{"id":520,"date":"2023-12-28T10:00:00","date_gmt":"2023-12-28T10:00:00","guid":{"rendered":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/"},"modified":"2023-12-28T10:00:00","modified_gmt":"2023-12-28T10:00:00","slug":"devsecops-sigstore-cosign","status":"publish","type":"post","link":"https:\/\/jacar.es\/en\/devsecops-sigstore-cosign\/","title":{"rendered":"Practical DevSecOps with Sigstore and cosign"},"content":{"rendered":"<p><strong><a href=\"https:\/\/www.sigstore.dev\/\">Sigstore<\/a><\/strong> and its CLI <strong><a href=\"https:\/\/github.com\/sigstore\/cosign\">cosign<\/a><\/strong> have been transitioning from experiment to infrastructure for two years. Today large projects \u2014 Kubernetes, Istio, NPM with provenance, Python via PEP 740 \u2014 sign artifacts through the Sigstore chain. But between \u201cit exists\u201d and \u201cmy team uses it well\u201d there\u2019s still a gap. This article is about closing that gap: signing images and binaries in a way that the signature <em>means<\/em> something and doesn\u2019t become another checkbox.<\/p>\n<h2 id=\"what-sigstore-actually-does\">What Sigstore Actually Does<\/h2>\n<p>Sigstore is three pieces that fit together:<\/p>\n<ul>\n<li><strong>cosign<\/strong>: the CLI that signs and verifies artifacts (OCI images, blobs, SBOMs and other attestations).<\/li>\n<li><strong>Fulcio<\/strong>: a certificate authority issuing short-lived certs (~10 minutes) bound to an OIDC identity \u2014 your GitHub, Google, or corporate identity provider. The identity (an e-mail address or, for CI, a workflow URL) and the issuer that vouched for it are written into the certificate.<\/li>\n<li><strong>Rekor<\/strong>: an append-only transparency log (a Merkle tree) that records each certificate and signature with a signed timestamp, so a verifier can later prove the signature was produced while the short-lived cert was still valid.<\/li>\n<\/ul>\n<p>The practical magic: <strong>you don\u2019t manage persistent private keys<\/strong>. You sign with an identity (OIDC), get an ephemeral cert, sign, the cert expires, and the Rekor entry remains for anyone to verify later.<\/p>\n<p>This <em>keyless<\/em> model removes the biggest source of signing incidents: long-lived private keys that get leaked, copied or lost. In return, it introduces dependency on Sigstore\u2019s public infrastructure \u2014 or the need to deploy your own instance if you have strict requirements. It also moves the trust to the identity provider and to whatever can obtain its tokens: a CI job that can request an OIDC token can sign in your name, so the permissions of that job now matter as much as key custody once did.<\/p>\n<h2 id=\"signing-an-oci-image\">Signing an OCI Image<\/h2>\n<p>The most common use case: signing a Docker\/OCI image after building. Sign the <strong>digest<\/strong>, not the tag: a tag can be moved to a different image later, a digest cannot, and cosign prints a warning about exactly this when handed a tag.<\/p>\n<div class=\"sourceCode\" id=\"cb1\">\n<pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb1-1\"><a href=\"#cb1-1\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"co\"># Build + push as usual<\/span><\/span>\n<span id=\"cb1-2\"><a href=\"#cb1-2\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"ex\">docker<\/span> build <span class=\"at\">-t<\/span> registry.example.com\/myapp:1.2.3 .<\/span>\n<span id=\"cb1-3\"><a href=\"#cb1-3\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"ex\">docker<\/span> push registry.example.com\/myapp:1.2.3<\/span>\n<span id=\"cb1-4\"><a href=\"#cb1-4\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><\/span>\n<span id=\"cb1-5\"><a href=\"#cb1-5\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"co\"># Resolve the tag to the digest the registry stored (the repo@sha256 form)<\/span><\/span>\n<span id=\"cb1-6\"><a href=\"#cb1-6\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"va\">DIGEST<\/span><span class=\"op\">=<\/span><span class=\"va\">$(<\/span><span class=\"ex\">docker<\/span> inspect <span class=\"at\">--format<\/span> <span class=\"st\">'{{index .RepoDigests 0}}'<\/span> registry.example.com\/myapp:1.2.3<span class=\"va\">)<\/span><\/span>\n<span id=\"cb1-7\"><a href=\"#cb1-7\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><\/span>\n<span id=\"cb1-8\"><a href=\"#cb1-8\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"co\"># Keyless sign with cosign (uses the ambient OIDC token; --yes skips the prompt)<\/span><\/span>\n<span id=\"cb1-9\"><a href=\"#cb1-9\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"ex\">cosign<\/span> sign <span class=\"at\">--yes<\/span> <span class=\"st\">\"<\/span><span class=\"va\">$DIGEST<\/span><span class=\"st\">\"<\/span><\/span><\/code><\/pre>\n<\/div>\n<p>Cosign looks for ambient OIDC credentials in CI (GitHub Actions, GitLab CI and other providers that expose a workload token) and otherwise opens a browser login for a human identity; in CI pass <code>--yes<\/code> so there is no interactive prompt for the job to hang on. 
The signature is pushed to the same repository as its own OCI artifact, tagged <code>sha256-&lt;digest&gt;.sig<\/code> alongside the image (on OCI 1.1 registries cosign can instead attach it through the Referrers API). Because it is bound to the digest, re-tagging the image does not detach it, and anyone who can pull the image can pull the signature with the same credentials.<\/p>\n<p>Verify. For a GitHub Actions signer the certificate identity is the <strong>workflow ref<\/strong> (<code>example-org\/myapp<\/code> below stands in for your repository), not an e-mail address: an e-mail identity comes from a human OIDC login (issuer <code>https:\/\/accounts.google.com<\/code> or <code>https:\/\/github.com\/login\/oauth<\/code>), and accepting one in a production gate means accepting signatures made from developer laptops.<\/p>\n<div class=\"sourceCode\" id=\"cb2\">\n<pre class=\"sourceCode bash\"><code class=\"sourceCode bash\"><span id=\"cb2-1\"><a href=\"#cb2-1\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"co\"># In CI, pass the repo@sha256 reference you signed instead of the tag<\/span><\/span>\n<span id=\"cb2-2\"><a href=\"#cb2-2\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"ex\">cosign<\/span> verify registry.example.com\/myapp:1.2.3 <span class=\"dt\">\\<\/span><\/span>\n<span id=\"cb2-3\"><a href=\"#cb2-3\" aria-hidden=\"true\" tabindex=\"-1\"><\/a>  <span class=\"at\">--certificate-identity<\/span><span class=\"op\">=<\/span>https:\/\/github.com\/example-org\/myapp\/.github\/workflows\/release.yml@refs\/tags\/v1.2.3 <span class=\"dt\">\\<\/span><\/span>\n<span id=\"cb2-4\"><a href=\"#cb2-4\" aria-hidden=\"true\" tabindex=\"-1\"><\/a>  <span class=\"at\">--certificate-oidc-issuer<\/span><span class=\"op\">=<\/span>https:\/\/token.actions.githubusercontent.com<\/span><\/code><\/pre>\n<\/div>\n<p>Verification is <strong>not<\/strong> \u201cdoes it have a signature?\u201d. It\u2019s \u201cdoes it have a signature <strong>from the identity I expect<\/strong>, vouched for by the issuer I expect?\u201d. In keyless mode cosign refuses to verify without both flags, and for good reason: without the identity part, a signature is decoration. Behind the scenes cosign also checks that the Rekor entry\u2019s timestamp falls inside the certificate\u2019s ten-minute validity window, which is what lets a long-expired cert still vouch for an image years later.<\/p>\n<h2 id=\"integrating-into-a-real-pipeline\">Integrating into a Real Pipeline<\/h2>\n<p>Three patterns that work for high-volume teams:<\/p>\n<ul>\n<li><strong>Auto-sign in CI<\/strong>: every successful build signs. The workflow needs permission to request an OIDC token from its CI provider (on GitHub Actions, <code>id-token: write<\/code>); Fulcio trusts that token. Grant it to the release job only, because whatever can mint the token can sign as that workflow. If the build passes, signing is free.<\/li>\n<li><strong>Policy in admission controller<\/strong>: <strong><a href=\"https:\/\/kyverno.io\/\">Kyverno<\/a><\/strong> (<code>verifyImages<\/code> rules), Sigstore\u2019s own <strong><a href=\"https:\/\/github.com\/sigstore\/policy-controller\">policy-controller<\/a><\/strong>, or <strong><a href=\"https:\/\/open-policy-agent.github.io\/gatekeeper\/\">Gatekeeper<\/a><\/strong> backed by an external-data provider such as Ratify, reject pods whose image isn\u2019t signed by authorized identities. The policy states issuer and identity, the same pair as the verify command above, and should also rewrite the pod to the verified digest so a later tag move cannot swap the image underneath it.<\/li>\n<li><strong>Verification in GitOps<\/strong>: <strong><a href=\"https:\/\/fluxcd.io\/\">Flux<\/a><\/strong> verifies cosign signatures on OCI sources (<code>OCIRepository<\/code>, OCI <code>HelmRepository<\/code>) before reconciling; <strong><a href=\"https:\/\/argo-cd.readthedocs.io\/\">Argo CD<\/a><\/strong> verifies GPG-signed Git commits but not cosign image signatures on its own, so with Argo the image check belongs in the cluster\u2019s admission policy. 
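<p>To make the \u201cidentity, not just signature\u201d rule concrete, here is an added example that is not code from the original post or from the cosign project: a small Python gate that consumes what <code>cosign verify -o json<\/code> prints and accepts an image digest only when some signature on it comes from an (issuer, identity) pair in a versioned allowlist, then extracts the Rekor log index as evidence for the deployment record. cosign\u2019s own <code>--certificate-identity<\/code> and <code>--certificate-oidc-issuer<\/code> flags make this decision for one identity per call; the gate shows the same check against a list, and what a plain \u201chas a signature\u201d test would let through. The JSON shape (<code>critical<\/code>\/<code>optional<\/code> with <code>Issuer<\/code>, <code>Subject<\/code> and <code>Bundle<\/code>) is the one cosign 2.x emits for keyless signatures; the organisation, repository, digest and Rekor values are constructed for the example.<\/p>

```python
"""Policy gate over `cosign verify -o json` output.

Added example, not code from the original post or from the cosign project.
Assumes the JSON cosign 2.x prints for keyless signatures: a list of entries
with critical.image.docker-manifest-digest and optional.Issuer / Subject /
Bundle.Payload.logIndex. The organisation, repository, digest and Rekor values
are constructed for the example.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# The authorized-identity list the post says should be versioned in Git.
# Each rule pins the OIDC issuer AND an anchored regexp on the certificate
# identity (SAN). For GitHub Actions the identity is the workflow ref, so the
# regexp pins repository, workflow file and a release tag, never a branch.
ALLOWED_SIGNERS = [
    {
        "issuer": "https://token.actions.githubusercontent.com",
        "identity_re": r"https://github\.com/example-org/myapp/\.github/workflows/release\.yml"
                       r"@refs/tags/v\d+\.\d+\.\d+",
    },
]


@dataclass
class Verdict:
    ok: bool
    reason: str
    digest: str = ""
    log_index: Optional[int] = None  # Rekor evidence to keep with the deploy record


def evaluate(verify_json: str, expected_digest: str, allowed=ALLOWED_SIGNERS) -> Verdict:
    """ok=True only for a keyless signature over expected_digest whose
    (issuer, identity) matches a rule and which carries a Rekor bundle."""
    try:
        sigs = json.loads(verify_json)
    except json.JSONDecodeError:
        return Verdict(False, "verify output is not JSON")
    if not isinstance(sigs, list) or not sigs:
        return Verdict(False, "no signatures in verify output")
    for sig in sigs:
        crit = sig.get("critical") or {}
        opt = sig.get("optional") or {}
        digest = (crit.get("image") or {}).get("docker-manifest-digest", "")
        if digest != expected_digest:
            continue  # a signature over some other digest is no evidence for this one
        issuer, subject = opt.get("Issuer"), opt.get("Subject")
        if not issuer or not subject:
            continue  # key-based or malformed entry; this gate only accepts keyless
        for rule in allowed:
            if issuer == rule["issuer"] and re.fullmatch(rule["identity_re"], subject):
                log_index = ((opt.get("Bundle") or {}).get("Payload") or {}).get("logIndex")
                if log_index is None:
                    return Verdict(False, "authorized identity but no Rekor bundle", digest)
                return Verdict(True, "signed by " + subject, digest, int(log_index))
    return Verdict(False, "no signature from an authorized identity for this digest")


# Constructed samples of what `cosign verify -o json` prints (values made up).
IMAGE_DIGEST = "sha256:" + "a1" * 32


def sample(issuer: str, subject: str, with_bundle: bool = True) -> str:
    sig = {
        "critical": {
            "identity": {"docker-reference": "registry.example.com/myapp"},
            "image": {"docker-manifest-digest": IMAGE_DIGEST},
            "type": "cosign container image signature",
        },
        "optional": {"Issuer": issuer, "Subject": subject},
    }
    if with_bundle:
        sig["optional"]["Bundle"] = {
            "SignedEntryTimestamp": "constructed",
            "Payload": {"body": "constructed", "integratedTime": 1703757600,
                        "logIndex": 58123456, "logID": "constructed"},
        }
    return json.dumps([sig])


RELEASE_RUN = sample("https://token.actions.githubusercontent.com",
                     "https://github.com/example-org/myapp/.github/workflows/release.yml@refs/tags/v1.2.3")
# A developer signing from a laptop with a Google login: a valid Sigstore
# signature with the wrong identity. "Has a signature" accepts it; this does not.
DEV_LAPTOP = sample("https://accounts.google.com", "dev@example.com")
# Same workflow file, but run from a branch instead of a release tag.
BRANCH_RUN = sample("https://token.actions.githubusercontent.com",
                    "https://github.com/example-org/myapp/.github/workflows/release.yml@refs/heads/main")

if __name__ == "__main__":
    for name, out in [("release", RELEASE_RUN), ("dev laptop", DEV_LAPTOP), ("branch", BRANCH_RUN)]:
        v = evaluate(out, IMAGE_DIGEST)
        print("%-10s ok=%s log_index=%s (%s)" % (name, v.ok, v.log_index, v.reason))
```

<p>In a pipeline the input comes from <code>cosign verify -o json<\/code> run on the digest reference (with the identity flags cosign requires; the gate is the second, list-driven check), and the returned <code>log_index<\/code> goes into the deployment record. Rejecting a certificate whose identity is a branch ref, as the third sample does, is what stops a feature branch from signing a production image with the very same workflow file.<\/p>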
Signatures become real gatekeepers.<\/li>\n<\/ul>\n<p>The common error is signing without verifying at deployment. Signing without verification is work without benefit.<\/p>\n<h2 id=\"signing-sboms-and-provenance\">Signing SBOMs and Provenance<\/h2>\n<p>Beyond images, Sigstore signs:<\/p>\n<ul>\n<li><strong>SBOMs<\/strong> (Software Bill of Materials) generated with <strong><a href=\"https:\/\/github.com\/anchore\/syft\">Syft<\/a><\/strong>, attached to the image digest with <code>cosign attest --predicate sbom.spdx.json --type spdxjson<\/code> (or <code>--type cyclonedx<\/code>) as an in-toto attestation, rather than published as a loose file nobody can tie to a build.<\/li>\n<li><strong>SLSA provenance<\/strong> generated by the builder \u2014 proof of how the image was built, which commit, which workflow, which tools. Verified with <code>cosign verify-attestation --type slsaprovenance<\/code> plus the same identity flags as for signatures.<\/li>\n<li><strong>Raw binaries<\/strong> with <code>cosign sign-blob<\/code>. Keep the <code>--bundle<\/code> output next to the binary: it carries the certificate and the Rekor entry, and <code>cosign verify-blob --bundle<\/code> consumes it.<\/li>\n<\/ul>\n<p>To meet <strong>SLSA Build L3<\/strong> you need provenance that the build\u2019s own steps cannot forge: generated and signed by the build platform, not by a command you wrote in the same job (on GitHub Actions that means a trusted reusable workflow such as slsa-github-generator, running under its own identity). Provenance your own job signs gets you to L2. Sigstore is the natural signing mechanism for both without standing up your own infrastructure.<\/p>\n<h2 id=\"keys-vs.-keyless-when-to-use-which\">Keys vs.\u00a0Keyless: When to Use Which<\/h2>\n<p>You won\u2019t always want OIDC keyless:<\/p>\n<ul>\n<li><strong>Keyless<\/strong>: default, less operational overhead, less key-compromise risk, dependency on public Sigstore.<\/li>\n<li><strong>Keypair<\/strong>: persistent key (<code>cosign generate-key-pair<\/code> makes an ECDSA P-256 key; RSA and Ed25519 keys can be brought in with <code>cosign import-key-pair<\/code>), you manage custody. Useful for air-gapped or strict requirements. Note that cosign still uploads to Rekor by default even with a key; for truly offline signing pass <code>--tlog-upload=false<\/code>, verify with <code>--insecure-ignore-tlog<\/code>, and accept that you lose the independent timestamp.<\/li>\n<li><strong>KMS<\/strong>: key in HashiCorp Vault, AWS KMS, GCP KMS, Azure Key Vault, etc., referenced by URI (<code>hashivault:\/\/<\/code>, <code>awskms:\/\/<\/code>, <code>gcpkms:\/\/<\/code>, <code>azurekms:\/\/<\/code>). The private key never leaves the KMS, access is logged there, and the Rekor entry still gives you a timestamp. Good balance of central management and verifiable signing.<\/li>\n<\/ul>\n<p>For most cloud-native teams, keyless is sufficient and operationally simpler. For regulated environments, KMS is usually the path.<\/p>\n<h2 id=\"private-sigstore-when-it-makes-sense\">Private Sigstore: When It Makes Sense<\/h2>\n<p>Public Sigstore has limits: shared usage, dependency on foreign infrastructure, and every signing certificate, with its identity (a workflow URL or an e-mail address) and issuer, is published in public Rekor for anyone to read. 
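<p>Back to attestations for a moment: the following is an added example, not code from the original post or from cosign, showing the consumer side of <code>cosign verify-attestation<\/code>. cosign checks the envelope signature and the certificate identity; what it hands you is a DSSE envelope whose payload is an in-toto Statement, and before any policy reads the predicate you still want to confirm that the Statement is about the digest you are deploying and carries the predicate type you asked for. The block recomputes the DSSE pre-authentication encoding (the bytes the signature actually covers), performs those two checks, and for SLSA v1 provenance additionally pins the builder id, which is the difference between provenance a job writes about itself and provenance a trusted builder writes about the job. The envelope, digests and builder id are constructed for the example; <code>TRUSTED_BUILDER<\/code> is an assumed placeholder, not a value from the post.<\/p>

```python
"""Consumer-side checks on a cosign attestation: a DSSE envelope wrapping an
in-toto Statement, as printed by `cosign verify-attestation`.

Added example, not from the original post or from the cosign project. cosign
verifies the envelope signature and the certificate identity; this block does
the consumer's part: recompute the DSSE pre-authentication encoding, then gate
on the Statement's subject digest and predicateType before any policy reads
the predicate. The envelope, digests and builder id below are constructed, and
TRUSTED_BUILDER is an assumed placeholder, not a value from the post.
"""
import base64
import json
from typing import Iterable, Optional, Tuple

DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1"}
SLSA_V1 = "https://slsa.dev/provenance/v1"   # what cosign --type slsaprovenance1 produces
SPDX = "https://spdx.dev/Document"           # what cosign --type spdxjson produces


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding, the exact bytes that get signed.
    Only payloadType and the raw payload bytes are covered, so re-indenting or
    reordering the outer envelope JSON changes nothing the signature protects."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def check_attestation(envelope_json: str, image_digest: str,
                      expected_predicate_types: Iterable[str],
                      expected_builder_id: Optional[str] = None
                      ) -> Tuple[bool, str, Optional[dict]]:
    """Return (ok, reason, predicate). predicate is only returned when ok, so a
    caller cannot accidentally act on a predicate that failed the gate."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != DSSE_PAYLOAD_TYPE:
        return False, "unexpected payloadType %r" % env.get("payloadType"), None
    if not env.get("signatures"):
        return False, "envelope carries no signatures", None
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("_type") not in STATEMENT_TYPES:
        return False, "not an in-toto Statement: %r" % stmt.get("_type"), None
    if stmt.get("predicateType") not in set(expected_predicate_types):
        return False, "predicateType %r not expected here" % stmt.get("predicateType"), None
    # The subject must name THIS digest: an attestation about another build that
    # merely lives in the same repository is not evidence for the one we deploy.
    want = image_digest[len("sha256:"):] if image_digest.startswith("sha256:") else image_digest
    subjects = stmt.get("subject") or []
    if not any((s.get("digest") or {}).get("sha256") == want for s in subjects):
        return False, "subject digest does not match the image being deployed", None
    predicate = stmt.get("predicate") or {}
    if expected_builder_id is not None:  # SLSA v1: pin who produced the provenance
        builder = ((predicate.get("runDetails") or {}).get("builder") or {}).get("id")
        if builder != expected_builder_id:
            return False, "provenance builder %r is not the trusted builder" % builder, None
    return True, "attestation accepted", predicate


# Constructed sample data (not real digests, envelopes or signatures).
IMAGE_DIGEST = "sha256:" + "b2" * 32
OTHER_DIGEST = "sha256:" + "c3" * 32
TRUSTED_BUILDER = ("https://github.com/slsa-framework/slsa-github-generator/"
                   ".github/workflows/generator_container_slsa3.yml@refs/tags/v1.9.0")  # assumed value


def envelope(statement: dict) -> str:
    """Wrap a Statement the way cosign attest does. The signature is a
    placeholder: a real one needs the key or Fulcio cert that cosign holds."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return json.dumps({"payloadType": DSSE_PAYLOAD_TYPE,
                       "payload": base64.b64encode(payload).decode(),
                       "signatures": [{"keyid": "", "sig": base64.b64encode(b"placeholder").decode()}]})


def provenance(digest: str, builder: str) -> str:
    return envelope({
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SLSA_V1,
        "subject": [{"name": "registry.example.com/myapp", "digest": {"sha256": digest[len("sha256:"):]}}],
        "predicate": {"buildDefinition": {"externalParameters": {"workflow": {"ref": "refs/tags/v1.2.3"}}},
                      "runDetails": {"builder": {"id": builder}}},
    })


PROVENANCE_OK = provenance(IMAGE_DIGEST, TRUSTED_BUILDER)
PROVENANCE_OTHER_BUILD = provenance(OTHER_DIGEST, TRUSTED_BUILDER)  # right builder, wrong subject
# The job vouching for itself: signed provenance, but forgeable by the job, i.e. L2 not L3.
PROVENANCE_SELF_SIGNED = provenance(
    IMAGE_DIGEST, "https://github.com/example-org/myapp/.github/workflows/build.yml@refs/heads/main")

if __name__ == "__main__":
    cases = [("ok", PROVENANCE_OK), ("other build", PROVENANCE_OTHER_BUILD), ("self-signed", PROVENANCE_SELF_SIGNED)]
    for name, env in cases:
        ok, reason, _ = check_attestation(env, IMAGE_DIGEST, [SLSA_V1], TRUSTED_BUILDER)
        print("%-12s ok=%s (%s)" % (name, ok, reason))
```

<p>Feed it the JSON <code>cosign verify-attestation<\/code> prints, one envelope per line, together with the digest you are about to run. The builder check is only meaningful for provenance; for an SBOM attestation call it with <code>[SPDX]<\/code> and no builder id, and hand the returned predicate to whatever consumes the SBOM.<\/p>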
For some cases, deploying <strong><a href=\"https:\/\/github.com\/sigstore\/scaffolding\">scaffolding<\/a><\/strong> \u2014 your own Fulcio + Rekor instance \u2014 makes sense.<\/p>\n<p>Typical cases:<\/p>\n<ul>\n<li><strong>Regulated<\/strong> where signature metadata is sensitive.<\/li>\n<li><strong>Air-gapped<\/strong> or networks with no public Sigstore access.<\/li>\n<li><strong>High volume<\/strong> justifying operational costs.<\/li>\n<\/ul>\n<p>For everyone else, public is more than enough and much less work. If you do run your own, remember that every client has to be pointed at it (a custom TUF root, or explicit Fulcio and Rekor URLs), and that you have taken back the availability and key-custody problems Sigstore was solving for you.<\/p>\n<h2 id=\"common-mistakes\">Common Mistakes<\/h2>\n<p>I\u2019ve seen teams break signature-based DevSecOps in these ways:<\/p>\n<ul>\n<li><strong>Sign everything, verify nothing<\/strong>. Signing without verification is theatre.<\/li>\n<li><strong>Accept any identity<\/strong>. Verifying \u201chas signature\u201d without validating who signed, and which issuer vouched for them, is nearly equivalent to not signing.<\/li>\n<li><strong>Forget to rotate<\/strong>. In keypair mode a key that never rotates reintroduces the long-lived secret that keyless removed; rotate on a schedule and decide up front how verifiers learn the new public key.<\/li>\n<li><strong>Not storing Rekor log entries<\/strong>. For long-term audit, keep the Rekor log index or entry UUID (cosign prints it at signing time, and the bundle embeds the inclusion proof) with the deployment record; that is the evidence you will be asked for.<\/li>\n<li><strong>No runbook when it fails<\/strong>. If public Sigstore has an incident, your CI halts. Have plan B: decide in advance whether builds wait or retry, and make sure the fallback is never \u201cdeploy unsigned\u201d.<\/li>\n<\/ul>\n<h2 id=\"minimal-checklist\">Minimal Checklist<\/h2>\n<p>A team starting with Sigstore without complications:<\/p>\n<ul>\n<li>Sign in CI (keyless), by digest, for every image that reaches a cluster.<\/li>\n<li>Verify at deployment (Kyverno or policy-controller at admission, Flux for OCI sources).<\/li>\n<li>List of authorized identities (issuer plus identity, not just \u201chas a signature\u201d) versioned in Git and used by both the verify step and the admission policy.<\/li>\n<li>Alert when an unsigned image reaches production.<\/li>\n<li>Quarterly review of what\u2019s signed and what isn\u2019t.<\/li>\n<\/ul>\n<p>With that, you\u2019re already ahead of average.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>Sigstore moved from experimental project to de-facto software-signing infrastructure. Adoption friction has dropped. 
What remains is integrating it so it means something \u2014 really verifying, with well-defined identities, and clear runbooks when it fails. Signing for signing\u2019s sake is worse than not signing: it gives the illusion of security without the benefits. Well applied, it closes one of the doors supply-chain attackers have exploited for years.<\/p>\n<p>Follow us on jacar.es for more on DevSecOps, supply chain, and less-vulnerable deployments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Signing images and artifacts with Sigstore is no longer exotic. How to integrate cosign into a real pipeline without turning signing into empty ritual.<\/p>\n","protected":false},"author":1,"featured_media":521,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,19],"tags":[303,198,304,170,169,168],"class_list":["post-520","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-metodologias","category-tecnologia","tag-cosign","tag-devsecops","tag-firma-artefactos","tag-sigstore","tag-slsa","tag-supply-chain"],"translation":{"provider":"WPGlobus","version":"3.0.2","language":"en","enabled_languages":["es","en"],"languages":{"es":{"title":true,"content":true,"excerpt":true},"en":{"title":true,"content":true,"excerpt":true}}},"gutentor_comment":0,"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Practical DevSecOps with Sigstore and cosign - Jacar<\/title>\n<meta name=\"description\" content=\"Sigstore and cosign in real pipelines: signing images, verifying at deployment, rotating keys, and avoiding empty-ritual signing.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jacar.es\/devsecops-sigstore-cosign\/\" \/>\n<meta property=\"og:locale\" 
content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Practical DevSecOps with Sigstore and cosign - Jacar\" \/>\n<meta property=\"og:description\" content=\"Sigstore and cosign in real pipelines: signing images, verifying at deployment, rotating keys, and avoiding empty-ritual signing.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jacar.es\/devsecops-sigstore-cosign\/\" \/>\n<meta property=\"og:site_name\" content=\"Jacar\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-28T10:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jcs-wp-jacar-es.fsn1.your-objectstorage.com\/wp-content\/uploads\/2020\/09\/favicon.png\" \/>\n\t<meta property=\"og:image:width\" content=\"252\" \/>\n\t<meta property=\"og:image:height\" content=\"229\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"javi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"javi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/\"},\"author\":{\"name\":\"javi\",\"@id\":\"https:\\\/\\\/jacar.es\\\/#\\\/schema\\\/person\\\/54a7f7b4224b38fafc9866eb3e614208\"},\"headline\":\"Practical DevSecOps with Sigstore and cosign\",\"datePublished\":\"2023-12-28T10:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/\"},\"wordCount\":1695,\"publisher\":{\"@id\":\"https:\\\/\\\/jacar.es\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/jcs-wp-jacar-es.fsn1.your-objectstorage.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/20020908\\\/jwp-1384053-20875.jpg\",\"keywords\":[\"cosign\",\"devsecops\",\"firma artefactos\",\"sigstore\",\"slsa\",\"supply chain\"],\"articleSection\":[\"Metodolog\u00edas\",\"Tecnolog\u00eda\"],\"inLanguage\":\"en-US\"},{\"@type\":[\"WebPage\",\"ItemPage\"],\"@id\":\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/\",\"url\":\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/\",\"name\":\"Practical DevSecOps with Sigstore and cosign - Jacar\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/jacar.es\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/jcs-wp-jacar-es.fsn1.your-objectstorage.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/20020908\\\/jwp-1384053-20875.jpg\",\"datePublished\":\"2023-12-28T10:00:00+00:00\",\"description\":\"Sigstore and cosign in real pipelines: 
signing images, verifying at deployment, rotating keys, and avoiding empty-ritual signing.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/#primaryimage\",\"url\":\"https:\\\/\\\/jcs-wp-jacar-es.fsn1.your-objectstorage.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/20020908\\\/jwp-1384053-20875.jpg\",\"contentUrl\":\"https:\\\/\\\/jcs-wp-jacar-es.fsn1.your-objectstorage.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/20020908\\\/jwp-1384053-20875.jpg\",\"width\":1200,\"height\":802,\"caption\":\"Candado met\u00e1lico sobre teclado representando firma digital y seguridad en el pipeline\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/jacar.es\\\/devsecops-sigstore-cosign\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Portada\",\"item\":\"https:\\\/\\\/jacar.es\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"DevSecOps pr\u00e1ctico con Sigstore y cosign\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/jacar.es\\\/#website\",\"url\":\"https:\\\/\\\/jacar.es\\\/\",\"name\":\"Jacar\",\"description\":\"Passion for 
Technology\",\"publisher\":{\"@id\":\"https:\\\/\\\/jacar.es\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/jacar.es\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/jacar.es\\\/#organization\",\"name\":\"Jacar\",\"url\":\"https:\\\/\\\/jacar.es\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/jacar.es\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/jacar.es\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/favicon.png\",\"contentUrl\":\"https:\\\/\\\/jacar.es\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/favicon.png\",\"width\":252,\"height\":229,\"caption\":\"Jacar\"},\"image\":{\"@id\":\"https:\\\/\\\/jacar.es\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/in\\\/javiercanetearroyo\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/jacar.es\\\/#\\\/schema\\\/person\\\/54a7f7b4224b38fafc9866eb3e614208\",\"name\":\"javi\",\"sameAs\":[\"https:\\\/\\\/jacar.es\"],\"url\":\"https:\\\/\\\/jacar.es\\\/en\\\/author\\\/javi\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Practical DevSecOps with Sigstore and cosign - Jacar","description":"Sigstore and cosign in real pipelines: signing images, verifying at deployment, rotating keys, and avoiding empty-ritual signing.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/","og_locale":"en_US","og_type":"article","og_title":"Practical DevSecOps with Sigstore and cosign - Jacar","og_description":"Sigstore and cosign in real pipelines: signing images, verifying at deployment, rotating keys, and avoiding empty-ritual signing.","og_url":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/","og_site_name":"Jacar","article_published_time":"2023-12-28T10:00:00+00:00","og_image":[{"width":252,"height":229,"url":"https:\/\/jcs-wp-jacar-es.fsn1.your-objectstorage.com\/wp-content\/uploads\/2020\/09\/favicon.png","type":"image\/png"}],"author":"javi","twitter_card":"summary_large_image","twitter_misc":{"Written by":"javi","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/#article","isPartOf":{"@id":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/"},"author":{"name":"javi","@id":"https:\/\/jacar.es\/#\/schema\/person\/54a7f7b4224b38fafc9866eb3e614208"},"headline":"Practical DevSecOps with Sigstore and cosign","datePublished":"2023-12-28T10:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/"},"wordCount":1695,"publisher":{"@id":"https:\/\/jacar.es\/#organization"},"image":{"@id":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/#primaryimage"},"thumbnailUrl":"https:\/\/jcs-wp-jacar-es.fsn1.your-objectstorage.com\/wp-content\/uploads\/2023\/12\/20020908\/jwp-1384053-20875.jpg","keywords":["cosign","devsecops","firma artefactos","sigstore","slsa","supply chain"],"articleSection":["Metodolog\u00edas","Tecnolog\u00eda"],"inLanguage":"en-US"},{"@type":["WebPage","ItemPage"],"@id":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/","url":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/","name":"Practical DevSecOps with Sigstore and cosign - Jacar","isPartOf":{"@id":"https:\/\/jacar.es\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/#primaryimage"},"image":{"@id":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/#primaryimage"},"thumbnailUrl":"https:\/\/jcs-wp-jacar-es.fsn1.your-objectstorage.com\/wp-content\/uploads\/2023\/12\/20020908\/jwp-1384053-20875.jpg","datePublished":"2023-12-28T10:00:00+00:00","description":"Sigstore and cosign in real pipelines: signing images, verifying at deployment, rotating keys, and avoiding empty-ritual 
signing.","breadcrumb":{"@id":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jacar.es\/devsecops-sigstore-cosign\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/#primaryimage","url":"https:\/\/jcs-wp-jacar-es.fsn1.your-objectstorage.com\/wp-content\/uploads\/2023\/12\/20020908\/jwp-1384053-20875.jpg","contentUrl":"https:\/\/jcs-wp-jacar-es.fsn1.your-objectstorage.com\/wp-content\/uploads\/2023\/12\/20020908\/jwp-1384053-20875.jpg","width":1200,"height":802,"caption":"Candado met\u00e1lico sobre teclado representando firma digital y seguridad en el pipeline"},{"@type":"BreadcrumbList","@id":"https:\/\/jacar.es\/devsecops-sigstore-cosign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Portada","item":"https:\/\/jacar.es\/"},{"@type":"ListItem","position":2,"name":"DevSecOps pr\u00e1ctico con Sigstore y cosign"}]},{"@type":"WebSite","@id":"https:\/\/jacar.es\/#website","url":"https:\/\/jacar.es\/","name":"Jacar","description":"Passion for 
Technology","publisher":{"@id":"https:\/\/jacar.es\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jacar.es\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jacar.es\/#organization","name":"Jacar","url":"https:\/\/jacar.es\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jacar.es\/#\/schema\/logo\/image\/","url":"https:\/\/jacar.es\/wp-content\/uploads\/2020\/09\/favicon.png","contentUrl":"https:\/\/jacar.es\/wp-content\/uploads\/2020\/09\/favicon.png","width":252,"height":229,"caption":"Jacar"},"image":{"@id":"https:\/\/jacar.es\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/in\/javiercanetearroyo\/"]},{"@type":"Person","@id":"https:\/\/jacar.es\/#\/schema\/person\/54a7f7b4224b38fafc9866eb3e614208","name":"javi","sameAs":["https:\/\/jacar.es"],"url":"https:\/\/jacar.es\/en\/author\/javi\/"}]}},"_links":{"self":[{"href":"https:\/\/jacar.es\/en\/wp-json\/wp\/v2\/posts\/520","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jacar.es\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jacar.es\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jacar.es\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jacar.es\/en\/wp-json\/wp\/v2\/comments?post=520"}],"version-history":[{"count":0,"href":"https:\/\/jacar.es\/en\/wp-json\/wp\/v2\/posts\/520\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jacar.es\/en\/wp-json\/wp\/v2\/media\/521"}],"wp:attachment":[{"href":"https:\/\/jacar.es\/en\/wp-json\/wp\/v2\/media?parent=520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jacar.es\/en\/wp-json\/wp\/v2\/categories?post=520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jacar.es
\/en\/wp-json\/wp\/v2\/tags?post=520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}