Good news! We've added support for Cosign to the Cloudsmith OCI registry. Cosign is part of the open-source project sigstore, which makes it easy for developers to sign releases and for users to verify them.
With this integration, Cloudsmith customers can sign OCI artifacts using Cosign and push the generated signature into Cloudsmith, where it is stored alongside the signed artifact. Cosign binds a signature to the image's content digest (the `sha256:...` manifest digest), not to a mutable tag, and Cloudsmith maintains the link between the image and its signature. A consumer pulling the image can therefore resolve the tag to a digest, fetch the matching signature, and verify that what they received is byte-for-byte what the signer signed: nothing has altered the image in transit or at rest in the registry since it was signed.
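To make concrete what a Cosign signature actually binds, the following is an added example in Go (it is not Cloudsmith's or Cosign's own code) that reproduces the core of `cosign sign` and `cosign verify` with only the Go standard library: it builds the Simple Signing payload over a repository name and manifest digest, signs it with an ECDSA P-256 key (the key type `cosign generate-key-pair` produces), derives the `sha256-<hex>.sig` tag under which Cosign stores the signature next to the image, and verifies on the consumer side. The repository name and digest are constructed for the example; no registry is contacted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Payload is the Simple Signing document Cosign signs for a container image.
// The critical block ties the signature to a repository and a manifest digest,
// never to a tag, which is why moving a tag cannot re-use an old signature.
type Payload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]string `json:"optional"`
}

const cosignPayloadType = "cosign container image signature"

// BuildPayload binds a signature to a repository and a manifest digest.
// It refuses anything that is not a sha256 digest, because signing a tag
// would sign whatever the tag happens to point at later.
func BuildPayload(repo, digest string) ([]byte, error) {
	if !strings.HasPrefix(digest, "sha256:") || len(digest) != len("sha256:")+64 {
		return nil, fmt.Errorf("refusing to sign non-digest reference %q", digest)
	}
	var p Payload
	p.Critical.Identity.DockerReference = repo
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = cosignPayloadType
	return json.Marshal(p)
}

// SignatureTag is the tag Cosign uses to store a signature beside the image:
// sha256:<hex> becomes sha256-<hex>.sig in the same repository.
func SignatureTag(digest string) string {
	return strings.Replace(digest, ":", "-", 1) + ".sig"
}

// GenerateKey mirrors `cosign generate-key-pair`: an ECDSA P-256 key.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign produces the ASN.1 DER ECDSA signature over SHA-256(payload),
// the same shape of signature Cosign stores on the .sig artifact.
func Sign(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify does what a consumer must do at point of use: check the signature
// over the stored payload, then check that the digest inside the payload is
// the digest the registry actually resolved for the image being pulled.
func Verify(pub *ecdsa.PublicKey, payload, sig []byte, resolvedDigest string) error {
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify under this public key")
	}
	var p Payload
	if err := json.Unmarshal(payload, &p); err != nil {
		return fmt.Errorf("malformed payload: %w", err)
	}
	if p.Critical.Type != cosignPayloadType {
		return fmt.Errorf("unexpected payload type %q", p.Critical.Type)
	}
	if p.Critical.Image.DockerManifestDigest != resolvedDigest {
		return fmt.Errorf("signature is for %s, but the registry served %s",
			p.Critical.Image.DockerManifestDigest, resolvedDigest)
	}
	return nil
}

func main() {
	const repo = "docker.cloudsmith.io/acme/prod/app" // hypothetical repository name
	digest := "sha256:" + strings.Repeat("ab", 32)    // constructed manifest digest
	priv, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	payload, err := BuildPayload(repo, digest)
	if err != nil {
		panic(err)
	}
	sig, err := Sign(priv, payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature stored at", repo+":"+SignatureTag(digest))
	fmt.Println("genuine image:", Verify(&priv.PublicKey, payload, sig, digest))
	// A tag that has been moved to a different image fails even though the
	// stored signature is still perfectly valid for the old digest.
	moved := "sha256:" + strings.Repeat("cd", 32)
	fmt.Println("tag moved to a new digest:", Verify(&priv.PublicKey, payload, sig, moved))
}
```

The point the example drives home is that `Verify` needs two things from the consumer: the public key they trust and the digest the registry resolved for the image they are about to run. A signature that verifies cryptographically but names a different digest is rejected, which is exactly how the link Cloudsmith keeps between an image and its `.sig` artifact turns into an end-to-end integrity check.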
Signing your packages lets users check who published a package and that it has not been altered since it was signed, whether they download it directly or pull it in as a dependency. A valid signature vouches for origin and integrity, not for the code itself, so verification complements rather than replaces vulnerability scanning and review. Cloudsmith also supports specifying a custom GPG or RSA key if that's your organization's preferred method for signing.