The Sigstore Project

Standard for signing, verifying and protecting software

Initiated by Chainguard

Transforms the key management problem into an identity problem

Keyless Signature Flow

cosign creates a temporary key pair and requests a certificate from fulcio.

The client is redirected to authenticate; fulcio issues a short-lived certificate based on the authentication data.

cosign records the signature in the transparency log rekor.

After signing, the key pair as well as the certificate are deleted.

Signature verification

Verification still requires trust

Cosign verifies that a valid signature is present

Tell cosign which metadata to accept (who has authenticated where)
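The keyless flow above and the verification point that follows it, as an added example in Go (the language cosign, fulcio and rekor are written in); this is not code from the slides or from the Sigstore project. It assumes a toy self-signed CA in place of fulcio, a plain struct in place of a rekor entry, a placeholder OID for the issuer extension, and made-up function names (`newCA`, `issue`, `signKeyless`, `verify`). The identity checks at the end of `verify` are what the `--certificate-identity` / `--certificate-oidc-issuer` flags express in `cosign verify`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder OID (an assumption for this example, not Fulcio's real extension) that stores the OIDC issuer.
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// logEntry is a toy stand-in for a Rekor record; real Rekor also Merkle-chains entries and signs inclusion proofs.
type logEntry struct {
	IntegratedTime time.Time // when the log accepted the signature
	Signature      []byte
	CertDER        []byte // the short-lived certificate, so verifiers need no key from the signer
}

func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy-fulcio-root"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	root, err := x509.ParseCertificate(der)
	return root, key, err
}

// issue binds the authenticated identity (email + OIDC issuer) to an ephemeral public key in a ten-minute certificate.
func issue(root *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, email, issuer string) ([]byte, error) {
	return x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(2), EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}},
	}, root, pub, caKey)
}

// signKeyless runs the slide's flow: ephemeral key, certificate from the CA, signature, log entry; the private key is never stored.
func signKeyless(root *x509.Certificate, caKey *ecdsa.PrivateKey, artifact []byte, email, issuer string) (logEntry, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return logEntry{}, err
	}
	certDER, err := issue(root, caKey, &key.PublicKey, email, issuer)
	if err != nil {
		return logEntry{}, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return logEntry{}, err
	}
	return logEntry{IntegratedTime: time.Now(), Signature: sig, CertDER: certDER}, nil
}

// verify: a valid signature is necessary, but the verifier must also state whose identity (and which issuer) it accepts.
func verify(root *x509.Certificate, e logEntry, artifact []byte, wantEmail, wantIssuer string) error {
	cert, err := x509.ParseCertificate(e.CertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	// Validate the short-lived certificate at the log's integrated time, not now, or every signature would stop verifying after ten minutes.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: e.IntegratedTime}); err != nil {
		return err
	}
	digest := sha256.Sum256(artifact)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], e.Signature) {
		return fmt.Errorf("signature does not verify under the certificate's key")
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantEmail {
		return fmt.Errorf("unexpected identity %v, want %s", cert.EmailAddresses, wantEmail)
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIssuer) && string(ext.Value) == wantIssuer {
			return nil
		}
	}
	return fmt.Errorf("certificate was not issued for OIDC issuer %s", wantIssuer)
}
```

Two design points carry the slides' message: the certificate is checked against the time the log recorded the signature rather than the current time, which is what makes ten-minute certificates usable at all; and a signature that verifies cryptographically but comes from an unexpected email or OIDC issuer is rejected, which is the trust decision the verifier still has to make.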

Integration

Kyverno has built-in support

Attention

Bootstrapping the tooling is important

Check the supply chain of required tools