Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Google Releases Open Source Tool for Verifying Containers

Google has released a new open-source tool called cosign to make it easier to manage the process of signing and verifying container images.

Google has released a new open-source tool called cosign to make it easier to manage the process of signing and verifying container images.

Developed in collaboration with Linux Foundation’s sigstore project, the company said the motivation for cosign is “to make signatures invisible infrastructure.” 

Google says all of its distroless images have been signed using the open source tool and that all users of distroless (images that only contain the required application and its dependencies) can easily check whether they are using the base image they are looking for.


The Internet giant says it has integrated cosign into the distroless CI system, thus transforming the signing of distroless into just another step in the Cloud Build job responsible for building images.


“This additional step uses the cosign container image and a key pair stored in GCP KMS to sign every distroless image. With this additional signing step, users can now verify that the distroless image they’re running was built in the correct CI environment,” Google explains.


Cosign, which can be run either as a CLI tool or as an image, supports own Public Key Infrastructure (PKI), hardware and KMS signing, Google’s free OIDC PKI (Fulcio), and a built-in binary transparency and timestamping service (Rekor).


Kubernetes, to which sigstore maintainers contribute, is already verifying images with the new tool and Google reveals that Kubernetes SIG Release is aiming to create “a consumable, introspectable, and secure supply chain for the project.”


Google plans to add additional sigstore technologies into distroless in the coming months.


Related: Adobe Releases Open Source Anomaly Detection Tool “OSAS”


Related: Library Dependencies and Open Source Supply Chain Security

Related: Google Launches Database for Open Source Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.