cosign
https://github.com/sigstore/cosign
Go
Container Signing
Help out
- Issues
  - Keep track of Rekor tree state (just like rekor-cli does)
  - Provenance attestation does not contain subjects for each tag created.
  - cmd/tlog: ability to fetch all UUIDs by providing image reference
  - cosign download sbom from ghcr.io throw Error: MANIFEST_UNKNOWN: manifest unknown
  - Breaking Change: image sign annotations from `dev.cosignproject.cosign` to `dev.sigstore.cosign`
  - Allow for alternate registry API implementations
  - Local registry times out unless --allow_insecure_registry is used
  - Improve handling of tlog interaction when `--upload=false`
  - Signing should reject annotations that conflict with reserved fields
  - add generic webhook impl for verifying attestation integrity in addition to CUE or Rego policies
- Docs
  - Go not yet supported