Saved February 14, 2026
This article discusses how Sigstore is evolving to support multiple cryptographic algorithms while maintaining security. It details the challenges posed by rigid algorithms and outlines recent updates that allow for controlled flexibility in signing artifacts. The changes ensure that software signatures remain valid and secure over time.
Software signatures have a useful lifetime that could outlast the cryptographic methods securing them. For instance, a container image signed today might remain in use for decades, but its SHA-1 signature could become obsolete in a fraction of that time. Sigstore, an open-source tool for software signing, initially prioritized security by hard-coding algorithms like ECDSA with P-256 and SHA-256. While this approach protected against pitfalls seen in other systems, it has become restrictive as user needs have evolved.
To tackle these limitations, Trail of Bits collaborated with the Sigstore community to introduce cryptographic agility. They established a centralized algorithm registry for managing cryptographic standards and updated the tools—Rekor and Fulcio—to accept configurable algorithm restrictions. Users can now choose their preferred signing algorithm when generating ephemeral keys through Cosign. The new design includes predefined algorithm suites to prevent risky combinations and ensures that algorithm choices come from external policies, not the data being signed.
A key concern with cryptographic flexibility is that it can introduce security vulnerabilities, such as those seen with JWTs, where poor algorithm signaling allowed forgery. Sigstore's solution is a structured approach to algorithm selection, which reduces the risk of these attacks. The implementation was done in three phases: creating the algorithm registry, updating services to accept custom algorithm sets, and integrating these updates into client tools like Cosign. This systematic effort has laid the groundwork for incorporating future cryptographic standards, including post-quantum algorithms, ensuring that Sigstore remains relevant and secure.
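The policy-driven selection described above, as an added Go example (not code from Sigstore or the original article): the verifier derives a fixed suite from the trusted key and checks it against a caller-supplied allowlist, so nothing in the signed data can choose the algorithm. The suite names and the `Verify` function are hypothetical, and the key and message are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/sha256"
	"fmt"
)

// Suite fixes key type and hash together (hypothetical names, not Sigstore registry IDs).
type Suite string
const (
	ECDSAP256SHA256 Suite = "ecdsa-p256-sha256"
	Ed25519Pure     Suite = "ed25519"
)
// Verify takes the allowed suites from external policy; msg and sig cannot pick the algorithm.
func Verify(policy map[Suite]bool, pub crypto.PublicKey, msg, sig []byte) error {
	var suite Suite
	var check func() bool
	switch k := pub.(type) {
	case *ecdsa.PublicKey:
		if k.Curve != elliptic.P256() {
			return fmt.Errorf("curve not in registry")
		}
		digest := sha256.Sum256(msg) // hash is fixed by the suite, never negotiated
		suite, check = ECDSAP256SHA256, func() bool { return ecdsa.VerifyASN1(k, digest[:], sig) }
	case ed25519.PublicKey:
		suite, check = Ed25519Pure, func() bool { return ed25519.Verify(k, msg, sig) }
	default:
		return fmt.Errorf("key type not in registry")
	}
	if !policy[suite] {
		return fmt.Errorf("suite %q not allowed by policy", suite)
	}
	if !check() {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed sample key (nil = crypto/rand)
	msg := []byte("constructed artifact bytes")
	sig := ed25519.Sign(priv, msg)
	fmt.Println(Verify(map[Suite]bool{Ed25519Pure: true}, pub, msg, sig))     // accepted
	fmt.Println(Verify(map[Suite]bool{ECDSAP256SHA256: true}, pub, msg, sig)) // rejected by policy
}
```

A valid signature is still rejected when its suite is outside the deployment's policy, which is the property that keeps in-band algorithm confusion out of the design.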