
Signature Verification
Sigstore-based image signing
All Chainguard images are cryptographically signed using Sigstore with keyless signing based on OIDC identity. Every signature is recorded in the public Rekor transparency log, so it cannot be forged or silently removed after the fact. Verification via cosign is natively supported by Kubernetes admission controllers such as Kyverno and OPA Gatekeeper.
- Enterprise-grade protection compliant with regulatory requirements and security standards
- Fast deployment with minimal resource overhead
- Dedicated support from a certified partner
- Easy integration with your existing infrastructure
Key features
- Keyless signing with Fulcio CA using OIDC identity without the need for key management
- Registration in the Rekor transparency log with an immutable signature history
- Verification via cosign CLI and Go, Python, and JavaScript libraries
- Native integration with Kyverno, OPA Gatekeeper, and Sigstore Policy Controller
- Timestamp Authority (TSA) support, so a signature remains verifiable after the short-lived signing certificate expires or the key is rotated
Business benefits
- Protection against tampered or substituted images through cryptographic verification of origin and integrity
- No key management overhead thanks to keyless architecture
- Automatic blocking of unsigned images at the Kubernetes level
- Public audit trail of all signatures for compliance and forensics
- Compliance with SLSA Level 3 for build provenance and integrity
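The keyless verification flow described under Key features, and the Kubernetes-level blocking of unsigned images listed above, expressed as a Kyverno ClusterPolicy. This is an added example, not Chainguard's or Kyverno's own published policy. The image pattern, the signer identity and the OIDC issuer are assumptions drawn from Chainguard's public documentation and should be confirmed before use; the Rekor URL is the public Sigstore instance.

```yaml
# Added example: Kyverno ClusterPolicy enforcing Sigstore keyless verification
# for Chainguard images before a Pod is admitted. Not Chainguard's or Kyverno's
# own policy; the image pattern and signer identity below are assumptions taken
# from Chainguard's public docs and must be confirmed for your environment.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-chainguard-image-signatures
spec:
  # Enforce: unsigned or wrongly signed images are rejected, not just reported.
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: chainguard-keyless
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            # Assumption: Chainguard's public registry path.
            - "cgr.dev/chainguard/*"
          # Rewrite the tag to the verified digest so a later tag move cannot
          # swap in a different, unverified image after admission.
          mutateDigest: true
          required: true
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Assumption (from Chainguard docs): images are signed by the
                    # release workflow of this GitHub repository, authenticated
                    # through the GitHub Actions OIDC issuer. Pinning BOTH the
                    # subject and the issuer is the security-relevant check: a
                    # Fulcio certificate alone only proves that someone with some
                    # OIDC identity signed, not that it was the expected builder.
                    subject: "https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: "https://rekor.sigstore.dev"
```

The same check at the command line is `cosign verify --certificate-identity=<subject> --certificate-oidc-issuer=<issuer> <image>`, with the same subject and issuer values. If the policy is first deployed with `validationFailureAction: Audit`, Kyverno reports which workloads would be blocked without rejecting them, which is a practical way to find images that are not signed by the pinned identity before switching to Enforce.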

Why Chainguard?
A leader in software supply chain security offering hardened container images with a minimal attack surface. Chainguard images are built from the ground up with a strong focus on security, regularly updated, and free from known CVEs.
Need Signature Verification in your organization?
As a certified Chainguard partner, we'll help you deploy and configure the solution.