The author discusses which supply chain attacks aren't covered by sigstore.

cosign is part of the sigstore project to make the open-source software supply chain more secure. In this post, the author describes how to use the cosign tool to sign container images.

»A non-profit, public good software signing & transparency service.«