Signing your container images with SignServer and Cosign helps you secure your software supply chain.
A signed container image allows you to verify where an image came from, to ensure it was not tampered with and that only trusted images are pulled into your systems. A container signature identifies and authenticates who signed the image and carries a signed payload in a JSON file that identifies the signed image.
How to Sign Containers with Cosign and SignServer
Signed container images can be created with SignServer together with Cosign. Cosign is a tool for container signing and verification from the Sigstore project of the Linux foundation. It allows storing signatures alongside an image or artifact in the Open Container Initiative (OCI) registry. For more information, see the Cosign documentation.
To sign a container image, you first use Cosign to generate a payload containing the digest of the container image. Then, use SignServer to sign the payload and finally attach the signed payload to the container image in the registry using Cosign.
Cosign can later be used to verify that the digest of the signature payload matches the digest of the container image that the signature is attached to.
Why use SignServer for Container Signing
SignServer is open source-based and allows you to sign not only containers but also more than 20 other signature formats for code signing, document signing, and timestamping. Additionally, SignServer supports HSMs from multiple vendors. To store signature keys securely and compliantly, an HSM is always recommended.
With SignServer, all your signature services are managed in one place and security is enforced consistently and cost-effectively. Furthermore, the platform can also be integrated with your DevOps infrastructure for process automation.