A signature binds an image's manifest digest to a signer. Verifying it proves two things: the bytes you are about to run are exactly the bytes that were signed, and the signer was your CI's key or OIDC identity rather than anyone who can push to the registry. It does not prove the build itself was sound, so signing belongs at the end of a pipeline you already trust. Cosign (the Sigstore signing client) handles signing, recording the signature in the Rekor transparency log, and verification.
Cosign — signing and verification

Signing (keyless — OIDC identity)

Keyless signing needs no long-lived key: cosign authenticates you with an OIDC provider, obtains a short-lived certificate for that identity from Fulcio, signs the image digest and records the signature in Rekor. `--yes` skips the interactive confirmation, which is what you want in CI.

```bash
cosign sign --yes ghcr.io/myorg/myapp:v1.0
```

cosign resolves the tag to its digest and signs the digest, not the tag; it warns when you pass a tag because a tag can later be moved to an image that was never signed. Prefer signing and deploying by `@sha256:<digest>`.

Verification

Keyless verification must pin who is allowed to have signed. Without `--certificate-identity` (or `--certificate-identity-regexp`) and `--certificate-oidc-issuer`, cosign 2.x refuses to verify, because a signature from any Fulcio-issued certificate would otherwise pass. The identity and issuer below match the Kyverno policy later on this page.

```bash
cosign verify \
  --certificate-identity-regexp '^[^@]+@myorg\.com$' \
  --certificate-oidc-issuer https://accounts.google.com \
  ghcr.io/myorg/myapp:v1.0
```

With a key

The key-based flow is the same procedure with a local ECDSA key pair instead of an OIDC identity. `cosign generate-key-pair` writes `cosign.key` (encrypted with a password it prompts for; set `COSIGN_PASSWORD` in CI) and `cosign.pub`. Keep the private key out of the repository; the public key is what the verifiers get.

```bash
cosign generate-key-pair
cosign sign --key cosign.key ghcr.io/myorg/myapp:v1.0
cosign verify --key cosign.pub ghcr.io/myorg/myapp:v1.0
```
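To make concrete what the key-based commands above actually sign and check, here is an added Go example; it is not cosign's own code (that lives in the sigstore/cosign project) but a stripped-down model of it. It builds the "simple signing" JSON payload cosign signs for an image, signs its SHA-256 hash with an ECDSA P-256 key (the curve `cosign generate-key-pair` uses), and then shows that verification succeeds for the digest that was signed and fails once the tag has been moved to another digest, even though the signature itself is untouched. The repository name and both digests are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
	"strings"
)

// Payload mirrors the "simple signing" JSON that cosign signs for an image.
// Only the manifest digest is bound; the tag is not part of the signed bytes.
type Payload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

// NewPayload builds the JSON cosign would sign for repo@digest.
func NewPayload(repo, digest string) ([]byte, error) {
	var p Payload
	p.Critical.Identity.DockerReference = repo
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature"
	return json.Marshal(p)
}

// Sign is the key-based signing step: SHA-256 over the payload, ECDSA P-256,
// base64-encoded as cosign stores it next to the payload in the registry.
func Sign(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyImage is the check behind `cosign verify --key`: rebuild the payload
// from the digest the verifier resolved for the image it is about to run,
// re-hash it and validate the stored signature against the trusted key.
// A tag moved to a different digest fails even though the signature is intact.
func VerifyImage(pub *ecdsa.PublicKey, repo, resolvedDigest, sigB64 string) bool {
	payload, err := NewPayload(repo, resolvedDigest)
	if err != nil {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	h := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Demo runs two scenarios on constructed digests: the image our build produced,
// and the same tag after someone moved it to a different (unsigned) digest.
func Demo() (genuine, retagged bool, err error) {
	const repo = "ghcr.io/myorg/myapp"                 // constructed sample repository
	built := "sha256:" + strings.Repeat("a", 64)   // constructed: digest of our build
	swapped := "sha256:" + strings.Repeat("b", 64) // constructed: what v1.0 points at after a tag move

	ourKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for cosign.key
	if err != nil {
		return
	}
	payload, err := NewPayload(repo, built)
	if err != nil {
		return
	}
	sig, err := Sign(ourKey, payload)
	if err != nil {
		return
	}
	genuine = VerifyImage(&ourKey.PublicKey, repo, built, sig)    // true
	retagged = VerifyImage(&ourKey.PublicKey, repo, swapped, sig) // false: digest mismatch
	return
}

func main() {
	genuine, retagged, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("genuine=%v retagged=%v\n", genuine, retagged)
}
```

The takeaway from the second scenario is why verification must happen against the digest the runtime actually resolved, not against whatever the tag said when the image was signed; this is also why admission controllers rewrite tags to digests after a successful check.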
Kubernetes admission — Kyverno

A ClusterPolicy with a verifyImages rule makes Kyverno's admission webhook verify every Pod image under ghcr.io/myorg/ before it is admitted: it fetches the signature from the registry, checks the Fulcio certificate's subject and issuer against the keyless attestor, and checks the Rekor entry. The policy below is the original one with one field added: validationFailureAction is set to Enforce, because the default, Audit, only reports a failed verification and still admits the Pod.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Enforce   # default is Audit, which logs but does not block
  rules:
    - name: verify-cosign
      match:
        resources:
          kinds: [Pod]
      verifyImages:
        - imageReferences: ["ghcr.io/myorg/*"]
          attestors:
            - entries:
                - keyless:
                    subject: "*@myorg.com"
                    issuer: "https://accounts.google.com"
```

Two things to check when adapting this. The subject and issuer must be exactly the identity your pipeline signs with; a broad glob such as `*@myorg.com` against a human-login issuer accepts any developer's signature, which is wider than "built by CI". And Kyverno rewrites the Pod's image reference to the verified digest after a successful check (mutateDigest is on by default), which is what stops a tag from being moved to an unsigned image between admission and pull.
Key Takeaway

Sign images in CI/CD with a keyless Sigstore identity, and verify at admission (Kyverno or OPA) with the policy pinned to that identity and issuer and running in Enforce mode. Verify and deploy by digest, since the signature covers the digest and a tag can be moved.