
Image Signing — Cosign and Sigstore

19. 11. 2025 1 min read intermediate

A signed image guarantees that it comes from your build and has not been modified. Cosign + Sigstore solve this elegantly.

Cosign — signing and verification

Signing (keyless — OIDC identity)

cosign sign --yes ghcr.io/myorg/myapp:v1.0

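Verification

Keyless verification has to name the expected signer identity and OIDC issuer (cosign 2.x refuses to verify without them); the values here are the ones used in the Kyverno policy on this page.

cosign verify --certificate-identity-regexp '^.+@myorg\.com$' --certificate-oidc-issuer https://accounts.google.com ghcr.io/myorg/myapp:v1.0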
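
A CI step for the keyless flow above, as an added example that is not from the original page: it refuses mutable tags, signs by digest, and verifies against the expected identity right after signing. The function names are hypothetical, the digest is assumed to come from the build/push step, and the identity and issuer reuse the values from the page's Kyverno policy.

```shell
#!/bin/sh
# Added example: keyless sign + verify, pinned to an image digest.
# Assumption: identity/issuer values are the ones in the page's Kyverno policy.
IDENTITY_RE='^.+@myorg\.com$'
ISSUER='https://accounts.google.com'

# True only for repo@sha256:<64 hex>; tags are mutable and are rejected.
is_digest_ref() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# pin_to_digest REF DIGEST -> REPO@DIGEST, dropping any tag or old digest.
# A ':' counts as a tag separator only in the last path component, so a
# registry port such as localhost:5000/app is preserved.
pin_to_digest() {
  repo=${1%%@*}
  case "${repo##*/}" in
    *:*) repo=${repo%:*} ;;
  esac
  printf '%s@%s\n' "$repo" "$2"
}

# Sign, then immediately verify against the expected identity and issuer.
# Returns 2 without calling cosign if the reference is not a digest.
sign_and_verify() {
  if ! is_digest_ref "$1"; then
    echo "refusing to sign mutable reference: $1" >&2
    return 2
  fi
  cosign sign --yes "$1" || return 1
  cosign verify \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$ISSUER" \
    "$1" >/dev/null
}
```

In a pipeline this would be called as `sign_and_verify "$(pin_to_digest ghcr.io/myorg/myapp:v1.0 "$DIGEST")"`, where `$DIGEST` is the `sha256:...` value reported by the push.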

With a key

cosign generate-key-pair
cosign sign --key cosign.key ghcr.io/myorg/myapp:v1.0
cosign verify --key cosign.pub ghcr.io/myorg/myapp:v1.0

Kubernetes admission — Kyverno

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  rules:
    - name: verify-cosign
      match:
        resources:
          kinds: [Pod]
      verifyImages:
        # Only images matching this pattern are checked by this rule
        - imageReferences: ["ghcr.io/myorg/*"]
          attestors:
            - entries:
                # Expected signer identity and OIDC issuer for keyless signatures
                - keyless:
                    subject: "*@myorg.com"
                    issuer: "https://accounts.google.com"

Key Takeaway

Sign images in CI/CD and verify them in Kubernetes (Kyverno/OPA). Use keyless signing with Sigstore.


CORE SYSTEMS team

We build core systems and AI agents that keep operations running. 15 years of experience in enterprise IT.