version v7.2.
For up-to-date documentation, see the
latest version.
Cosign
3 minute read

Sigstore - Cosign - Cryptographic Signing tool
Overview
What is Code Signing?
It’s a feature offered as a NextGen CICD step that can sign and verify software artifacts, such as container images and blobs (including extra artifacts like SBOMs).
Software Factory is offering the way to integrate code signing into your CI/CD pipeline but it is not offering a key management or PKI service. At this time there is no solution offered at Thales level for the PKI service or encryption key management lifecycle so it is the project’s responsability to choose these tools.
In the future we would like to offer an integration with such services, once they will exist at Thales level.
For now we support integration with Azure Key Vault but other key managers can be added if it is needed.
The software used for code signing is Cosign utility tool from Sigstore Sigstore is an open source project for improving software supply chain security.
The Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more.
NEEDS AND REQUIREMENTS
Why cryptographic signing and why you should use it?
In a landscape of growing software supply chain vulnerability, unsigned software is at risk for several attack vectors, such as:
- Typosquatting packages with similar names
- Compromised site where package is hosted
- Tampering after being published
Digital signatures are a way to verify the authenticity of a software artifact.
Software consumers can trace software back to the source to know who created the artifact and that it has not been altered or tampered with after it was signed.
For more information about Sigstore, see Why Cryptographic Signing .
LIST OF FEATURES
| Feature Name | Level of availability (EA/GA) | Description |
|---|---|---|
| Sign an artifact with a generated keypair | EA | Sign/Verify with Cosign generated keypairs |
| Sign an artifact with your own keypair | EA | Sign/Verify with your own keypair stored in Azure Key Vault |
Note: Cosign supports RSA, ECDSA, and ED25519 keys. For RSA, Cosign only supports RSA PKCS#1.5 padded keys.
Get Started
After having access to Software Factory, you can use the NextGen CICD Step through the GUI and add steps in your pipeline to sign your artifacts. See the Cosign pipeline where signing steps are implemented.
How to
How to subscribe?
via Software-factory > get-access
Or for Inner Source users, Join Thales Inner Source community
Fill in the form
Send the request
What is the pricing ?
Code Signing is included in the DevSecOps package .
Service level and operations information
Service Level
Please see service-level-and-operation-information
DRP (Disaster Recovery Plan)
Included in GitLab.
Service Monitoring
Included in GitLab.
Service Maintenance
RACI
- Responsible, Accountable, Consulted, Informed
| Action | Description | Factory Support | Software Solution | Business admin | Project team admin | Project team member | Request * |
|---|---|---|---|---|---|---|---|
| Use of NextGen CICD Code Signing step | Sign and verify container images and files | A | R | N/A | |||
| Management of cryptographic keys | The generation, distribution and destruction of keys that will be used to sign artefacts | R/A | R | N/A | |||
| Key storage and access | The safe storage and access to the keys for the NextGen CICD Code Signing step | R/A | R | N/A |