Technology Radar
Published : Oct 27, 2021
NOT ON THE CURRENT EDITION
This blip is not on the current edition of the Radar. If it was on one of the last few editions, it is likely that it is still relevant. If the blip is older, it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar.
Oct 2021
Assess
Sigstore is a Cloud Native Computing Foundation (CNCF) project that aims to simplify software signing and transparency. Cosign, one of its components, is used for signing and verifying containers. Cosign supports not only Docker and Open Container Initiative (OCI) images but also other kinds of artifacts that can be stored in a container registry. The Radar has previously covered Docker Notary, which offers similar functionality, but the problem with Notary v1 was that it required maintaining a separate Notary server and could not be integrated natively into the container registry. Cosign stores the signature alongside the image in the registry, so it does not have this problem. Cosign can currently be integrated with GitHub Actions and Kubernetes via webhooks, and it can be integrated further into pipelines. We have used Cosign on several projects, and it has worked well.
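The point that distinguishes Cosign from Notary v1 is where the signature lives and what it binds: a separate artifact pushed to the same repository under a tag derived from the image's manifest digest, whose signed payload names that digest. The following is an added illustration, not Cosign's or Sigstore's code. It uses a constructed in-memory registry and an HMAC-SHA256 shared secret as a stand-in for Cosign's ECDSA key pair; the `sha256-<hex>.sig` tag convention and the "simple signing" payload shape are Cosign's, everything else (`ToyRegistry`, `sign_image`, `verify_image`, the sample manifests) is assumed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for cosign's key pair: HMAC-SHA256 with a shared secret.
# Real cosign signs with an ECDSA key (cosign generate-key-pair); the registry
# layout and the digest-binding check below are what this example demonstrates.


def manifest_digest(manifest: bytes) -> str:
    """Content digest of an image manifest, as a registry would report it."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()


def signature_tag(digest: str) -> str:
    """Tag under which cosign stores the signature for an image digest.

    The signature is a separate OCI artifact in the *same* repository,
    tagged sha256-<hex>.sig, so no extra signing server is needed.
    """
    algo, hex_digest = digest.split(":", 1)
    return f"{algo}-{hex_digest}.sig"


def simple_signing_payload(reference: str, digest: str) -> bytes:
    """The 'simple signing' JSON cosign signs; it binds the manifest digest."""
    payload = {
        "critical": {
            "identity": {"docker-reference": reference},
            "image": {"docker-manifest-digest": digest},
            "type": "cosign container image signature",
        },
        "optional": None,
    }
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


class ToyRegistry:
    """Constructed in-memory registry: (repo, tag) -> blob bytes."""

    def __init__(self):
        self.blobs = {}

    def push(self, repo: str, tag: str, blob: bytes) -> None:
        self.blobs[(repo, tag)] = blob

    def pull(self, repo: str, tag: str):
        return self.blobs.get((repo, tag))


def sign_image(registry, key: bytes, repo: str, tag: str, manifest: bytes) -> str:
    """Push the manifest and its signature artifact; return the signed digest."""
    digest = manifest_digest(manifest)
    registry.push(repo, tag, manifest)
    payload = simple_signing_payload(f"{repo}:{tag}", digest)
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    artifact = json.dumps({"payload": payload.decode(), "signature": mac}).encode()
    registry.push(repo, signature_tag(digest), artifact)
    return digest


def verify_image(registry, key: bytes, repo: str, digest: str) -> bool:
    """Admission-style check: accept only a digest with a valid signature."""
    artifact = registry.pull(repo, signature_tag(digest))
    if artifact is None:
        return False
    try:
        doc = json.loads(artifact)
        payload = doc["payload"].encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, doc["signature"]):
            return False
        signed = json.loads(payload)["critical"]["image"]["docker-manifest-digest"]
    except (KeyError, ValueError, TypeError):
        return False
    # The payload must name the digest being verified, so a valid signature
    # cannot simply be re-attached to a different manifest.
    return hmac.compare_digest(signed, digest)


def demo():
    """Sign a constructed image, then show a tampered manifest is rejected."""
    registry = ToyRegistry()
    key = secrets.token_bytes(32)
    manifest = b'{"schemaVersion":2,"layers":["constructed-layer-digest"]}'
    digest = sign_image(registry, key, "example.org/app", "1.0", manifest)
    ok = verify_image(registry, key, "example.org/app", digest)

    tampered = b'{"schemaVersion":2,"layers":["tampered-layer"]}'
    bad_digest = manifest_digest(tampered)
    registry.push("example.org/app", "1.0", tampered)
    # Copy the genuine signature under the tampered digest's tag: still rejected.
    registry.push("example.org/app", signature_tag(bad_digest),
                  registry.pull("example.org/app", signature_tag(digest)))
    rebound = verify_image(registry, key, "example.org/app", bad_digest)
    return ok, rebound


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because verification is keyed on the manifest digest rather than the mutable tag, overwriting `example.org/app:1.0` does not transfer trust to the new content; a Kubernetes admission webhook resolves the pod's image to its digest and applies exactly this kind of check before the pod is scheduled.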