sigstore-signing

# Skill: Sigstore / cosign Signing > **Expertise:** cosign keyless signing (Sigstore), key-based signing, signature verification, Kyverno/OPA enforcement, Rekor transparency log. ## When to load When setting up image signing in CI, verifying signatures before deploy, or enforcing signature policies in K8s admission. ## Keyless Signing (OIDC — GitHub Actions) ```yaml # .github/workflows/sign.yml jobs: sign: runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write # ← required for keyless OIDC signing steps: - name: Install cosign uses: sigstore/cosign-installer@v3 - name: Build and push id: build uses: docker/build-push-action@v6 with: push: true tags: ghcr.io/myorg/order-service:${{ github.sha }} - name: Sign image (keyless) run: | cosign sign \ --yes \ ghcr.io/myorg/order-service@${{ steps.build.outputs.digest }} # Signature stored in Rekor transparency log # No private key needed — OIDC token proves identity ``` ## Key-Based Signing (when OIDC not available) ```bash # Generate signing key pair (do once; store private key in Vault) cosign generate-key-pair # Creates: cosign.key (private — store in Vault) + cosign.pub (public — commit to repo) # Sign with key cosign sign \ --key cosign.key \ registry.example.com/myorg/order-service:v1.2.3 # Sign in CI using secret cosign...