Software, services, and proposals I’m tracking for supply chain security.

Signing Tools

certstrap — Certificate signing and key management

https://github.com/square/certstrap

cosign — Container Signing

https://github.com/sigstore/cosign

A simple tool for signing and verifying container images; it can also be used to sign other types of data.

Basic Usage:

# Generate a key pair
$ cosign generate-key-pair

# Sign an image
$ cosign sign --key cosign.key <image>

# Verify a signature
$ cosign verify --key cosign.pub <image>

rekor — Immutable signing ledger

https://github.com/sigstore/rekor

Architecture