dpndncY

Optional Sigstore keyless signing.

When an OIDC token is available (GitHub Actions, GitLab CI), sign via Fulcio and log to Rekor instead of using your long-lived keypair.

Executable docs ship with the install
The full reference for this topic — configuration files, code samples, CLI flags, API endpoints — ships inside every dpndncY installation so it always matches your installed version. This public-preview page lists what the in-product docs cover.

In the in-product docs

  • When to use it (public verifiability without key management)
  • When not to use it (air-gapped, regulated workloads)
  • OIDC issuer requirements
  • Verification: cosign vs. dpndncy-verify with --transparency-log