By Samson Tanimawo, PhD
Published Nov 30, 2025
Image Signing With Cosign
Sign images at build; verify at deploy.
Sign
Run cosign sign image:tag in the build.
The signature is stored alongside the image in the registry.
Verify
An admission controller verifies the signature.
Unsigned images are rejected at deploy.
Trust chain
The public key lives in the cluster. The build CI signs with the private key.
Together this gives end-to-end trust.
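
The sign-then-verify flow above with a key pair, as an added example that is not part of the original article. The admit function is a hypothetical deploy-time stand-in for the admission controller, and the key paths and image references passed to it are assumptions.

```shell
#!/bin/sh
# Added example: key-based cosign flow (sign at build, verify at deploy).
# Function names, key paths and image references are placeholders.

# One-time setup: writes cosign.key (private, kept in CI secrets)
# and cosign.pub (public, distributed to the cluster).
gen_keys() {
    cosign generate-key-pair
}

# Build CI: sign the pushed image with the private key.
# The signature is stored in the registry next to the image.
sign_image() {  # $1 = image reference, $2 = private key path
    cosign sign --yes --key "$2" "$1"
}

# Deploy side: succeeds only if the registry holds a signature
# that validates against the given public key.
verify_image() {  # $1 = image reference, $2 = public key path
    cosign verify --key "$2" "$1" >/dev/null 2>&1
}

# Fail-closed gate: any verification failure (unsigned image, wrong key,
# unreachable registry, cosign not installed) rejects the image.
admit() {  # $1 = image reference, $2 = public key path
    if verify_image "$1" "$2"; then
        echo "ADMIT $1"
    else
        echo "REJECT $1" >&2
        return 1
    fi
}

# Usage: ./gate.sh <image> <public-key>
# With no arguments the file only defines the functions.
if [ "$#" -eq 2 ]; then
    admit "$1" "$2"
fi
```

Only the public key is needed on the verifying side, so the private key never has to leave the build CI.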