Skills / Engineering / Cosign & Sigstore Signing

Cosign & Sigstore Signing

Sign and verify container images and artifacts with Cosign and Sigstore for supply chain integrity. Set up keyless signing with OIDC, attach SBOM and provenance attestations, verify signatures in admission controllers, and enforce signed-only deploys in CI/CD.

Cosign, part of the Sigstore project, signs and verifies OCI artifacts to prove where they came from and that they haven't been tampered with. This skill helps you configure keyless (OIDC) signing, attach and verify SBOM/SLSA provenance attestations, enforce signature verification at admission time, and add signing to release pipelines.

security supply-chain sigstore signing provenance

When to use

Use to sign and verify container images and artifacts, set up keyless signing, attach provenance/SBOM attestations, and enforce signed-only deployments.

Examples

Keyless image signing

Sign with OIDC identity

Set up keyless Cosign signing for my container images in GitHub Actions using OIDC

Verify before deploy

Enforce signed artifacts

Add a Cosign verification step so my Kubernetes admission controller only admits signed images

Attach provenance

SLSA-style attestations

Attach an SBOM and SLSA provenance attestation to my image with Cosign and show how to verify it
Added to wishlist