Cloudythings Blog

Signature Verification in Multi-Cloud Reality

Synchronizing Sigstore, AWS Signer, and Azure Key Vault to enforce provenance across multi-cloud deployments without slowing releases.

April 30, 2024 at 09:27 AM EST · 12 min read

Tags: Signature Verification, Multi-Cloud, Supply Chain Security, GitOps, Platform Engineering

[Image: Platform engineers comparing security policies across cloud providers. Credit: Zbynek Burival / Unsplash]

Sigstore made signing easy for cloud-native teams, but many enterprises live in multi-cloud worlds with existing trust systems—AWS Signer, Azure Key Vault, Google Binary Authorization. The challenge is unifying provenance without fragmenting developer workflows.

We built a multi-cloud signature verification fabric for a fintech client operating in AWS, Azure, and GCP. Here is how it works.

Establish a universal signing policy

Policies describe:

  • Accepted signer identities (GitHub OIDC, GitLab CI, self-hosted pipelines).
  • Required attestations (SBOM, test results, security scans).
  • Verification backends per cloud.

Policies live in Git as OPA/Regula rules. Every deployment references the same policy, ensuring consistency.

Keyless first, cloud-native fallback

Our hierarchy:

  1. Sigstore keyless signing using Fulcio certificates backed by workload identity. This covers most workloads.
  2. AWS Signer for regulated workloads requiring AWS-native keys. We synchronize signatures to Rekor for transparency.
  3. Azure Key Vault for services running in Azure App Service or AKS, using managed identities to sign.
  4. Google Binary Authorization for GKE workloads, enforcing attestation policies.

Pipelines abstract the differences away. Developers run a single command, ct sign artifact, and the platform decides which backend to invoke based on the service's metadata.

[Image: Security engineer reviewing multi-cloud signature dashboards. Photo by Christopher Gower on Unsplash. Caption: Transparency builds trust.]

Unify verification

Deployment controllers call a verification service that:

  • Fetches signatures from Sigstore, AWS Signer, or Azure.
  • Validates against policy (subject, expiration, claims).
  • Records verdicts in a central evidence store.

Argo CD, Spinnaker, and Terraform apply stages consult this service before promotion. If verification fails, the deployment pauses with a detailed message stating which check failed.
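The three pieces described above (the universal policy, the keyless-first backend selection, and the verification service that records verdicts in an evidence store) can be sketched in one place. The block below is an added illustration, not the post's or the client's code: the policy is a plain dict standing in for the Git-hosted OPA rules, the backends are names rather than real SDK calls, and every identity, trust-root id, digest and account number is constructed for the example. It also shows how the evidence store answers the audit question of who signed a given digest.

```python
"""Added example, not the post's own code: a toy verification service applying one
universal policy to signature records from several backends.  All identities, root
ids, digests and account numbers are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib, json

# Hypothetical universal policy (the post keeps the real one in Git as OPA rules):
# issuer -> subject prefixes allowed to sign, plus the attestations every artifact needs.
POLICY = {
    "accepted_identities": {
        "https://token.actions.githubusercontent.com": ["https://github.com/example-org/"],
        "aws-signer": ["arn:aws:signer:us-east-1:000000000000:/signing-profiles/example_"],
    },
    "required_attestations": frozenset({"sbom", "test-results", "security-scan"}),
}
# Hypothetical trust bundle: root ids accepted per backend (versioned next to the policy).
TRUST_BUNDLE = {"sigstore-keyless": {"fulcio-root-2024"}, "aws-signer": {"aws-signer-root"},
                "azure-key-vault": {"azure-kv-root"}, "binary-authorization": {"gcp-attestor-root"}}

@dataclass(frozen=True)
class SignatureRecord:
    backend: str
    artifact_digest: str
    issuer: str
    subject: str
    root_id: str            # trust root that anchored the signing certificate
    not_before: datetime    # signing certificate validity window
    not_after: datetime
    signed_at: datetime     # transparency log (Rekor) integrated time
    attestations: frozenset

def select_backend(meta: dict) -> str:
    """Keyless first; a cloud-native backend only where service metadata requires it."""
    cloud, runtime = meta.get("cloud"), meta.get("runtime")
    if cloud == "aws" and meta.get("regulated"):
        return "aws-signer"
    if cloud == "azure" and runtime in {"app-service", "aks"}:
        return "azure-key-vault"
    if cloud == "gcp" and runtime == "gke":
        return "binary-authorization"
    return "sigstore-keyless"

def verify(rec: SignatureRecord, meta: dict, wanted_digest: str) -> list:
    """Return policy violations; an empty list means promotion may proceed."""
    problems = []
    expected = select_backend(meta)
    if rec.backend != expected:
        problems.append(f"backend {rec.backend}, policy expects {expected}")
    if rec.root_id not in TRUST_BUNDLE.get(rec.backend, set()):
        problems.append(f"root {rec.root_id} not in trust bundle for {rec.backend}")
    if rec.artifact_digest != wanted_digest:
        problems.append("signature covers a different artifact digest")
    prefixes = POLICY["accepted_identities"].get(rec.issuer, [])
    if not any(rec.subject.startswith(p) for p in prefixes):
        problems.append(f"identity {rec.issuer}/{rec.subject} not accepted")
    # Short-lived certificates: the logged signing time must fall inside the validity window.
    if not rec.not_before <= rec.signed_at <= rec.not_after:
        problems.append("signing time outside certificate validity")
    missing = POLICY["required_attestations"] - rec.attestations
    if missing:
        problems.append("missing attestations: " + ", ".join(sorted(missing)))
    return problems

@dataclass
class EvidenceStore:
    """Append-only verdict log; each entry commits to the previous hash so edits show."""
    entries: list = field(default_factory=list)

    def record(self, rec: SignatureRecord, meta: dict, problems: list) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"service": meta["name"], "backend": rec.backend, "digest": rec.artifact_digest,
                 "subject": rec.subject, "ok": not problems, "problems": problems, "prev": prev}
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def who_signed(self, digest: str) -> list:
        """The auditor's question, answered from the evidence store alone."""
        return [e["subject"] for e in self.entries if e["digest"] == digest and e["ok"]]

# Constructed sample: a regulated AWS service with one good and one bad signature record.
META = {"name": "payments-ledger", "cloud": "aws", "regulated": True}
DIGEST = "sha256:" + "a1" * 32
T0 = datetime(2024, 4, 30, 9, 0, tzinfo=timezone.utc)
GOOD = SignatureRecord("aws-signer", DIGEST, "aws-signer",
                       "arn:aws:signer:us-east-1:000000000000:/signing-profiles/example_ledger",
                       "aws-signer-root", T0, T0 + timedelta(minutes=10), T0 + timedelta(minutes=2),
                       frozenset({"sbom", "test-results", "security-scan"}))
BAD = SignatureRecord("sigstore-keyless", DIGEST, "https://token.actions.githubusercontent.com",
                      "https://github.com/other-org/ledger/.github/workflows/release.yml@refs/heads/main",
                      "fulcio-root-2024", T0, T0 + timedelta(minutes=10), T0 + timedelta(hours=1),
                      frozenset({"sbom"}))

def run_demo() -> EvidenceStore:
    store = EvidenceStore()
    for rec in (GOOD, BAD):
        store.record(rec, META, verify(rec, META, DIGEST))
    return store
```

Running run_demo() accepts the AWS Signer record and rejects the keyless one for four separate reasons (wrong backend for a regulated service, a subject outside the accepted organisation, a signing time after the certificate expired, and two missing attestations). Returning the full list of violations rather than a single boolean is what lets the deployment pause "with detailed messaging" as the post describes; the hash chain in the evidence store is a lightweight stand-in for the tamper-evidence a transparency log gives you.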

Distribute trust bundles

Trust stores (Fulcio roots, AWS/Azure certificates) are versioned in Git. Agents sync updates automatically. We run smoke tests whenever trust bundles change to avoid outages—mirroring how Let’s Encrypt and major clouds treat trust rotations.

Audit and incident readiness

We provide:

  • Audit dashboards showing signature coverage by environment and cloud.
  • Incident enrichment linking each deployment to its signatures and attestations.
  • Compliance packs exporting signature data for regulators (SOC 2, PCI DSS).

When auditors ask “Who signed this binary?”, we answer instantly.

Multi-cloud signature verification is achievable without drowning developers in bespoke tooling. A unified policy, automated backends, and transparent observability turn provenance into a superpower—not a checkbox exercise.