cosign
Code signing and transparency for containers and binaries
#### Summary Closes #3669 Currently while doing the verification of signatures cosign does not check the MediaType of the layers before downloading those. In the case when someone mistakenly...
This could work something like: 1. Go through a k8s object looking for images 2. For each image, pull do something like "cosign verify" and get all verified payloads...
The SLSA attestation model [1] defines a "statement" as an in-toto attestation, e.g. as "https://in-toto.io/Statement/v1" [2]. This statement contains both the predicate (e.g. "provenance" / "cyclonedx") as well as the...
**Description** The idea actually came from here[^1]. We can support verification of the signature with multiple public keys, I couldn't think over the design much yet but, at the...
**Description** During signature verification cosign calculates the signature tag by using the artifact digest. ArtifactPath:sha256-Artifact Digest.sig Using this tag cosign downloads the signature manifest. Once the signature manifest is downloaded cosign...
**Question** I have been working to get cosign to use an externally generated key pair for signing. Using OpenSSL to generate the P-256 key pair, I then used yubico-piv-tool to...
**Description** I signed an image including a timestamp from Digicert (using http://timestamp.digicert.com). To verify that signature I had to get the TSA certificate that they publish. For example here (https://knowledge.digicert.com/general-information/rfc3161-compliant-time-stamp-authority-server)....
**Description** The OCI spec defines the use of annotations to contain arbitrary metadata. While `cosign` supports creating key, value pairs when signing, these are added into the `optional` section and...
Swap the use of the go-tuf v0.7.0 client from sigstore/sigstore to the v2.0.0 client from sigstore/sigstore-go. This change strictly adds logic to attempt to use the sigstore-go TUF client if...
#### Summary Working towards #3139. There are several `cosign` commands that now support the new protobuf bundle format. Users may have signed material in other formats, and this pull request...