Google has released cosign, a new open-source tool that simplifies signing and verifying container images.
Cosign was developed in partnership with the Linux Foundation's sigstore project; its goal, according to the company, is to "make signatures invisible infrastructure."
Google says it has used the open-source tool to sign all of its distroless images, and that users of distroless (images that contain only the application and its runtime dependencies) can now easily verify that they are running the expected base image.
The company has integrated cosign into the distroless CI pipeline, adding distroless signing as one more step in the Cloud Build job responsible for building the images.
"To sign any distroless image, this extra step uses the cosign container image and a key pair stored in GCP KMS. Users can now verify that the distroless image they're running was created in the correct CI setting, thanks to this additional signing step," Google explains.
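The signing and verification steps described above, as an added illustration written for this page in Go (the language cosign itself is written in) and not cosign's or Google's own code. It builds a payload modelled on the "simple signing" JSON that cosign attaches to an image (the exact field names are an assumption about cosign's format), signs the SHA-256 of that payload with an ECDSA P-256 key standing in for the GCP KMS key, and then does what a distroless consumer does: checks the signature under the publisher's public key and checks that the signed digest is the digest of the image actually being pulled. The manifests, image reference and key are constructed; nothing is pulled from a registry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// SimpleSigningPayload follows the "simple signing" JSON layout cosign signs
// (assumption: field names as cosign used them when this article appeared).
// The digest inside "critical" is what binds a signature to one exact image.
type SimpleSigningPayload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

// GenerateKey creates the publisher's ECDSA P-256 key pair. In the setup the
// article describes the private half lives in GCP KMS and never leaves it.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// ManifestDigest computes the "sha256:<hex>" digest a registry assigns to an
// image manifest. A tag can be moved; a digest cannot.
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignImage is the CI-side step: build the payload for (ref, digest) and sign
// SHA-256 of it. The payload and the base64 signature are what get stored in
// the registry alongside the image.
func SignImage(priv *ecdsa.PrivateKey, ref, digest string) ([]byte, string, error) {
	var p SimpleSigningPayload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature"
	payload, err := json.Marshal(p)
	if err != nil {
		return nil, "", err
	}
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return nil, "", err
	}
	return payload, base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyImage is the consumer-side check. Both conditions must hold:
//  1. the signature over the stored payload verifies under the publisher's key;
//  2. the digest named in that payload equals the digest of the image actually
//     pulled. Without (2) a valid signature for an old image could simply be
//     re-attached to a different one.
func VerifyImage(pub *ecdsa.PublicKey, payload []byte, sigB64, pulledDigest string) (bool, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false, err
	}
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return false, fmt.Errorf("signature does not verify under this public key")
	}
	var p SimpleSigningPayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return false, err
	}
	if got := p.Critical.Image.DockerManifestDigest; got != pulledDigest {
		return false, fmt.Errorf("signed digest %s does not match pulled image %s", got, pulledDigest)
	}
	return true, nil
}

func main() {
	// Constructed stand-ins for real manifests; the reference is a label only.
	good := ManifestDigest([]byte(`{"schemaVersion":2,"layers":["constructed-layer-a"]}`))
	evil := ManifestDigest([]byte(`{"schemaVersion":2,"layers":["constructed-layer-b"]}`))
	priv, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	payload, sig, err := SignImage(priv, "gcr.io/distroless/static", good)
	if err != nil {
		panic(err)
	}
	ok, err := VerifyImage(&priv.PublicKey, payload, sig, good)
	fmt.Println("expected image:", ok, err)
	ok, err = VerifyImage(&priv.PublicKey, payload, sig, evil)
	fmt.Println("substituted image:", ok, err)
}
```

The cosign CLI does the same work through its `sign` and `verify` subcommands and stores the payload and signature in the registry next to the image, so a consumer needs only the publisher's public key and the digest of what was pulled; with a KMS-backed key, as in the distroless pipeline, the private key is never present on the CI worker at all.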
Cosign supports hardware and KMS signing, bring-your-own PKI, the sigstore project's free OIDC-based PKI (Fulcio), and a built-in binary transparency and timestamping service (Rekor). It can be run as a CLI tool or as a container image.
Kubernetes, to which sigstore maintainers contribute, is already using the new tool to verify images, and Kubernetes SIG Release aims to build "a consumable, inspectable, and stable supply chain for the project," according to Google. In the coming months, Google expects to bring more sigstore innovations to distroless.