This document discusses Sigstore, a standard for signing, verifying, and protecting software. It provides three key pieces: Cosign for signing artifacts, Fulcio for issuing the short-lived certificates used to sign them, and Rekor, a transparency log used for verification and monitoring. Sigstore allows signing of software artifacts, of documents such as SBOMs and attestations, and of git commits. Attestations are signed statements about a piece of software, and Sigstore protects their integrity. Sigstore supports achieving different levels of the SLSA framework for supply chain security, and it also aligns with frameworks from NIST and CIS. Tools like Gitsign allow "keyless" signing of git commits to meet requirements for verified history and two-person review.
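An added example, not code from Sigstore or this document, showing the attestation model the summary describes: an in-toto statement is wrapped in a DSSE envelope and signed, and verification fails if the statement or its payload type is altered. The ephemeral ECDSA key stands in for a Fulcio-certified short-lived key; the artifact name, digest and predicate values are constructed, and no Rekor log interaction is shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// Payload type that cosign uses for in-toto attestations.
const InTotoPayloadType = "application/vnd.in-toto+json"

// NewStatement builds an in-toto Statement: the subject names the artifact
// and its sha256, the predicate carries the claim (here SLSA provenance).
func NewStatement(name, sha256Hex string, predicate map[string]any) ([]byte, error) {
	return json.Marshal(map[string]any{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"predicateType": "https://slsa.dev/provenance/v0.2",
		"subject":       []map[string]any{{"name": name, "digest": map[string]string{"sha256": sha256Hex}}},
		"predicate":     predicate,
	})
}

// PAE is the DSSE pre-authentication encoding: the signed bytes bind the
// payload type to the payload, so a signature cannot be replayed under another type.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign signs the PAE with an ECDSA P-256 key (the key type Fulcio certifies).
func Sign(priv *ecdsa.PrivateKey, payloadType string, payload []byte) ([]byte, error) {
	h := sha256.Sum256(PAE(payloadType, payload))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify recomputes the PAE; any change to the payload bytes or type fails.
func Verify(pub *ecdsa.PublicKey, payloadType string, payload, sig []byte) bool {
	h := sha256.Sum256(PAE(payloadType, payload))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ephemeral, like a keyless signing session
	payload, _ := NewStatement("example.com/app:1.0", "constructed-digest", map[string]any{"builder": "ci"})
	sig, _ := Sign(priv, InTotoPayloadType, payload)
	fmt.Println("verified:", Verify(&priv.PublicKey, InTotoPayloadType, payload, sig))
	tampered := append([]byte{}, payload...)
	tampered[len(tampered)/2] ^= 1 // flip one byte of the statement
	fmt.Println("tampered verifies:", Verify(&priv.PublicKey, InTotoPayloadType, tampered, sig))
}
```

In a real Sigstore flow the public key would be bound to an identity by a Fulcio certificate and the signature recorded in Rekor, which is what lets a verifier check who signed and when.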