cosign
Code signing and transparency for containers and binaries
**Description** In the meantime, cosign has two different ways of verifying the integrity of attestations, CUE, or Rego policies. In this issue, I'm proposing to add a new way of...
Some things we could do here to make sure we have good test coverage: - [ ] Make sure unit tests are thorough - [ ] Reorganize integration tests (they're...
**Description** We've been happy to be using Cosign with KEDA! We have noticed, though, that when storing signed container images on GitHub Container Registry the pull metrics in GitHub are...
**Description** The cosign CLI allows setting `--signature-digest-algorithm` to one of `sha224|sha256|sha384|sha512` to accommodate [the many hash algorithms that might have been used with elliptical KMS keys](https://github.com/sigstore/sigstore/blob/eaea65e41486b908672b6b48eea37cf99ec7ca14/pkg/signature/kms/aws/client.go#L152-L163). The [current `ClusterImagePolicy`](https://github.com/sigstore/cosign/blob/623d50f9b77ee85886a166daac648455e65003ec/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go) API...
This came up in the context of OPA in slack - they'd like to provide a builtin for verifying signatures, which would ideally depend only on the Go stdlib. Cosign...
#### Summary Removes the `sget` command for now, while the team refines the vision for the "sget" idea, how it will be manifested in code, and how we'll distribute it...
**Description** Technically it's easy to spin up a local python server if you have a local TUF root you want to use, but tests also then have to spin...
## Abstract Slightly the same with `verify-dockerfile`, but for Kubernetes Resources responsible for creating containers, such as `Deployments`, `ReplicaSets`, `DaemonSets`, etc. The same logic we used to check `ImageRef`s in...
**Description** When providing [OIDC options](https://github.com/sigstore/cosign/blob/de85b7ebb702cac3f21fa7087418556c3f0d85f4/cmd/cosign/cli/options/oidc.go#L32-L35), if there is a failure in providing the options (e.g. bad parsing of a secret file, invalid issuer, etc), then fail the command. Do not...
Original title: `sign-blob` seems to ignore `--verbose` ``` $ cosign version 2>&1 | grep GitVersion GitVersion: v1.6.0 $ export COSIGN_EXPERIMENTAL=1 $ IMAGE_DIGEST=$(cosign upload blob -f /dev/null ttl.sh/$(openssl rand -hex 8):5m)...