Safeguard
Tag

cosign

Safeguard articles tagged "cosign" — guides, analysis, and best practices for software supply chain and application security.

32 articles

Container Security

Sigstore vs. Notary v2 vs. Docker Content Trust: signing containers in 2026

Docker retires Content Trust on December 8, 2026, while fewer than 0.05% of Hub pulls ever used it — here's how Sigstore and Notary v2 actually replaced it.

Jul 8, 20267 min read
Container Security

Image Signing with Cosign and Sigstore

A container image tag proves nothing about who built the image or whether it was tampered with. Cosign and Sigstore fix that with cryptographic signatures and a public transparency log — here is how to sign, verify, and enforce.

Jul 6, 20265 min read
Concepts

What Is Sigstore?

Sigstore is an open-source project for signing and verifying software without managing long-lived keys. Here's how Cosign, Fulcio, and Rekor make keyless signing work.

Jul 5, 20266 min read
Container Security

Securing Container Registries: From Push to Pull

Your registry is the single point every image passes through — and a favorite target for attackers who want to poison many deployments at once. Here is how to lock it down end to end.

Jul 4, 20265 min read
Container Security

Signing and verifying container images with Sigstore/cosign

How cosign and Sigstore replace long-lived signing keys with short-lived, identity-based certificates and a public transparency log for containers.

Jun 23, 20267 min read
Software Supply Chain Security

Container image signing and verification

Scanning tells you what's inside a container image; signing proves where it came from. Here's how signature verification closes the gap that CVE scanners like Trivy leave open.

Apr 25, 20268 min read
Tools

Sigstore Policy Controller v0.15: TUF Delegation and Admission Posture

Policy Controller v0.15 ships sigstore-go's delegation-aware TUF client, a monthly cadence, and tighter integration with cosign 3.x. We benchmarked admission on a 400-node cluster.

Apr 8, 20267 min read
Software Supply Chain Security

Sigstore, Cosign, and keyless container image signing

How Sigstore's Fulcio and Rekor make Cosign keyless container image signing possible, why Chainguard built its product around it, and where the real gaps still are.

Mar 30, 20267 min read
Best Practices

How to Sign Container Images with Cosign in Production

Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.

Mar 10, 20267 min read
Container Security

Cosign container signing

What is Cosign? A precise look at how this Sigstore tool signs and verifies container images, keyless signing, and how it compares to Notary v2.

Mar 4, 20267 min read
DevSecOps

Cosign Keyless Signing Workflows in 2026

How keyless signing has matured: OIDC identities, transparency log dependencies, attestation patterns, and the operational details teams still get wrong.

Feb 26, 20266 min read
Tools

Cosign v3.0 Migration Guide for Production Teams

Sigstore Cosign v3.0 flips four behaviours to defaults: bundle format, trusted root, signing config, and statement-based attestations. Here's a clean upgrade plan.

Feb 25, 20265 min read
cosign — Safeguard Blog