bash 5 lines · 1 tab

Signed release artifacts with cosign for software supply chain trust

Kai Nakamura Apr 2026
1 tab
#!/usr/bin/env bash
set -euo pipefail

cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/example/codesnips:${GITHUB_SHA}
cosign verify --key env://COSIGN_PUBLIC_KEY ghcr.io/example/codesnips:${GITHUB_SHA}
1 file · bash Explain with highlit

Artifact signing gives downstream systems something concrete to verify before deployment. I use cosign because it keeps container and provenance signing practical in CI. Supply chain controls only matter if verification is automated where release decisions happen.

Share this code

Here's the card — post it anywhere.

Signed release artifacts with cosign for software supply chain trust — share card
Link copied