<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Cosign on Software Factory</title><link>/tags/cosign/</link><description>Recent content in Cosign on Software Factory</description><generator>Hugo</generator><language>en</language><atom:link href="/tags/cosign/index.xml" rel="self" type="application/rss+xml"/><item><title>Cosign</title><link>/use/tools/cosign/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/cosign/</guid><description>&lt;hr&gt;
&lt;p&gt;&lt;img src="/use/tools/cosign/img/cosign.png" alt="Cosign" title="cosign"&gt;&lt;/p&gt;
&lt;p&gt;Sigstore - Cosign - Cryptographic Signing tool&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="overview"&gt;Overview&lt;a class="td-heading-self-link" href="#overview" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;h3 id="what-is-code-signing"&gt;What is Code Signing?&lt;a class="td-heading-self-link" href="#what-is-code-signing" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;It&amp;rsquo;s a feature offered as a NextGen CICD step that can sign and verify software artifacts,
such as container images and blobs (including extra artifacts like SBOMs).&lt;/p&gt;
&lt;p&gt;Software Factory is offering the way to integrate code signing into your CI/CD pipeline
but it is not offering a key management or PKI service.
At this time there is no solution offered at Thales level for the PKI service
or encryption key management lifecycle so it is the project&amp;rsquo;s responsability to choose these tools.&lt;/p&gt;</description></item></channel></rss>