Signed release artifacts with cosign for software supply chain trust

4341 views

                  #!/usr/bin/env bash
set -euo pipefail

cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/example/codesnips:${GITHUB_SHA}
cosign verify --key env://COSIGN_PUBLIC_KEY ghcr.io/example/codesnips:${GITHUB_SHA}

Artifact signing gives downstream systems something concrete to verify before deployment. I use cosign because it keeps container and provenance signing practical in CI. Supply chain controls only matter if verification is automated where release decisions happen.

Kai Nakamura

More from Kai Nakamura

Signed release artifacts with cosign for software supply chain trust

0 Comments

More from Kai Nakamura