- Rekor - tamper-resistant ledger of software metadata.
- Interested parties query the ledger to decide whether to deploy or not.
- It comes with a command line tool.
- Uses Trillian, a cryptographically verifiable data store.
- Fulcio - a free root CA for code signing certificates.
- It produces certificates that are valid for 20 minutes.
- Code signing CA.
- Cosign - container signing.
- This is available in a container.
- Uses a certificate from Fulcio to sign an image.
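An added example (not Rekor's, Trillian's or any Sigstore project's code): a simplified RFC 6962-style Merkle log showing what makes the ledger tamper-resistant, namely that a party holding only a trusted tree head and an inclusion proof can check that an entry is in the log, and that an altered entry fails the check. The entries are constructed sample data, not real Rekor records.

```python
import hashlib

def leaf_hash(data: bytes) -> bytes:
    # Leaf hash with the RFC 6962 domain-separation prefix 0x00
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior node hash with the RFC 6962 prefix 0x01
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2), the RFC 6962 split point
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(hashes: list) -> bytes:
    if len(hashes) == 1:
        return hashes[0]
    k = _split(len(hashes))
    return node_hash(merkle_root(hashes[:k]), merkle_root(hashes[k:]))

def inclusion_proof(hashes: list, m: int) -> list:
    # Sibling hashes, leaf level first, that together with leaf m rebuild the root
    n = len(hashes)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(hashes[:k], m) + [merkle_root(hashes[k:])]
    return inclusion_proof(hashes[k:], m - k) + [merkle_root(hashes[:k])]

def verify_inclusion(root: bytes, size: int, m: int, entry: bytes, path: list) -> bool:
    # The verifier holds only the trusted root, the entry and the proof; it recomputes
    # the root and accepts the entry only if the two match.
    def rebuild(n: int, idx: int, p: list) -> bytes:
        if n == 1:
            return leaf_hash(entry) if not p else b""   # leftover siblings: invalid
        if not p:
            return b""                                   # proof too short: invalid
        k = _split(n)
        if idx < k:
            return node_hash(rebuild(k, idx, p[:-1]), p[-1])
        return node_hash(p[-1], rebuild(n - k, idx - k, p[:-1]))
    return 0 <= m < size and rebuild(size, m, path) == root

def demo() -> tuple:
    # Constructed sample ledger entries, not real Rekor records
    entries = [f"sha256:{c * 4} signed-by user{i}@example.com".encode() for i, c in enumerate("abcde")]
    hashes = [leaf_hash(e) for e in entries]
    root = merkle_root(hashes)            # the published tree head a verifier trusts
    proof = inclusion_proof(hashes, 2)
    genuine = verify_inclusion(root, len(entries), 2, entries[2], proof)
    tampered = verify_inclusion(root, len(entries), 2, entries[2] + b" (edited)", proof)
    return genuine, tampered              # (True, False)
```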
Basic demo on OpenShift