SIGSTORE
Signature open-source d'artifacts via OIDC keyless.
Définition
Sigstore compose : Cosign (CLI signing), Fulcio (CA short-lived certs), Rekor (transparency log immutable), Gitsign (commit signing). OIDC providers : Google, GitHub, Microsoft, Sigstore. Used by Kubernetes, npm registry, Docker Hub trust delegation. License Apache 2.0.
Origine
Lancé par Red Hat, Google, Linux Foundation en 2021.
Exemple en contexte
cosign sign --identity-token $TOKEN gcr.io/myapp:v1 signe image via OIDC GitHub.
Termes liés
- Cosign — CLI principal.