Sign and verify software artifacts, containers & SBOMs
Release binaries, container images, and SBOMs signed under your own certificate authority — verifiable with stock cosign, anchored on Bitcoin and a public transparency log. Supply-chain proof that drops into the pipeline you already run.
For dev teams, devops, platform and security engineers.
Four guarantees, in software supply chain
The exact bytes that shipped
A signed artifact can't be swapped or tampered — the signature is over its precise contents, and cosign catches any change.
Your own code-signing root
Every signature and attestation chains to a published root you control — no third-party trust list, no Fulcio dependency.
An independent record of the release
Artifacts are timestamped on Bitcoin and recorded in the public transparency log — provable evidence of what shipped, and when.
Verified with stock cosign
Downstream consumers run unmodified cosign — no bespoke tooling, and no dependency on Let's Seal to check a signature.
From your file to a proof anyone can check
The same pipeline every time — the seal and the timestamp travel with the file, so the proof is self-contained.
Seal it in the app — no setup
- 1
Create your org and code cert
Sign in at app.letsseal.org and create your organisation. It provisions a code-signing certificate (EKU codeSigning) that cosign recognises.
- 2
Get an API key for CI
Generate an API key in Settings and add it to your CI secrets. From here, sealing is one CLI call in the pipeline.
- 3
Sign in the pipeline
Run sealbot on your build artifacts, images, and SBOMs (below). Nothing but the digest leaves the runner.
- 4
Publish the proof
Ship the signature, cert, and attestation next to the release. Consumers verify with stock cosign — or open the transparency-log record.
Automate it from your terminal or CI
The sealbot CLI does the same thing, scriptably — one command per file, straight into your pipeline.
# Sign a release artifact (cosign-compatible)
$ sealbot sign-blob app-2.1.0.tar.gz --org examples
signed app-2.1.0.tar.gz (cosign-compatible artifact seal)
sig app-2.1.0.tar.gz.sig
cert app-2.1.0.tar.gz.pem (+ app-2.1.0.tar.gz.chain.pem)
# Attest an SBOM (SPDX / CycloneDX / SLSA provenance)
$ sealbot attest app-2.1.0.tar.gz --org examples \
--predicate sbom.spdx.json --type spdxjson
wrote app-2.1.0.tar.gz.att.bundle
# Anyone verifies with stock cosign — no Let's Seal required
$ cosign verify-blob --certificate app-2.1.0.tar.gz.pem \
--certificate-chain app-2.1.0.tar.gz.chain.pem \
--signature app-2.1.0.tar.gz.sig \
--certificate-identity-regexp '.*' \
--certificate-oidc-issuer-regexp '.*' --insecure-ignore-tlog \
app-2.1.0.tar.gz
Verified OKsign-image signs an OCI image in its registry so `cosign verify <image>` works; attest-image attaches an SBOM or SLSA provenance to an image. Everything chains to your own published root.
A signed release + SBOM attestation
The proof here is the verification itself: stock cosign confirms the artifact's signature and the SBOM attestation against your published root — reproducible on any machine.
What you’ll seal
- Build artifacts
- Container images
- SBOMs (SPDX / CycloneDX)
- Release binaries
- SLSA provenance attestations
Straight answers
- Does this work with stock cosign?
- Yes. Signatures and attestations verify with unmodified `cosign verify-blob` and `cosign verify-blob-attestation` — the artifacts are cosign's native format, chained to your published root.
- Do I need Fulcio or a public Sigstore?
- No. Let's Seal is your own CA, so you sign under a root you control and publish. The same cosign commands verify against it, with no keyless-OIDC round trip required.
- Container images and SBOMs too?
- Yes — `sealbot sign-image` signs an OCI image in its registry, and `sealbot attest` / `attest-image` attach SPDX, CycloneDX, or SLSA provenance that cosign verifies.
- Where does the timestamp come from?
- Each seal is anchored on Bitcoin via OpenTimestamps and recorded in a public, append-only transparency log — an independent record of the release that doesn't depend on your CI logs.
Start sealing software supply chain documents
Free and open. Seal in the app, automate from the CLI, and hand anyone a proof they can verify themselves.