Native Signing Support In Cloudsmith Extended To Docker, NuGet, And Swift

The importance of software artifact integrity is highlighted as breaches can have severe consequences, including data breaches and system takeovers. Cryptographic signing is a highly effective defense against artifact poisoning, which verifies the authenticity and integrity of artifacts by using digital signatures unique to each software developer's private key. Two approaches are discussed: native signing, which integrates well with artifact workflows and ensures automatic verification, and non-native (third-party) signing, which requires additional manual steps for verification. Native signing plays a role in maintaining compliance with industry regulations by ensuring that software artifacts are verifiable, traceable, and tamper-proof. Cloudsmith supports non-native signing for all package formats, including Swift, NuGet, and Docker, and offers native signing support for these formats to improve workflows and reach compliance. Automated signing for Docker images uses Sigstore's Cosign, while native signing of NuGet packages uses an X.509 certificate, and Swift packages use ECDSA private key in combination with an X.509 certificate.