Keyless Signing with Sigstore Cosign
Signing OCI charts without managing GPG keys.
The Trouble With GPG Keys
Classic Helm provenance means managing long-lived GPG keys: storing them securely, rotating them, and distributing the public keys to everyone who verifies. Sigstore offers a lighter path in which no long-lived private key exists at all.
Meet Cosign
Cosign, part of the Sigstore project, signs container images and other OCI artifacts. In keyless mode it authenticates you through an OIDC provider, obtains a short-lived signing certificate bound to that identity from Fulcio, and records the signature in the Rekor transparency log, so there is no private key to store or rotate. Helm charts pushed to OCI registries are exactly such artifacts, so the same sign and verify commands apply to them unchanged.
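The push, sign and verify flow for an OCI-hosted chart, as an added example that is not part of this course's material. It assumes helm and cosign are installed, and the registry path, chart file, signer identity and OIDC issuer are placeholders to replace with your own; the signature is attached to the chart's digest rather than a mutable tag, and verification pins the expected identity and issuer.

```shell
#!/bin/sh
# Added example: keyless-sign a Helm chart in an OCI registry with cosign.
# Placeholders (assumptions, not values from the course):
REGISTRY="${REGISTRY:-ghcr.io/example-org/charts}"
CHART_TGZ="${CHART_TGZ:-mychart-1.2.3.tgz}"
SIGNER_IDENTITY="${SIGNER_IDENTITY:-release@example.com}"
OIDC_ISSUER="${OIDC_ISSUER:-https://accounts.google.com}"
set -eu

# `helm push` prints a line "Digest: sha256:<64 hex>"; keep only the digest so
# the signature binds to immutable content, not to a tag someone can move.
digest_from_push_output() {
  sed -n 's/^Digest: \(sha256:[0-9a-f]\{64\}\)$/\1/p'
}

# Chart name is the archive name up to the first "-<digit>" (e.g. mychart-1.2.3.tgz -> mychart).
chart_name_from_tgz() {
  printf '%s\n' "${1%%-[0-9]*}"
}

# Digest-pinned OCI reference: <registry>/<chart>@sha256:...
chart_ref() {
  printf '%s/%s@%s\n' "$REGISTRY" "$1" "$2"
}

push_and_sign() {
  name="$(chart_name_from_tgz "$CHART_TGZ")"
  digest="$(helm push "$CHART_TGZ" "oci://$REGISTRY" 2>&1 | digest_from_push_output)"
  ref="$(chart_ref "$name" "$digest")"
  # Keyless: cosign opens an OIDC login, gets a short-lived Fulcio certificate
  # for that identity and logs the signature in Rekor. --yes skips the prompt.
  cosign sign --yes "$ref"
  printf '%s\n' "$ref"
}

verify_chart() {
  # Pin both the identity and the issuer; without them any Fulcio-issued
  # certificate would satisfy the check, which defeats the purpose.
  cosign verify \
    --certificate-identity "$SIGNER_IDENTITY" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$1"
}

# Usage: ref="$(push_and_sign)" && verify_chart "$ref"
```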