Container Signing, Verification and Storage in an OCI registry

Cosign is a tool for container image signing and verifying maintained under the Project Sigstore in collaboration with the Linux Foundation. Among other features, Cosign supports KMS signing, built-in binary transparency, and timestamping service with Rekor and Kubernetes policy enforcement.

• https://docs.sigstore.dev/cosign/attestation#validate-in-toto-attestations
• https://github.com/sigstore/cosign-gatekeeper-provider

• Cosign in the OPA Ecosystem
  • github.com/sigstore/cosign

• Sigstore in the OPA Ecosystem
  • sigstore.dev/