The Sigsum Project

Sigsum is a free and open source software project that brings transparency logging to signed checksums. The overall design is kept general by not logging a more concrete data structure like TLS certificates.

  • [x] Discoverability of signed checksums for the data of your choice
  • [x] Centralised log operations but distributed trust assumptions
  • [x] Minimalistic design that simplifies log operations and usage

Sigsum logging can be used to make a signer's key-usage transparent. For example, malicious and unintended key-usage can be detected. Transparent key-usage also facilitates verification of falsifiable claims.

Examples include:

  • Everyone gets the same executable binaries
  • A domain does not serve malicious JavaScript
  • A list of key-value pairs is maintained with a certain policy

Please refer to the sigsum logging design document, API specification, and public prototype to learn more. There is also an archive of meeting minutes and discuss pads. All project repositories are located at git.sigsum.org.



Chat with users and developers on IRC or Matrix. The rooms are bridged so it does not matter which one you choose.

There are open video/voice meetings on Tuesdays at 1200 UTC, in the 'sigsum' Jitsi room.


Subscribe to the Sigsum-general mailing list by sending an email with 'subscribe' in the subject to


or use the form at the list info page.

After being subscribed, you can provide feedback, report issues, and submit patches by sending an email to the list, at