-
### Your feature request related to a problem? Please describe.
Not a problem, it is a feature request.
The idea is to sign the release artifacts using [cosign](https://github.com/sigstore/cosign) wh…
-
We (w/@dentrax) have added signing and verifying container images by using cosign under the hood to nerdctl, please [see](https://github.com/containerd/nerdctl/pull/556). We call the cosign binary to…
-
**Description**
I'm using HashiVault Corp for securely storing signing keys.
Then I want to use image verify in K8S using kyverno-plugin (1.12). In Kyverno-policy I want to use Public Key (not integ…
-
**Motivation**
We have signatures with cosign, and our next step is to add provenance attestations to images and artifacts as well, in the same way we have in Falcoctl
cc @cpanato @developer-guy
-
**Is your feature request related to a problem? Please describe.**
Sign our Helm release using Cosign as it now shows if it is verified on Artifacthub.
Found out by @JimBugwadia via this [tweet]…
-
Architect a "Verified Reproducible Build Attestation".
Some useful links:
- https://www.cisa.gov/sites/default/files/2024-03/CISA_RSAA_User_Guide_18_March_2024.pdf
- https://cyclonedx.org/capabil…
-
It would be very helpful to give folks some context on the decision to move scanning to its own repository.
-
For highly regulated clients there's an interest in the DB image being signed. This could be done on GHCR with cosign.
-
## Feature Request
### Description
SBOMs are an important way to prove what images and programs are made up of.
They can be generated with
- https://github.com/moby/buildkit/blob/master/docs…
-
Original title: `sign-blob` seems to ignore `--verbose`
```
$ cosign version 2>&1 | grep GitVersion
GitVersion: v1.6.0
$ export COSIGN_EXPERIMENTAL=1
$ IMAGE_DIGEST=$(cosign upload blob -f /…
```