📯 As one of the fans of both @GoReleaser and #ko projects, I'm super excited to see that #ko support has finally landed in #GoReleaser! 🥳
😏 Yep, you heard that right! That means you can build your @OCI_ORG images with #ko while still using #GoReleaser!
✍️ You can even sign the images you built with #ko using #cosign support!
🌟 I'm writing a blog post about that, but you can use the following documentation to start learning more about the integration between the two ↙️
https://goreleaser.com/customization/ko/
How to sign images and artifacts on GitLab CI
https://docs.gitlab.com/ee/ci/yaml/signing_examples.html
#sigstore #gitlabci #gitlab #cosign #securesoftwaresupplychain
💊Every treatment starts with accepting the diagnosis! Embrace the truth☝️
"You can be the next victim of the Software Supply Chain Attacks" UNLESS...
✍️Sign your software (#cosign)
🔔Do vulnerability scanning (#trivy #grype)
🚨 Protection at runtime (#kyverno #policycontroller)
#Cosign #trivy #grype #kyverno #policycontroller
I've corrected the #cosign signing part in @github Actions starter workflows for @Docker Publish workflow to be able to prevent risks of script injection by using intermediate environment variables, details🧵
1⃣ Here is the PR for you if you want to take a look at the details about the improvement:
https://github.com/actions/starter-workflows/pull/2048/files
2⃣ Also you can have a look at the @github's official documentation to understand the problem better: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
I'm super glad to see that two of the great projects, #falcoctl and #paranoia, are now signed by another awesome project by @sigstore ✍️#cosign and have made 💃#SLSA provenance available, thanks to @JamesLaverack and Luca Guerra! 🚀
1️⃣https://github.com/jetstack/paranoia/pull/91/files
2️⃣https://github.com/falcosecurity/falcoctl/pull/286
#falcoctl #paranoia #Cosign #SLSA
🚀The long-awaited task of @gitlab OIDC support has been rolled out to staging. You can visit the page for the flag values if you're using #cosign, thanks Hayden Blauzvern for bringing it to our attention! 🥳
@cpanato already created an example🎖️
https://gitlab.com/cpanato/testing-cosign
☝️🛎️I'm glad to announce that the #tracee project by @aquasecteam is signed by #cosign by @sigstore to guarantee that it has not been tampered with by having strong integrity ⛓️🆔
https://github.com/aquasecurity/tracee/pull/2607
This is a really great blog post by the Virtru Platform Engineering team in which they talk about the strategies to secure their software supply chain by using open-source tools @sigstore
@kyverno🥇
#cosign #sigstore #projectsigstore #kyverno #softwaresupplychainsecurity #supplychainsecurity
📢You can check out our talk at KCD Pakistan with @furkanturkal about creating a secure base image with #apko using @wolfi packages, using it with #ko to build OCI-compliant container images, signing them with #cosign in keyless mode, and verifying them with #kyverno
➡️ https://www.youtube.com/watch?v=W1Xct6ZtmHo
@Alexander_R #cosign! I mean, the US has A TON of #Nazis, so, wtf if Ukraine uses a few aryan nutbags of their own as target practise for Russian soldiers (who need the practise)? They've just been looking for something to fight for—for glory. I can't imagine white nationalists fighting for a democracy headed by a prominently jewish Jew, and doing it all for the end purpose of fulfilling Hitler's ambitions. Sorry...no. Not buying it. #Ukraine
@beltranrubo so glad to hear that; what about signing these with #cosign as a next step, I can do that for you :blobfoxdealwithitfingerguns:
🌟Great repository template by @mchmarny about the showcase of building an @oci_org image with #ko, signing with #cosign using #KMS, generating #SLSA provenance using slsa-github-generator and verifications with policy-controller by @sigstore🔥 ➡️ https://github.com/mchmarny/s3cme/
If you missed the event organized by @chainguard_dev yesterday about #gitsign, #cosign, #tektoncd, and #chains, don't worry; you can still watch it on demand on the Crowdcast platform 👇 Thx to @strongjz for a fantastic talk 👏
https://www.crowdcast.io/c/software-signing
#Gitsign #Cosign #tektoncd #chains
Wow 🤩 from v1.26 on, @kubernetesio is starting to sign release artifacts too, in addition to the container images, of course using the @sigstore #cosign tool 🙈 don't forget to read this blog post to learn more about the process 👇
https://kubernetes.io/blog/2022/12/12/kubernetes-release-artifact-signing/
RT @saschagrunert@twitter.com
Kubernetes v1.26.0-rc.1 released yesterday! 🥳
Do you know that you can already verify all binary artifacts using #cosign:
tlog entry verified with uuid: 5d54b39222e3fa9a21bcb0badd8aac939b4b0d1d9085b37f1f10b18a8cd24657 index: 8173886
Verified OK
https://gist.github.com/saschagrunert/76558f6787b7c848fbd52c11119d68d8
🐦🔗: https://twitter.com/saschagrunert/status/1598320686526775298
@anderseknert I think @sigstore #cosign can be part of this signing flow. The sign-blob command can be used while signing the bundle?