Google has released a new open-source tool called cosign that allows to sign, verify container images. The tool was developed in collaboration with the Linux Foundations sigstore project. The IT giant used the tool to sign its Distroless images and the users could verify them using the cosign tool. Google will integrate new additional technologies into the distroless in the next months. It aims to establish a consumable, introspectable, and secure supply chain for the project.”]
Source: https://securityaffairs.co/wordpress/117774/security/google-cosign-sign-verify-containers.html

