Description
Signs and verifies container images and other artifacts with Sigstore support, including keyless or ephemeral-key workflows. It helps teams prove artifact origin and detect tampering in software supply chains.
Use it when container or artifact signing is part of the release policy. Verification rules, identity constraints, and transparency-log expectations should be defined before relying on signatures.