ediverse Explorer la plateforme

À la une PEPPOL BIS Billing 3.0 L’obligation européenne d’e-invoicing arrive : France sept 2026, Belgique janv 2026, Allemagne 2025.

SIGSTORE-COSIGN

Sigstore Cosign keyless OIDC container signing.

Définition

Cosign workflow keyless : (1) Build CI workflow obtains OIDC token (GitHub Actions workflow OIDC token via id-token: write permission, GoogleCloudBuild workload identity, etc.). (2) Cosign sign command : envoie OIDC token + signature ephemeral key vers Fulcio Certificate Authority Sigstore. (3) Fulcio CA issues short-lived X509 certificate (10-minute validity) binding ephemeral key to OIDC identity (e.g., 'github-actions://kubernetes/kubernetes@main'). (4) Cosign signs OCI image digest via ephemeral key + certificate. (5) Cosign uploads signature + certificate to Rekor transparency log (immutable append-only Sigstore-hosted Merkle tree). (6) Signature + certificate attached to OCI image via OCI registry referrers API. Verification : cosign verify command queries Rekor for signature + verifies via Fulcio root CA cert + verifies OIDC issuer matches expected identity. Tools : cosign CLI, sigstore-go library, sigstore-python, cosign Helm chart, Kyverno admission controller verify, Kubernetes admission webhooks integration. Key-based legacy mode (cosign generate-key-pair) still supported.

Origine

Sigstore announce mars 2021 par Linux Foundation + Red Hat + Google + Purdue University ; Cosign initial release 2021 ; Sigstore CNCF Sandbox 2022 + Incubating 2023 ; ~90% supply chain signing adoption OSS 2024.

Exemple en contexte

Kubernetes release v1.30.0 build via Prow CI : cosign sign --identity-token (GitHub OIDC) container images kubernetes/kube-apiserver:v1.30.0 keyless, Fulcio issues cert binding 'github-actions://kubernetes-release-bot@main', Rekor log entry uuid; end users verify cosign verify --certificate-identity 'github-actions://...' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'.

Termes liés

Dernière mise à jour: 16 mai 2026