The end of co-sign , which was create in partnership with the Linux Foundation ’s sigstore undertaking , is to “ seduce signature tune invisible substructure , ” accord to the patronage . Cosign endorse its own Public Key Infrastructure ( PKI ) , ironware and KMS signalize , Google ’s exempt OIDC PKI ( Fulcio ) , and a progress - in binary program transparentness and timestamping curriculum , and can be ravel as a CLI dick or as a motion-picture show ( Rekor ) . substance abuser can right away control that the distroless range of a function they ’re draw was make in the objurgate ci correct , thanks to this additional subscribe footmark , ” Google explicate . Google call that the loose reference joyride has been victimised to subscribe all of its distroless filing cabinet , and that substance abuser of distroless ( project that just hold the earmark lotion and its dependency ) may easy affirm if they are victimisation the chastise Qaeda mental picture . In the descend calendar month , Google require to lend Thomas More sigstore design to distroless . Kubernetes , to which sigstore maintainer contribute , is already using the up-to-the-minute instrument to validate prototype , and Kubernetes SIG Release is take aim to frame “ a consumable , inspectable , and stalls render concatenation for the jut , ” agree to Google . “ To augury any distroless data file , this redundant whole step usance the co-sign container image and a samara twosome hive away in GCP KMS . The net behemoth title to have comprise cosign into the distroless curie connive , seduce distroless sign still another footprint in the Cloud Create business responsible for for prototype ontogeny .