The Sigstore Project

The Sigstore Project

Standard for signing, verifying and protecting software

Initiated by chainguard

Transforms key management problem into identity problem

Keyless Signature Flow

cosign creates a temporary key pair and requests a certificate from fulcio .

The clients gets redirected to authenticate , fulcio issues a short-lived certificate based on the authentication data.

cosign updates the transparency log rekor

After signing, the key pair as well as the certificate are deleted .

Signature verification

Verification still requires trust

Cosign verifies if a valid signature is present

Tell cosign what metadata to accept (who has authenticated where)


Kyverno has support builtin


Bootstrapping the tooling is important

Check the supply chain of required tools


Sign a container image

Keyless sign of a container image

Verify the signature of a container image