Cosign 1.0


It’s happening! Cosign’s 1.0 release is slated for July 28. If you were curious before but were hesitant about a pre-release project, now’s a good time to try it out and leave some comments.

For the initial release we plan on supporting:

* Signing images with KMS (GCP, AWS, Azure, Vault), YubiKeys, and locally stored keys
* Verifying image signatures using the same, plus public keys specified by URL
* Verifying images in Dockerfiles
* Uploading & signing arbitrary blobs (and 📄✍🏻👨🏻‍🦳 🇺🇸SBOMs🦅)
* Stable APIs in pkg/ for integrating Cosign into build systems and policy engines

Additionally, we’re shipping with some exciting endgame features that are available on an experimental/unstable basis:

* Fulcio root CA and Rekor transparency log integration
* “Keyless” signing tied to OIDC identity

We’re seeking community feedback on the current UX, signature spec, feature requests and ecosystem integrations, and any showstopping issues you may encounter. Please play around with cosign, and give us your thoughts on GitHub or Slack!