Sigstore / Cosign
Source: content/manual/06-glossary/supplychain/sigstore.md
Definition
Sigstore is a set of tools and services for keyless signing and verifying software artifacts; Cosign is the container image signing/verification CLI.
Why it matters
Enables provenance and tamper detection for OCI images and other artifacts.
Common pitfalls
- Signing without enforcing verification in admission.
- Lost track of signatures/attestations across registries.