Interview › Security & DevSecOps
What is artifact signing, and what is Sigstore/cosign? [Intermediate]
Answer
Artifact signing cryptographically signs a build artifact or image digest so consumers can verify integrity and publisher identity. Sigstore and cosign make this practical for containers by supporting keyless signing, transparency logs, and signature verification in CI/CD and Kubernetes admission.
Technical explanation
Signing mutable tags is weaker; sign immutable digests so the signature binds to exact content.
Keyless signing can bind an artifact to an OIDC identity from CI, reducing long-lived signing-key risk.
Verification should happen before promotion and again before deployment.
Hands-on example
Hands-on:
cosign sign --keyless registry.example.com/checkout@sha256:abc
cosign verify --certificate-identity-regexp 'https://github.com/org/repo/.github/workflows/.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
registry.example.com/checkout@sha256:abc
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]