With over 16 million pulls per month, Google’s
Right now, cosign can be run as an image or as a CLI tool. It supports:
- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
- Built-in binary transparency and timestamping service (Rekor)
Signing distroless with cosign is just the beginning, and we plan to incorporate other sigstore technologies into distroless to continue to improve it over the next few months. We also can’t wait to integrate sigstore with other critical projects. Stay tuned here for updates! To get started verifying your own distrolesss images, check out the distroless README and to learn more about sigstore, check out sigstore.dev.
Gurupriyan is a Software Engineer and a technology enthusiast, he’s been working on the field for the last 10 years. Currently focusing on mobile app development and IoT.