<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Cosign on</title><link>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/</link><description>Recent content in Cosign on</description><generator>Hugo -- gohugo.io</generator><language>en-US</language><lastBuildDate>Mon, 29 Jul 2024 15:12:18 +0000</lastBuildDate><atom:link href="https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/index.xml" rel="self" type="application/rss+xml"/><item><title>An Introduction to Cosign</title><link>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/an-introduction-to-cosign/</link><pubDate>Tue, 19 Jul 2022 08:49:31 +0000</pubDate><guid>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/an-introduction-to-cosign/</guid><description>An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.
Cosign supports software artifact signing, verification, and storage in an OCI (Open Container Initiative) registry. While Cosign was developed with containers and container-related artifacts in mind, it can also be used for open source software packages and other file types. Cosign can therefore be used to sign blobs (binary large objects), files like READMEs, SBOMs (software bills of materials), Kubernetes Helm Charts, Tekton bundles (an OCI artifact containing Tekton CI/CD resources like tasks), and more.</description></item><item><title>How to Install Cosign</title><link>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-install-cosign/</link><pubDate>Wed, 13 Jul 2022 08:49:31 +0000</pubDate><guid>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-install-cosign/</guid><description>An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.
Cosign supports software artifact signing, verification, and storage in an OCI (Open Container Initiative) registry. By signing software, you can authenticate that you are who you say you are, which can in turn enable a trust root so that developers and consumers who leverage your software can verify that you created the software artifact that you have said you’ve created.</description></item><item><title>How to Sign a Container with Cosign</title><link>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-sign-a-container-with-cosign/</link><pubDate>Wed, 13 Jul 2022 13:26:54 +0100</pubDate><guid>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-sign-a-container-with-cosign/</guid><description>An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.
Cosign is a tool you can use to sign software artifacts, which in turn allows you to verify that you are who you say you are, instilling trust across the software ecosystem. Signing software also allows people to understand the provenance of the software, and prevents tampering.
Let’s step through signing a container with Cosign.</description></item><item><title>How to Sign Blobs and Standard Files with Cosign</title><link>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-sign-blobs-with-cosign/</link><pubDate>Wed, 13 Jul 2022 15:22:20 +0100</pubDate><guid>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-sign-blobs-with-cosign/</guid><description>An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.
Cosign can sign more than just containers. Blobs, or binary large objects, and standard files can be signed in a similar way. You can publish a blob or other artifact to an OCI (Open Container Initiative) registry with Cosign. This tutorial assumes you have a Cosign key pair set up, which you can achieve by following our Introduction to Cosign guide.</description></item><item><title>How to Sign an SBOM with Cosign</title><link>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-sign-an-sbom-with-cosign/</link><pubDate>Wed, 13 Jul 2022 15:22:20 +0100</pubDate><guid>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-sign-an-sbom-with-cosign/</guid><description>An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.
Cosign, developed as part of the Sigstore project, is a command line utility for signing, verifying, storing, and retrieving software artifacts by interfacing with an OCI (Open Container Initiative) registry. Cosign can be used to sign attestations, which are verifiable assertions or statements about a software artifact.
What is an Attestation?
An attestation is a cryptographically verifiable statement about a software artifact.</description></item><item><title>How to Verify File Signatures with Cosign</title><link>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-verify-file-signatures-with-cosign/</link><pubDate>Wed, 21 Dec 2022 15:22:20 +0100</pubDate><guid>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/how-to-verify-file-signatures-with-cosign/</guid><description>Cosign can be used to verify binary artifacts (&amp;ldquo;blobs&amp;rdquo;) using provided signatures as long as they are published to an OCI registry. In this tutorial, we’ll verify a binary artifact — in this case, a release of apko, a command-line tool for building container images using a declarative language based on YAML. The methods in this tutorial apply to any blob file Cosign has signed with a keyless signature.
This tutorial assumes you have Cosign installed.</description></item><item><title>Cosign: The Manual Way</title><link>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/cosign-manual-way/</link><pubDate>Wed, 29 Mar 2023 08:49:31 +0000</pubDate><guid>https://deploy-preview-3174--ornate-narwhal-088216.netlify.app/open-source/sigstore/cosign/cosign-manual-way/</guid><description>Note: This tutorial is no longer actively maintained and may reference outdated versions of Cosign and related tools. While the underlying cryptographic concepts remain relevant, we recommend consulting the current Cosign documentation for up-to-date usage guidance. This content is preserved for educational purposes and may still provide value for those interested in understanding the mechanics of software signing.
When I first used Cosign, the software artifact signing CLI from the Sigstore project, I was amazed at how painless signing and verifying could be.</description></item></channel></rss>