-
Users can sign images produced with `ko publish` using tools like [`cosign`](https://github.com/sigstore/cosign).
For example:
```
$ cosign sign -key cosign.key $(ko publish ./)
```
`ko res…
-
Is there a way (perhaps using a github action and github pages) that we could preview changes to the docs before merging pull requests?
-
RKE2 images will be published to the rancher prime registry and signed with cosign. Additionally, images are to include an SBOM manifest provided by docker buildx.
Build pipelines in the image-buil…
-
**Description**
_Copied from https://sigstore.slack.com/archives/C049ALX6Q83/p1709072587850229_
tl;dr - Sigstore TUF metadata has evolved, but Cosign and Scaffolding are lagging behind. We n…
-
Running `cosign attest` (almost) concurrently can have the side effect that attestations written to the container registry previously are overridden by later invocations:
1. `cosign attest` no 1 r…
-
Using the "Publish Docker Container By GitHub Actions" GitHub action configuration to add the cosign tool and perform container signing
`
# Install the cosign tool except on PR
# ht…
-
### Problem Statement
When creating multiple attestations on the same image, one way to distinguish these attestations is to pass the following flag `--attachment-tag-prefix` to cosign.
With this f…
-
When I enabled k8s-image-swapper it turned out that kyverno's image signature verification is failing.
So while k8s-image-swapper works fine for pulling/pushing docker images and mutating their ref…
wosiu updated
3 months ago
-
**Describe the bug**
The distroless image gcr.io/distroless/python3-debian11:debug is not signed with cosign.
**To Reproduce**
I ran this script:
```
#!/bin/bash
GOOGLE_COSIGN_PUB_KEY=goog…