https://vo.rs/tags/sigstore/Sigstore - Tag - vo.rsHugo -- gohugo.ioenThis work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.Fri, 17 Oct 2025 14:00:00 +0000https://vo.rs/story/sigstore-and-cosign-verifying-container-images-before-they-run/<p>A container tag is a lie you&rsquo;ve agreed to believe. <code>nginx:latest</code> today and <code>nginx:latest</code> next week can be entirely different bytes, and a tag tells you nothing about who built the image or whether it&rsquo;s been swapped underneath you. The whole modern supply-chain panic — compromised build pipelines, typosquatted images, dependency confusion — comes down to that one weak link: we run images we can&rsquo;t actually verify. Sigstore, and its CLI <code>cosign</code>, is the most practical fix I&rsquo;ve adopted, mostly because it finally killed the part of signing that everyone hated: key management.</p>Fri, 17 Oct 2025 14:00:00 +0000