Is Sigstore Susceptible to Psychic Signatures? Sources Say: Sounds Suspect
Does the psychic signature vulnerability also affect Sigstore, a code artifact signing and verification project? The short answer is NO!…
For those unfamiliar with ko, it “is a simple, fast container image builder for Go applications;” its objective is to enable developers to stop worrying about containers, and focus on their application. The philosophy of ko aligns with our mission at Chainguard: to make the software supply chain secure by…
In this post, we’ll walk you through setting up Tekton Chains on Amazon EKS to improve the security of your Tekton pipelines. Tekton Chains simplifies signing software via “keyless signing”, which means that users don’t have to manage private keys or be responsible for distributing public keys. Instead,…
In a previous blog article, we illustrated how simple it was to use Sigstore on Amazon EKS to perform keyless signing. Keyless signing is now also available on Azure AKS thanks to the recent addition of OpenID Issuer support. In this post, we will sign images created on an AKS…
In a previous blog post, we demonstrated how to sign container images with sigstore’s Cosign via AWS CodePipeline. Now it’s time to deploy that image, but how do we verify it is signed? In Kubernetes, we would use an admission controller to validate that the image is signed.…
In this post we are going to show you how to integrate sigstore’s Cosign with AWS CodePipeline.…
In this post, you will learn how to use Project Sigstore’s “keyless signing” to sign images and other artifacts from your GitHub Actions workflows.…
In this post we’ll clarify 5 common misconceptions we’ve heard about the Sigstore project.…