In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-09-23 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >
Share
Shulou(Shulou.com)06/01 Report--
This article will explain in detail how to use the open source tools for Google release verification container. The editor thinks it is very practical, so I share it with you as a reference. I hope you can get something after reading this article.
Google recently released a new open source tool called cosign, which makes it easier to manage signatures and verify container images.
Google developed the cosign tool in partnership with the Linux Foundation's sigstore project, and Google says cosign's goal is to "make signatures an infrastructure that is not easy to follow."
Google says that all of its Distroless images have been signed using the open source tool, and that all Distroless users (including only images of the required applications and their dependencies) can easily check to see if they are using the underlying images they need.
Google also said it had integrated cosign into the Distroless CI system, translating Distroless's signature into another step in the Cloud Build effort responsible for building the image.
Google explained: "this extra step uses the cosign container image and the key pair stored in the GCP KMS to sign each Distroless image. With this additional signing step, users can now verify that the Distroless image they are running is built in the correct CI environment."
Cosign can be run as a CLI tool or mirror, supporting its own public key infrastructure (PKI,Public Key Infrastructure), hardware and KMS signing, Google's free OIDC PKI (Fulcio), and the built-in binary transparency and timestamp service (Rekor).
Kubernetes contributed by sigstore maintainers is already validating images with new tools, and Google revealed that Kubernetes SIG Release's goal is to create "a consumable, introspective and secure supply chain" for the project. Google plans to add more sigstore technologies to Distroless in the coming months.
This is the end of this article on "how to use the open source tools for Google release verification container". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
The market share of Chrome browser on the desktop has exceeded 70%, and users are complaining about
The world's first 2nm mobile chip: Samsung Exynos 2600 is ready for mass production.According to a r
A US federal judge has ruled that Google can keep its Chrome browser, but it will be prohibited from
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
About us Contact us Product review car news thenatureplanet
More Form oMedia: AutoTimes. Bestcoffee. SL News. Jarebook. Coffee Hunters. Sundaily. Modezone. NNB. Coffee. Game News. FrontStreet. GGAMEN
© 2024 shulou.com SLNews company. All rights reserved.
12
Report
