The Sigstore Project
The Sigstore Project
Standard for signing, verifying and protecting software
Transforms key management problem into identity problem
Keyless Signature Flow
cosign creates a temporary key pair and requests a certificate from fulcio .
The clients gets redirected to authenticate , fulcio issues a short-lived certificate based on the authentication data.
cosign updates the transparency log rekor
After signing, the key pair as well as the certificate are deleted .
Signature verification
Verification still requires trust
Cosign verifies if a valid signature is present
Tell cosign what metadata to accept (who has authenticated where)
Integration
Kyverno has support builtin
Attention
Bootstrapping the tooling is important
Check the supply chain of required tools
Demo
Sign a container image
Keyless sign of a container image
Verify the signature of a container image