cosign
Safeguard articles tagged "cosign" — guides, analysis, and best practices for software supply chain and application security.
32 articles
Sigstore vs. Notary v2 vs. Docker Content Trust: signing containers in 2026
Docker retires Content Trust on December 8, 2026, while fewer than 0.05% of Hub pulls ever used it — here's how Sigstore and Notary v2 actually replaced it.
Image Signing with Cosign and Sigstore
A container image tag proves nothing about who built the image or whether it was tampered with. Cosign and Sigstore fix that with cryptographic signatures and a public transparency log — here is how to sign, verify, and enforce.
What Is Sigstore?
Sigstore is an open-source project for signing and verifying software without managing long-lived keys. Here's how Cosign, Fulcio, and Rekor make keyless signing work.
Securing Container Registries: From Push to Pull
Your registry is the single point every image passes through — and a favorite target for attackers who want to poison many deployments at once. Here is how to lock it down end to end.
Signing and verifying container images with Sigstore/cosign
How cosign and Sigstore replace long-lived signing keys with short-lived, identity-based certificates and a public transparency log for containers.
Container image signing and verification
Scanning tells you what's inside a container image; signing proves where it came from. Here's how signature verification closes the gap that CVE scanners like Trivy leave open.
Sigstore Policy Controller v0.15: TUF Delegation and Admission Posture
Policy Controller v0.15 ships sigstore-go's delegation-aware TUF client, a monthly cadence, and tighter integration with cosign 3.x. We benchmarked admission on a 400-node cluster.
Sigstore, Cosign, and keyless container image signing
How Sigstore's Fulcio and Rekor make Cosign keyless container image signing possible, why Chainguard built its product around it, and where the real gaps still are.
How to Sign Container Images with Cosign in Production
Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.
Cosign container signing
What is Cosign? A precise look at how this Sigstore tool signs and verifies container images, keyless signing, and how it compares to Notary v2.
Cosign Keyless Signing Workflows in 2026
How keyless signing has matured: OIDC identities, transparency log dependencies, attestation patterns, and the operational details teams still get wrong.
Cosign v3.0 Migration Guide for Production Teams
Sigstore Cosign v3.0 flips four behaviours to defaults: bundle format, trusted root, signing config, and statement-based attestations. Here's a clean upgrade plan.