Container Signing, Verification and Storage in an OCI registry

Cosign is a tool for container image signing and verifying maintained under the Project Sigstore in collaboration with the Linux Foundation. Among other features, Cosign supports KMS signing, built-in binary transparency, and timestamping service with Rekor and Kubernetes policy enforcement.

Code:

https://docs.sigstore.dev/cosign/attestation#validate-in-toto-attestations
https://github.com/sigstore/cosign-gatekeeper-provider

Category: security
Layer: application