• Rekor - tamper-resistant, append-only transparency log of software metadata (signatures, attestations, artifact digests).
    • Interested parties query the log to decide whether or not to deploy: an entry proves that a given signature was recorded at a given time.
    • It comes with a command line tool, rekor-cli.
    • Uses Trillian, a Merkle-tree based, cryptographically verifiable data store: clients check inclusion and consistency proofs against the signed tree head, so an entry cannot be altered or removed without detection.
  • Fulcio - a free root CA for code signing certificates; it binds an OIDC identity (an email address or a CI workload identity) to a signing key.
    • It produces short-lived certificates, valid for 10 minutes, so there is no long-term signing key to protect or revoke.
    • Because the certificate expires quickly, a signature is trusted by checking the Rekor entry, which shows the signature was made while the certificate was valid.
  • Cosign - container image signing and verification; signatures are stored in the registry next to the image.
    • this is available in a container from
    • In keyless mode, Cosign requests a short-lived certificate from Fulcio for an ephemeral key, signs the image with that key, and uploads the signature and certificate to Rekor; verification checks the certificate chain, the expected signer identity and the Rekor entry.
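Worked example of the property the notes rely on for Rekor and Trillian: a Merkle-tree log publishes a root hash, and anyone holding an entry plus its audit path can recompute that root, so a modified entry fails verification. This is illustrative code added here, not Rekor or Trillian source; it follows the RFC 6962 hashing rules (SHA-256, 0x00 prefix for leaves, 0x01 for interior nodes) and the RFC 9162 inclusion-proof check. The log entries are constructed sample records, not real Rekor data.

```python
"""Minimal RFC 6962 Merkle tree with inclusion proofs (added example, not Rekor/Trillian code)."""
import hashlib
from typing import List


def leaf_hash(data: bytes) -> bytes:
    # Domain separation: a leaf is hashed with a 0x00 prefix.
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior nodes use a 0x01 prefix so a leaf can never masquerade as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 'k'); requires n >= 2."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def root_hash(leaves: List[bytes]) -> bytes:
    """Merkle Tree Hash (MTH) over the entries in log order."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split_point(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Audit path for leaves[index]: sibling subtree hashes ordered from leaf to root."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [root_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [root_hash(leaves[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Verifier side: recompute the root from the entry and its audit path,
    knowing only the published tree size and root hash (RFC 9162 s2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:            # path is longer than the tree allows
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:     # we are the lone right-hand node at this level
                while fn & 1 == 0 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed sample entries standing in for Rekor records (artifact digest plus
# signer identity). The digests and addresses are made up for this example.
LOG_ENTRIES = [
    b"sha256:1111 signed-by=ci@example.com",
    b"sha256:2222 signed-by=ci@example.com",
    b"sha256:3333 signed-by=release@example.com",
    b"sha256:4444 signed-by=ci@example.com",
    b"sha256:5555 signed-by=ci@example.com",
]


def demo():
    """Return (honest_verifies, tampered_verifies) for entry 2 of the sample log."""
    root = root_hash(LOG_ENTRIES)      # the published tree head
    size = len(LOG_ENTRIES)
    proof = inclusion_proof(LOG_ENTRIES, 2)
    honest = verify_inclusion(LOG_ENTRIES[2], 2, size, proof, root)
    # Someone who swaps the recorded signer cannot make the same proof match the root.
    forged = b"sha256:3333 signed-by=attacker@example.com"
    tampered = verify_inclusion(forged, 2, size, proof, root)
    return honest, tampered


if __name__ == "__main__":
    print("honest entry verifies: %s, tampered entry verifies: %s" % demo())
```

A deployment gate (the "interested party" above) would fetch the entry and its proof from the log, obtain the signed tree head independently, and only proceed when verify_inclusion returns True for the expected signer identity; the real Rekor client additionally checks the log's signature over the tree head and consistency between successive tree heads.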

Basic demo on OpenShift