cosign
Code signing and transparency for containers and binaries
I frequently see a misconception that the `--cert-email` is sufficient to verify the authenticity of an artifact. However, it's possible that some crappy OIDC provider issues OIDC tokens containing *any*...
Signed-off-by: Batuhan Apaydın Co-authored-by: Furkan Türkal #### Summary You can test this with the following path: > do not forget to install conftest to push rego policies suitable with their...
This mostly copies the functionality of image attestation and blob signing. Signed-off-by: Michael #### Summary This will allow users to attest local blobs similar to attesting images, following a similar...
**Description** The `cosign verify*` sub-commands allow passing multiple image references. However, it's not obvious how to interpret the output on either failure or success. Given that an image may have...
**Description** It should be possible to sign an image specified by digest that doesn't (yet) exist in the registry, so long as the user has permission to push to the...
**Description** It seems like `verify-attestation` allows you to check for annotation key pairs, but does not recognize the flag. It also is not "verified" content FWIW. Also, `attest` does not...
**Description** Docker has just announced a docker desktop extensions sdk. Explore if this is something cosign can integrate with to provide image verification during pulls and signing during push. See...
**Description** The tag naming scheme cosign relies on to attach signatures, SBOMs, etc., to images in any OCI registry is not very well documented. https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md#tag-based-discovery mentions the `.sig` suffix for...
**Description** The behavior is different when you use ` cosign sign --key xxx us-docker.pkg.dev/$PROJECT/$REPO/my-image `(signature will get appended, `xxx.sig` records all signatures) and ` cosign sign --key xxx us-docker.pkg.dev/$PROJECT/$REPO/my-image:sha256@xxx `(signature...
**Description** [`github.com/sigstore/cosign/pkg/providers`](https://pkg.go.dev/github.com/sigstore/cosign/pkg/providers) provides an interface for OIDC token providers and some common implementations, in subpackages (e.g., `pkg/providers/google`). The interface is agnostic to providers' dependencies, and doesn't have any deps outside...