Session

Keyless, identity-based signing of Software Artifacts w/ sigstore and Keycloak

There is almost no debate that digital signing is an important best practice for securing the software supply chain, e.g. container images, git commits, and any software artifact involved in the SDLC. But managing keys is cumbersome, associating keys with actual human or workload identities is cumbersome, and rotating and revoking keys is just annoying. Sigstore, an open-source project under the Open Source Security Foundation (OpenSSF), provides a robust solution to these problems, and it works nicely with Keycloak as an OIDC provider. In this talk, we explore the history of digital signing and its challenges, and demo a viable solution based on open-source technology.

Stephan Kraft

Make the complex easy

Vienna, Austria
