What is artifact signing in deployment practices?

• A. Encrypting artifacts for transport.
• B. Signing deployment logs to ensure audit.
• C. Digital signing of artifacts to verify integrity and provenance during deployment.
• D. Signing scripts to speed up deployment.

Answer: (C)

Artifact signing is digitally signing the artifacts produced in the build so their integrity and origin can be verified during deployment. The artifact is signed with a private key, and the deployment system checks the signature with a trusted public key or certificate. This creates a tamper-evident guarantee: if the artifact is altered or not from the claimed source, the signature won’t verify. It helps prevent tampering in transit and in the repository and supports trust and provenance across the deployment pipeline. This differs from encrypting artifacts for transport (which protects confidentiality) and from signing logs or signing scripts (which relate to audit or authenticity of those items but don’t ensure the artifact’s integrity and provenance).