cosign
Code signing and transparency for containers and binaries
Cosign initially was created as a binary, and with its use being quite wide and popular there have been more and more users that have expressed desire to use Cosign in...
(This is written about GitHub so we have a specific example, but applies to all future CI/CD providers!) Right now, you need to deal with a menagerie of flags to...
When performing tasks such as signing a blob, the authentication page that gets served to the user times out quickly. From a security perspective, it makes sense to serve the...
**Description** Fail to get public key from Azure key vault on cosign version `v2.1.0`. Seems like a malformed url for fetching a key `https://.vault.azure.net/keys/https://.vault.azure.net//` instead of `https://.vault.azure.net/keys/` ``` Run cosign...
**Description** Gitpod is a remote workspace solution that has the ability (still in BETA) to generate JWT tokens to authenticate users within a workspace against external services like Sigstore, Vault...
**Description** I am trying to sign OCI-Images with cosign within a gitlab-ci pipeline. Auto-generating the keypair and the corresponding project variables worked fine. When I try to sign an image...
**Description** There's a lot of duplicated and almost-duplicated code in the verify, verify-blob, verify-attestation, and verify-blob-attestation subcommands. I wrote a short doc suggesting how to refactor them and would like...
**Description** Getting the error ``` $COSIGN_REPOSITORY: repository can only contain the characters `abcdefghijklmnopqrstuvwxyz0123456789_-./` ``` Our repository has a port in it e.g. `repo-app.datacenter.net:5001`. Cosign is able to handle that just...
I am testing in Azure DevOps (ADO), where our agents are running in AWS (self-hosted EC2 instance). We have to keep the keys in Azure Key Vault. So we use Service...
**Description** When I sign a container with this Vault ACL policy `path "gitlab/*" { capabilities = [ "read", "list", "update" ] }` that works BUT is **not secure**. When...