cosign
cosign copied to clipboard
sigstore
Code signing and transparency for containers and binaries
Please see https://github.com/sigstore/policy-controller/pull/112 for more context. TLDR - without this being removed, policy-controller will crash on startup due to conflicts with the klog dependency. This appears to be brought in...
#### Summary This PR is add the ability to load the images from files to a local registry (docker daemon). The scenario is the following: - `cosign save` - `cosign...
#### Summary https://github.com/sigstore/cosign/issues/1660 Currently the signing logic lives in `cmd/cosign/cli/sign`, this PR moves signing logic to `pkg/sign`. Moving to pkg/sign allows other projects to include in their tools. #### Release...
**Question** Does cosign supports signing of local images ? I am trying to sign a local image but getting this error ``` cosign sign --key /tmp/cosign/cosign.key /tmp/cosign-test:1.0.0 error: signing /tmp/cosign-test:1.0.0:...
Ref: #1381 #### Summar Many vulnerability scanners are unaware of the type of environment in which they are used. The consensus in some issues for this spec seemed to be...
**Description** In keyless mode with Cosign 1.9, an attestation that is attached to a container image using `cosign attach attestation` is not returned in a `cosign verify-attestations` command with others...
**Description** Is it possible to support a Docker registry that is hosted behind a mTLS endpoint? My webbrowser does use my certificate towards this artifactory instance to do the mTLS...
**Description** We (@@developer-guy) noticed a strange behavior: If there is no attestation, and we passed `--replace` flag, it creates new `.att` but does not attach any `layers` in the manifest....
As cosign gains momentum, invariably there will be more and more requests from the community for ways to integrate into more complex key management services and solutions. Enterprises are likely...
### Problem Cosign's module dependencies are pretty heavy. Its [go.mod](https://github.com/sigstore/cosign/blob/f005e25466c3b6954546b718ce3a56d0efd6ec2b/go.mod) currently transitively depends on k8s.io/client-go, the AWS SDK, the Azure SDK, a GCP cloud storage API client, Docker internals, fsnotify,...
