Published : Oct 27, 2021
This blip is not on the current edition of the Radar. If it was on one of the last few editions, it is likely that it is still relevant. If the blip is older, it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar.
Oct 2021
Assess

Cosign is a container signing and verification tool. Part of Sigstore — a project under the Cloud Native Computing Foundation (CNCF) umbrella aimed at simplifying software signing and transparency — Cosign supports not only Docker and Open Container Initiative (OCI) images but also other artifacts that can be stored in a container registry. We previously talked about Docker Notary, which also operates in this space; Notary v1, however, has some disadvantages: it's not registry native and needs a separate Notary server. Cosign avoids this problem and stores the signatures in the registry next to the image. It currently integrates with GitHub Actions and, through a webhook, with Kubernetes; further integrations are in the pipeline. We've used Cosign in some of our projects and it looks quite promising.
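The registry-native storage described above, as an added example (not code from this page or from the Sigstore project): Python that derives where a signature sits next to an image and checks that a signed payload names the digest that was actually pulled. The `sha256-<hex>.sig` tag convention and the simple-signing payload layout are assumptions drawn from Cosign's behaviour rather than from this page; the registry name and digest are constructed.

```python
import json
import re

# Reference pinned by digest: <repository>[:tag]@sha256:<64 hex chars>
_DIGEST_REF = re.compile(r"^(?P<repo>[^@\s]+)@sha256:(?P<hex>[0-9a-f]{64})$")


def split_digest_ref(image_ref):
    """Return (repository, hex digest); refuse references not pinned by digest."""
    m = _DIGEST_REF.match(image_ref)
    if m is None:
        # A tag is mutable, so no signature location can be derived from it.
        raise ValueError("expected <repository>@sha256:<64 hex>: %r" % image_ref)
    head, sep, last = m.group("repo").rpartition("/")
    # Drop an optional tag; a colon before the last "/" is a registry port.
    return head + sep + last.split(":", 1)[0], m.group("hex")


def signature_ref(image_ref):
    """Sibling tag in the same repository that holds the signature object."""
    repo, hexdigest = split_digest_ref(image_ref)
    return "%s:sha256-%s.sig" % (repo, hexdigest)


def signing_payload(image_ref):
    """Bytes that get signed: they bind the manifest digest, never a tag."""
    repo, hexdigest = split_digest_ref(image_ref)
    doc = {
        "critical": {
            "identity": {"docker-reference": repo},
            "image": {"docker-manifest-digest": "sha256:" + hexdigest},
            "type": "cosign container image signature",
        },
        "optional": None,
    }
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def payload_matches(payload, pulled_ref):
    """Run after the signature verifies: does the payload name the pulled digest?"""
    _, hexdigest = split_digest_ref(pulled_ref)
    try:
        claimed = json.loads(payload)["critical"]["image"]["docker-manifest-digest"]
    except (ValueError, KeyError, TypeError):
        return False  # malformed or unexpected payload is treated as a mismatch
    return claimed == "sha256:" + hexdigest


# Constructed sample reference (hypothetical registry and digest).
SAMPLE = "registry.example:5000/team/app@sha256:" + "ab" * 32
```

A valid signature over a payload that names a different digest proves nothing about the image in hand, which is why `payload_matches` is a separate step from the cryptographic check.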
