This doc covers feature stability in cosign as described in the API Stability Policy for Sigstore.
- Keyless signing using the
FulcioCA - Storing signatures in a transparency log
- The
pkg/cosign/ociclient library
Some formats that cosign relies upon are not stable yet either:
- The SBOM specification for storing SBOMs in a container registry
- The In-Toto attestation format
- All cosign subcommands, including flags and output
- fixed, text-based keys generated using
cosign generate-key-pair - cloud KMS-based keys generated using
cosign generate-key-pair -kms - keys generated on hardware tokens using the PIV interface using
cosign piv-tool - Kubernetes-secret based keys generated using
cosign generate-key-pair k8s://namespace/secretName
- OCI and Docker Images
- Other artifacts that can be stored in a container registry, including:
- Tekton Bundles
- Helm Charts
- WASM modules
- Text files and other binary blobs, using
cosign sign-blob