Container Image Signing with Cosign and Sigstore
Signing images used to mean heavy cryptographic lifting: generating keys, guarding them, rotating them. With Sigstore it is one CI step.
Why image signing matters
Image signing answers the question ‘was this image built by a process I authorize?’ Without it, you trust whoever could push to the registry, and a tag is only a mutable pointer to whatever was pushed last.
Supply-chain attacks have made unsigned images a real risk vector.
Cosign + Sigstore basics
- Cosign signs container images. Its keyless flow exchanges an OIDC identity token (from GitHub Actions, GitLab, Google and similar providers) for a short-lived signing certificate issued by Fulcio; the signing key is ephemeral and discarded after use, so there is no long-lived key to store or rotate.
- The public Sigstore instance (Fulcio and Rekor) is free to use, and signatures are stored in the same OCI registry as the image, so there is no infrastructure to operate unless you choose to self-host.
CI integration
CI step: cosign sign --yes <registry>/<image>@sha256:<digest>. Done. Cosign v2 is keyless by default; sign the digest rather than the tag, because a tag can be repointed after you sign it. The signature and the short-lived certificate are pushed to the registry next to the image and recorded in Rekor, Sigstore’s append-only transparency log.
Ten minutes to integrate. The certificate expires within minutes, but the Rekor entry proves the signature was made while it was valid, so verification keeps working for as long as the signature stays in the registry.
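The whole CI step as a GitHub Actions job, as an added example rather than code from the original page or from the Sigstore project. The registry path ghcr.io/example-org/example-app, the workflow file name release.yaml and the v* tag trigger are assumptions; swap in your own. The job builds and pushes, signs the resulting digest keylessly, then verifies the signature with the same identity pin the cluster policy will use, so a broken signing step fails the pipeline rather than the deploy.

```yaml
# Added example, not from the original page or the Sigstore project.
# Assumed: registry ghcr.io/example-org/example-app, workflow file
# .github/workflows/release.yaml, tags of the form v*.
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  packages: write   # push to ghcr.io
  id-token: write   # lets the job request the OIDC token that Fulcio exchanges for a signing certificate

jobs:
  build-sign-verify:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/example-org/example-app
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.ref_name }}

      - uses: sigstore/cosign-installer@v3

      # Sign the digest the build step reports, not the tag: a tag can be
      # repointed after signing. Cosign v2 is keyless by default; --yes skips
      # the interactive prompt that precedes the Rekor upload.
      - name: Sign image
        run: cosign sign --yes "${IMAGE}@${{ steps.build.outputs.digest }}"

      # Verify against the exact OIDC issuer and workflow identity that Fulcio
      # put in the certificate. For a GitHub Actions job the identity is
      # https://github.com/<org>/<repo>/.github/workflows/<file>@<git ref>.
      - name: Verify signature
        run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/release.yaml@${{ github.ref }}" \
            "${IMAGE}@${{ steps.build.outputs.digest }}"
```

The verify step is the check most teams skip: it proves the certificate identity string is what you think it is before you hard-code that string into an admission policy. If the workflow file is renamed or the job is moved into a reusable workflow, this step fails first and tells you the identity changed.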
Cluster-side verification
Policy controller (Sigstore policy-controller, Kyverno) blocks unsigned images at the cluster admission webhook, before a pod is ever scheduled.
Trust hierarchy: only images signed by a known identity (your CI) deploy. With keyless signing the certificate carries both the OIDC issuer and the subject (for GitHub Actions, the repository, workflow file and git ref), and the policy must pin both. Matching only the issuer would admit any image signed by any workflow in any repository that uses that provider.
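A Sigstore policy-controller ClusterImagePolicy that enforces exactly that trust hierarchy, as an added example that is not part of the original page or of the policy-controller project. The org, repository, workflow file name and version tag pattern are assumptions chosen to match a GitHub Actions release workflow; the public Fulcio and Rekor URLs are the Sigstore defaults.

```yaml
# Added example, not from the original page or the policy-controller project.
# Assumed: images live under ghcr.io/example-org/ and are signed by the
# release.yaml workflow in the example-org/example-app repository.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: require-release-workflow-signature
spec:
  images:
    - glob: "ghcr.io/example-org/**"
  authorities:
    - keyless:
        url: https://fulcio.sigstore.dev
        identities:
          # Pin issuer AND subject. Issuer alone would admit anything signed
          # from any GitHub Actions workflow in any repository on github.com.
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: "^https://github\\.com/example-org/example-app/\\.github/workflows/release\\.yaml@refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$"
      # Require a matching Rekor entry, so a signature whose short-lived
      # certificate was not logged while valid is rejected.
      ctlog:
        url: https://rekor.sigstore.dev
```

Two things to check after applying it. The webhook only evaluates namespaces labelled policy.sigstore.dev/include=true, so label the namespace the target workload runs in. And an image that matches no policy’s glob is admitted by default; either widen the glob or change the controller’s no-match-policy setting to deny, otherwise a typo in the registry path silently turns enforcement off.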
Antipatterns
- Signing without verification. Pure theatre: a signature nobody checks stops nothing.
- Long-lived keys instead of keyless. Keys to lose, rotation pain, and a stolen key signs silently; a keyless signature is bound to an identity and logged in Rekor, where you can see it being used.
- No emergency revocation plan. Keyless certificates expire in minutes, so there is nothing to revoke; when a CI identity is compromised the path is to remove that identity from the admission policy, delete the signatures it produced from the registry, and use the Rekor log (append-only, so entries cannot be removed, only found) to enumerate everything it signed during the window.
What to do this week
Three moves. (1) Pick one production service, sign its image in CI and enforce verification in the namespace it runs in. (2) Measure the security signal before and after: the share of running images in the cluster that carries a signature verifiable against a pinned identity. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.