
Image signing with Cosign vs trusting a digest

Source: interview (intermediate)

WHAT IT TESTS: integrity vs authenticity. OUTLINE: a digest proves the content has not changed but not who produced it; Cosign signs the digest, so a signature that verifies with a trusted key (or keyless identity) proves provenance, and admission policies enforce that check before a pod runs.

WHAT IT TESTS: the difference between content integrity and verified provenance. ANSWER OUTLINE: a SHA-256 digest is self-referential: it guarantees that the bytes you pulled match that hash, but says nothing about who built them, and an attacker who substitutes an image simply hands you the digest of the substitute, which checks out perfectly. Cosign signs the digest (strictly, a small payload that contains it) with a private key and stores the signature in the registry alongside the image, so verifying it against the trusted public key, or against a keyless Sigstore identity (a short-lived Fulcio certificate bound to an OIDC identity and recorded in the Rekor transparency log), proves who attested to that exact digest. An admission policy (for example Sigstore policy-controller or Kyverno verifyImages) then rejects images that carry no valid signature from a trusted signer. RED FLAG: equating a digest with authenticity, or pinning by digest and calling the image "signed".
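The following Go program is an added example, not code from the Tezvyn page or from the Cosign project, that plays out the substitution attack in the answer outline. It uses Cosign's default key type (ECDSA P-256 over SHA-256) from the Go standard library, but two simplifications are assumptions of this sketch: the signature is made over the bare "sha256:..." digest string rather than the JSON payload Cosign actually signs, and the signature is passed around in memory rather than stored in the registry next to the image. The image contents are constructed sample bytes standing in for real layer blobs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest computes the content digest of an image blob in the "sha256:<hex>"
// form that OCI registries use. Anyone can compute it, including the attacker
// who substituted the blob, so it carries no information about provenance.
func Digest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// IntegrityOK is the digest check: do these bytes match the digest I was given?
func IntegrityOK(blob []byte, digest string) bool {
	return Digest(blob) == digest
}

// SignDigest plays the producer's role: sign the digest with the private key.
// Cosign's default key type is ECDSA P-256 with SHA-256, used here; the real
// tool signs a small JSON payload that contains the digest rather than the bare
// digest string (a simplification assumed by this example).
func SignDigest(priv *ecdsa.PrivateKey, digest string) ([]byte, error) {
	h := sha256.Sum256([]byte(digest))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyDigest plays the consumer's role: did the holder of the private key
// matching pub attest to exactly this digest?
func VerifyDigest(pub *ecdsa.PublicKey, digest string, sig []byte) bool {
	h := sha256.Sum256([]byte(digest))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Admit models the admission-time policy: compute the digest of the image the
// cluster is about to run and require a signature over it from the trusted key.
// A digest match alone never admits anything.
func Admit(trusted *ecdsa.PublicKey, blob, sig []byte) bool {
	return VerifyDigest(trusted, Digest(blob), sig)
}

// Scenario plays out the substitution attack with constructed sample blobs.
// It returns three verdicts: whether the attacker's image passes the digest
// check against the digest the attacker supplied, whether the legitimate image
// is admitted, and whether the attacker's image is admitted when the attacker
// replays the legitimate signature (the best they can do without the key).
func Scenario() (digestPasses, legitAdmitted, evilAdmitted bool, err error) {
	// The builder's signing key. In practice the private half lives in CI or
	// a KMS and only the public half is configured in the cluster policy.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	trusted := &priv.PublicKey

	// Constructed sample image contents (stand-ins for real layer blobs).
	legit := []byte("FROM scratch\nCOPY app /app\n")
	evil := []byte("FROM scratch\nCOPY app /app\nCOPY backdoor /app\n")

	// The producer signs the digest of the build it actually made.
	legitSig, err := SignDigest(priv, Digest(legit))
	if err != nil {
		return false, false, false, err
	}

	// The attacker swaps in the substitute and hands the consumer its digest.
	// Integrity holds: the bytes really do match the digest they were given.
	digestPasses = IntegrityOK(evil, Digest(evil))

	// Provenance does not: only a signature over the substitute's own digest,
	// made with the trusted private key, would admit it.
	legitAdmitted = Admit(trusted, legit, legitSig)
	evilAdmitted = Admit(trusted, evil, legitSig)
	return digestPasses, legitAdmitted, evilAdmitted, nil
}

func main() {
	digestPasses, legitAdmitted, evilAdmitted, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("attacker's image matches its own digest: %v\n", digestPasses)
	fmt.Printf("legitimate image admitted:              %v\n", legitAdmitted)
	fmt.Printf("substituted image admitted:             %v\n", evilAdmitted)
}
```

The real workflow the outline describes is `cosign sign --key cosign.key IMAGE@sha256:...` on the producer side and `cosign verify --key cosign.pub IMAGE` on the consumer side; the admission controller does the equivalent of Admit for every image a pod references, with the public key (or the allowed keyless identity) coming from cluster policy rather than from the image or its digest.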


