
Cosign

by CNCF / Sigstore

CNCF open-source container image signing and verification tool enabling APAC DevSecOps and platform engineering teams to sign OCI container images with keyless Sigstore Fulcio certificates or long-lived keys — storing signatures in OCI registries alongside images for distribution with no separate signature storage, and integrating with Kyverno or OPA admission controllers for APAC Kubernetes production deployment verification.

AIMenta verdict
Recommended
5/5

"Cosign is the CNCF container image signing tool for APAC — keyless signing via Sigstore or key-based signing stored in OCI registries. Best for APAC DevSecOps teams implementing supply chain security with verifiable image provenance for APAC Kubernetes production deployments."

What it does

Key features

  • Keyless signing — APAC CI/CD systems sign images with OIDC identity tokens, no long-lived key management
  • OCI registry attachment — APAC image signatures stored in registry alongside images, no separate storage
  • Sigstore transparency log — APAC signing events recorded in Rekor for public auditability
  • SBOM attachment — attach Syft/Grype APAC SBOMs to OCI images for supply chain documentation
  • Kyverno integration — Cosign signatures enforced by APAC Kubernetes admission control policies
  • Hardware security module support — sign APAC images with keys stored in AWS KMS, GCP KMS, or Azure Key Vault
  • Multi-architecture support — sign APAC multi-platform OCI image manifests and attestations
When to reach for it

Best for

  • APAC DevSecOps and platform engineering teams implementing software supply chain security — Cosign keyless signing with Sigstore provides APAC image signing without long-lived key management, and signature enforcement through Kyverno blocks unsigned images from APAC production
  • APAC organisations responding to CISA/APAC cybersecurity agency guidance on AI and container supply chain security requiring image provenance verification and SBOM documentation for APAC software deployments
  • APAC regulated industries (FSI, healthcare) where APAC regulators or auditors require evidence of software component provenance — Cosign SBOM attachments and Rekor transparency log provide APAC supply chain audit artifacts
  • APAC CI/CD platform engineering teams using GitHub Actions or GitLab CI who want keyless container image signing integrated directly into APAC build pipelines without managing PKI key infrastructure
Don't get burned

Limitations to know

  • ! Sigstore public infrastructure dependency — Cosign keyless signing uses Sigstore's public Fulcio CA and Rekor transparency log; APAC organisations with data sovereignty requirements or air-gapped environments must deploy self-hosted Sigstore infrastructure (Fulcio, Rekor) at significant additional complexity
  • ! Key management for non-OIDC environments — APAC CI/CD systems without OIDC support (on-premise Jenkins without OIDC) require long-lived key management for Cosign signing; APAC teams should evaluate whether their CI/CD environment supports OIDC before choosing keyless signing
  • ! Verification infrastructure — Cosign signature enforcement requires admission controllers (Kyverno, Connaisseur) to be deployed and configured in APAC Kubernetes clusters; the signing and verification components must be deployed and maintained together for end-to-end APAC supply chain security
  • ! Signature lifecycle management — Cosign signatures stored in OCI registries as artifacts require garbage collection policies; APAC platform teams must account for signature artifact storage growth as APAC images are rebuilt and new signature artifacts accumulate in APAC registries
Context

About Cosign

Cosign is a CNCF open-source tool from the Sigstore project that enables APAC DevSecOps and platform engineering teams to cryptographically sign OCI container images after building them and verify those signatures before deploying to APAC Kubernetes production — implementing the software supply chain security principle that only container images with verifiable provenance (built by APAC CI/CD systems from approved source code, not tampered with after build) should run in APAC production infrastructure.

Cosign's keyless signing model removes the need to store long-lived signing keys in APAC CI/CD systems. The CI/CD system authenticates to Sigstore's Fulcio certificate authority with a short-lived OIDC token from GitHub Actions, GitLab CI, Google Cloud, or AWS; Fulcio issues a short-lived X.509 certificate bound to that OIDC identity; Cosign signs the APAC container image with that certificate and records the signing event in Sigstore's Rekor transparency log. This lets APAC platform engineering teams implement container image signing without the operational burden of managing and rotating long-lived GPG or PKI keys in APAC CI/CD infrastructure.

Cosign's OCI registry signature storage model — where APAC container image signatures are stored in the same OCI registry as the signed image, attached to the image manifest as an OCI artifact with a predictable tag scheme (`sha256-<digest>.sig`) — enables APAC CI/CD pipelines to verify image signatures by pulling signature artifacts from the same APAC registry as the image without separate signature storage infrastructure, and enables [Skopeo](/ai-tools/skopeo) to copy signatures alongside images during APAC registry promotion.

Cosign's SBOM attachment model — where APAC DevSecOps teams generate Software Bill of Materials (SBOM) documents using tools like Syft and attach them to container images in OCI registries using `cosign attach sbom` — enables APAC platform engineering teams to store APAC component dependency manifests alongside container images for vulnerability scanning and APAC software composition analysis at deployment time without separate SBOM storage.

Cosign's verification integration — where APAC Kubernetes admission controllers (Kyverno image verification policies, Connaisseur, Policy Controller) verify Cosign signatures on container images before allowing APAC pod admission — enables APAC platform engineering teams to enforce that only signed images from approved APAC build pipelines can run in APAC production Kubernetes clusters, implementing software supply chain security as a Kubernetes admission control policy rather than an advisory check.
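The admission control enforcement described above, as an added Kyverno policy example that is not from this page or from the Kyverno or Cosign projects; the registry path, GitHub organisation and workflow identity are placeholder assumptions. The security-relevant detail is that the keyless attestor pins both the certificate subject and the OIDC issuer, so a valid Sigstore signature from any other identity is still rejected.

```yaml
# Kyverno ClusterPolicy verifying Cosign keyless signatures at pod admission.
# Assumed placeholders: ghcr.io/example-org/* and the example-org GitHub workflow identity.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-cosign-keyless-signatures
spec:
  # Enforce (not Audit): unsigned or wrongly-signed images are blocked, not just logged.
  validationFailureAction: Enforce
  # Fail closed if the webhook cannot reach the registry or Rekor in time.
  failurePolicy: Fail
  webhookTimeoutSeconds: 30
  background: false
  rules:
    - name: require-signed-images-from-approved-pipeline
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            # Only images from the organisation's registry namespace are in scope (assumed path).
            - "ghcr.io/example-org/*"
          # Rewrite mutable tags to the verified digest so the pod runs exactly what was checked.
          mutateDigest: true
          required: true
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Pin the Fulcio certificate identity to the approved build workflow
                    # (assumed org/workflow); a wildcard here would accept any GitHub signer.
                    subject: "https://github.com/example-org/*/.github/workflows/release.yaml@refs/heads/main"
                    # Pin the OIDC issuer so tokens from other identity providers are rejected.
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      # Public Rekor; replace with a self-hosted Rekor URL in sovereign or air-gapped deployments.
                      url: https://rekor.sigstore.dev
```

The signing side must use the matching identity: a `cosign sign` run from the pinned workflow produces a certificate whose subject and issuer satisfy this attestor, and `cosign verify` with the same `--certificate-identity` and `--certificate-oidc-issuer` values reproduces the check outside the cluster.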
