Cosign & Sigstore Signing
Sign and verify container images and artifacts with Cosign and Sigstore for supply chain integrity. Set up keyless signing with OIDC, attach SBOM and provenance attestations, verify signatures in admission controllers, and enforce signed-only deploys in CI/CD.
Cosign, part of the Sigstore project, signs and verifies OCI artifacts to prove where they came from and that they haven't been tampered with. This skill helps you configure keyless (OIDC) signing, attach and verify SBOM/SLSA provenance attestations, enforce signature verification at admission time, and add signing to release pipelines.
When to use
Use to sign and verify container images and artifacts, set up keyless signing, attach provenance/SBOM attestations, and enforce signed-only deployments.
Examples
Keyless image signing
Sign with OIDC identity
Set up keyless Cosign signing for my container images in GitHub Actions using OIDC
Verify before deploy
Enforce signed artifacts
Add a Cosign verification step so my Kubernetes admission controller only admits signed images
Attach provenance
SLSA-style attestations
Attach an SBOM and SLSA provenance attestation to my image with Cosign and show how to verify it