\u062a\u062a\u0645\u064a\u0632 \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u062a\u0633\u0644\u064a\u0645 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0627\u0644\u062d\u062f\u064a\u062b\u0629 \u0628\u0642\u062f\u0631\u0629 \u0641\u0627\u0626\u0642\u0629 \u0639\u0644\u0649 \u0628\u0646\u0627\u0621 \u0627\u0644\u0634\u0641\u0631\u0629 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u0648\u0634\u062d\u0646\u0647\u0627 \u0628\u0633\u0631\u0639\u0629. \u0644\u0643\u0646 \u0627\u0644\u0633\u0631\u0639\u0629 \u062f\u0648\u0646 \u062b\u0642\u0629 \u062a\u0645\u062b\u0644 \u0645\u0633\u0624\u0648\u0644\u064a\u0629 \u062e\u0637\u064a\u0631\u0629. \u0628\u064a\u0646 \u0644\u062d\u0638\u0629 \u0625\u064a\u062f\u0627\u0639 \u0627\u0644\u0634\u0641\u0631\u0629 \u0627\u0644\u0645\u0635\u062f\u0631\u064a\u0629 \u0648\u0644\u062d\u0638\u0629 \u062a\u0634\u063a\u064a\u0644 \u0635\u0648\u0631\u0629 \u0627\u0644\u062d\u0627\u0648\u064a\u0629 \u0641\u064a \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c\u060c \u062a\u0648\u062c\u062f \u0641\u062c\u0648\u0629 \u2014 \u0641\u062c\u0648\u0629 \u064a\u0645\u0643\u0646 \u0623\u0646 \u064a\u062d\u062f\u062b \u0641\u064a\u0647\u0627 \u062a\u0644\u0627\u0639\u0628 \u0623\u0648 \u0627\u0633\u062a\u0628\u062f\u0627\u0644 \u0623\u0648 \u062a\u0644\u0641 \u0635\u0627\u0645\u062a \u062f\u0648\u0646 \u0623\u0646 \u064a\u0644\u0627\u062d\u0638 \u0623\u062d\u062f.<\/p>\n
\u0647\u0630\u0627 \u0644\u064a\u0633 \u0645\u0635\u062f\u0631 \u0642\u0644\u0642 \u0646\u0638\u0631\u064a. \u0641\u0642\u062f \u0623\u0638\u0647\u0631 \u0647\u062c\u0648\u0645 SolarWinds<\/strong> \u0641\u064a \u0639\u0627\u0645 2020 \u0643\u064a\u0641 \u064a\u0645\u0643\u0646 \u0644\u0644\u062e\u0635\u0648\u0645 \u062d\u0642\u0646 \u0634\u0641\u0631\u0629 \u062e\u0628\u064a\u062b\u0629 \u0641\u064a \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u0645\u0646\u062a\u062c\u064a\u0646 \u0639\u0646\u0627\u0635\u0631 \u0628\u0631\u0645\u062c\u064a\u0629 \u0645\u0648\u0642\u064e\u0651\u0639\u0629 \u0644\u0643\u0646\u0647\u0627 \u0645\u062e\u062a\u0631\u0642\u0629 \u0627\u0646\u062a\u0634\u0631\u062a \u0625\u0644\u0649 \u0622\u0644\u0627\u0641 \u0627\u0644\u0645\u0646\u0638\u0645\u0627\u062a. \u0648\u0623\u0638\u0647\u0631 \u0627\u062e\u062a\u0631\u0627\u0642 Codecov<\/strong> \u0641\u064a \u0639\u0627\u0645 2021 \u0643\u064a\u0641 \u064a\u0645\u0643\u0646 \u0644\u0646\u0635 CI \u0645\u064f\u062a\u0644\u0627\u0639\u064e\u0628 \u0628\u0647 \u062a\u0633\u0631\u064a\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0645\u0646 \u0643\u0644 \u0645\u0633\u062a\u0648\u062f\u0639 \u064a\u0633\u062a\u062e\u062f\u0645\u0647. \u0641\u064a \u0643\u0644\u062a\u0627 \u0627\u0644\u062d\u0627\u0644\u062a\u064a\u0646\u060c \u0643\u0627\u0646\u062a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u2014 \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0628\u064a\u0646 \u0627\u0644\u0634\u0641\u0631\u0629 \u0648\u0627\u0644\u0646\u0634\u0631 \u2014 \u0647\u064a \u0633\u0637\u062d \u0627\u0644\u0647\u062c\u0648\u0645.<\/p>\n \u064a\u0639\u0627\u0644\u062c \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0639\u0646\u0627\u0635\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u062c\u0632\u0621\u064b\u0627 \u062d\u0627\u0633\u0645\u064b\u0627 \u0645\u0646 \u0647\u0630\u0627 \u0627\u0644\u0644\u063a\u0632: \u0627\u0644\u0623\u0635\u0627\u0644\u0629 \u0648\u0627\u0644\u0633\u0644\u0627\u0645\u0629<\/strong>. \u0645\u0646 \u062e\u0644\u0627\u0644 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u062a\u0634\u0641\u064a\u0631\u064a \u0644\u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629\u060c \u062a\u064f\u0646\u0634\u0626 \u0631\u0627\u0628\u0637\u064b\u0627 \u0642\u0627\u0628\u0644\u0627\u064b \u0644\u0644\u062a\u062d\u0642\u0642 \u0628\u064a\u0646 \u0627\u0644\u0635\u0648\u0631\u0629 \u0648\u0627\u0644\u0647\u0648\u064a\u0629 (\u0634\u062e\u0635 \u0623\u0648 \u0641\u0631\u064a\u0642 \u0623\u0648 \u0646\u0638\u0627\u0645 CI) \u0627\u0644\u062a\u064a \u0623\u0646\u062a\u062c\u062a\u0647\u0627. \u064a\u0645\u0643\u0646 \u0644\u0645\u0633\u062a\u0647\u0644\u0643\u064a \u062a\u0644\u0643 \u0627\u0644\u0635\u0648\u0631\u0629 \u0628\u0639\u062f \u0630\u0644\u0643 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0642\u0628\u0644 \u062a\u0634\u063a\u064a\u0644\u0647\u0627\u060c \u0645\u0645\u0627 \u064a\u0636\u0645\u0646 \u0623\u0646\u0647\u0627 \u0644\u0645 \u062a\u064f\u0639\u062f\u064e\u0651\u0644 \u0645\u0646\u0630 \u0628\u0646\u0627\u0626\u0647\u0627.<\/p>\n \u0644\u0633\u0646\u0648\u0627\u062a \u0639\u062f\u064a\u062f\u0629\u060c \u0643\u0627\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u063a\u064a\u0631 \u0639\u0645\u0644\u064a \u0641\u064a \u0645\u0639\u0638\u0645 \u0627\u0644\u0645\u0646\u0638\u0645\u0627\u062a. \u0643\u0627\u0646\u062a \u0625\u062f\u0627\u0631\u0629 \u0645\u0641\u0627\u062a\u064a\u062d GPG \u0645\u0631\u0647\u0642\u0629\u060c \u0648\u062a\u0648\u0632\u064a\u0639 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0647\u0634\u064b\u0627\u060c \u0648\u0643\u0627\u0646\u062a \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u062a\u062a\u0637\u0644\u0628 \u062e\u0628\u0631\u0629 \u0639\u0645\u064a\u0642\u0629 \u0641\u064a \u0627\u0644\u062a\u0634\u0641\u064a\u0631. \u063a\u064a\u064e\u0651\u0631 Sigstore<\/strong> \u0630\u0644\u0643. \u0641\u0642\u062f \u0642\u062f\u0651\u0645 \u0645\u062c\u0645\u0648\u0639\u0629 \u0645\u0646 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0645\u0641\u062a\u0648\u062d\u0629 \u0627\u0644\u0645\u0635\u062f\u0631 \u062a\u062c\u0639\u0644 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0633\u0647\u0644\u064e\u064a \u0627\u0644\u0648\u0635\u0648\u0644 \u0648\u0622\u0644\u064a\u064e\u0651\u064a\u0646 \u2014 \u0648\u0627\u0644\u0623\u0647\u0645 \u0645\u0646 \u0630\u0644\u0643 \u2014 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d (keyless).<\/p>\n \u064a\u0631\u0634\u062f\u0643 \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0639\u0628\u0631 \u0645\u0646\u0638\u0648\u0645\u0629 Sigstore\u060c \u0648\u064a\u0648\u0636\u062d \u0644\u0643 \u0643\u064a\u0641\u064a\u0629 \u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Cosign<\/strong>\u060c \u0648\u062f\u0645\u062c \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0641\u064a \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD\u060c \u0648\u0625\u0631\u0641\u0627\u0642 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a (attestations) \u0648\u0642\u0648\u0627\u0626\u0645 \u0645\u0643\u0648\u0646\u0627\u062a \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a (SBOMs). \u0628\u0646\u0647\u0627\u064a\u0629 \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644\u060c \u0633\u062a\u0645\u062a\u0644\u0643 \u0641\u0647\u0645\u064b\u0627 \u0639\u0645\u0644\u064a\u064b\u0627 \u0644\u0643\u064a\u0641\u064a\u0629 \u062c\u0639\u0644 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0639\u0646\u0627\u0635\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u062c\u0632\u0621\u064b\u0627 \u0645\u0639\u064a\u0627\u0631\u064a\u064b\u0627 \u0645\u0646 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u062a\u0633\u0644\u064a\u0645.<\/p>\n Sigstore \u0647\u0648 \u0645\u0634\u0631\u0648\u0639 \u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631 \u062a\u0627\u0628\u0639 \u0644\u0645\u0624\u0633\u0633\u0629 Linux Foundation \u064a\u0648\u0641\u0631 \u0623\u062f\u0648\u0627\u062a \u0645\u062c\u0627\u0646\u064a\u0629 \u0648\u0634\u0641\u0627\u0641\u0629 \u0648\u0633\u0647\u0644\u0629 \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0639\u0646\u0627\u0635\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627 \u0648\u062d\u0645\u0627\u064a\u062a\u0647\u0627. \u0623\u064f\u0646\u0634\u0626 \u0644\u062d\u0644 \u0645\u0634\u0643\u0644\u0629 \u0645\u062d\u062f\u062f\u0629: \u062c\u0639\u0644 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u062a\u0634\u0641\u064a\u0631\u064a \u0639\u0645\u0644\u064a\u064b\u0627 \u0644\u0645\u0646\u0638\u0648\u0645\u0629 \u0627\u0644\u0645\u0635\u0627\u062f\u0631 \u0627\u0644\u0645\u0641\u062a\u0648\u062d\u0629 \u0648\u0645\u0627 \u0628\u0639\u062f\u0647\u0627.<\/p>\n \u062a\u062a\u0643\u0648\u0646 \u0645\u0646\u0638\u0648\u0645\u0629 Sigstore \u0645\u0646 \u062b\u0644\u0627\u062b\u0629 \u0645\u0643\u0648\u0646\u0627\u062a \u0623\u0633\u0627\u0633\u064a\u0629:<\/p>\n Cosign<\/strong> \u0647\u0648 \u0623\u062f\u0627\u0629 \u062c\u0627\u0646\u0628 \u0627\u0644\u0639\u0645\u064a\u0644 \u0644\u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0639\u0646\u0627\u0635\u0631 OCI \u0627\u0644\u0623\u062e\u0631\u0649 \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627. \u0625\u0646\u0647 \u0645\u0627 \u064a\u062a\u0641\u0627\u0639\u0644 \u0645\u0639\u0647 \u0627\u0644\u0645\u0637\u0648\u0631\u0648\u0646 \u0648\u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0645\u0628\u0627\u0634\u0631\u0629. \u064a\u062f\u0639\u0645 Cosign \u0643\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u062a\u0642\u0644\u064a\u062f\u064a \u0628\u0632\u0648\u062c \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0648\u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d (keyless signing) \u0627\u0644\u0623\u062d\u062f\u062b.<\/p>\n Fulcio<\/strong> \u0647\u0648 \u062c\u0647\u0629 \u0625\u0635\u062f\u0627\u0631 \u0634\u0647\u0627\u062f\u0627\u062a (CA) \u0645\u062c\u0627\u0646\u064a\u0629 \u062a\u064f\u0635\u062f\u0631 \u0634\u0647\u0627\u062f\u0627\u062a \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631 \u0628\u0646\u0627\u0621\u064b \u0639\u0644\u0649 \u0647\u0648\u064a\u0629 OpenID Connect (OIDC). \u0639\u0646\u062f \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d\u060c \u064a\u062a\u062d\u0642\u0642 Fulcio \u0645\u0646 \u0647\u0648\u064a\u062a\u0643 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0645\u0632\u0648\u062f OIDC (\u0645\u062b\u0644 Google \u0623\u0648 GitHub \u0623\u0648 Microsoft) \u0648\u064a\u064f\u0635\u062f\u0631 \u0634\u0647\u0627\u062f\u0629 \u062a\u0631\u0628\u0637 \u0647\u0648\u064a\u062a\u0643 \u0628\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062a\u0648\u0642\u064a\u0639. \u062a\u0643\u0648\u0646 \u0627\u0644\u0634\u0647\u0627\u062f\u0629 \u0635\u0627\u0644\u062d\u0629 \u0644\u0628\u0636\u0639 \u062f\u0642\u0627\u0626\u0642 \u0641\u0642\u0637 \u2014 \u0648\u0642\u062a \u0643\u0627\u0641\u064d \u0644\u062a\u0648\u0642\u064a\u0639 \u0639\u0646\u0635\u0631 \u0628\u0631\u0645\u062c\u064a\u060c \u0644\u0643\u0646\u0647 \u0642\u0635\u064a\u0631 \u0628\u0645\u0627 \u064a\u0643\u0641\u064a \u0644\u062a\u062c\u0646\u0628 \u0645\u062e\u0627\u0637\u0631 \u0627\u062e\u062a\u0631\u0627\u0642 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0628\u0634\u0643\u0644 \u0645\u0633\u062a\u0645\u0631.<\/p>\n Rekor<\/strong> \u0647\u0648 \u0633\u062c\u0644 \u0634\u0641\u0627\u0641\u064a\u0629 \u2014 \u062f\u0641\u062a\u0631 \u0623\u0633\u062a\u0627\u0630 \u062b\u0627\u0628\u062a \u0648\u0642\u0627\u0628\u0644 \u0644\u0644\u0625\u0644\u062d\u0627\u0642 \u0641\u0642\u0637 \u064a\u0633\u062c\u0644 \u0623\u062d\u062f\u0627\u062b \u0627\u0644\u062a\u0648\u0642\u064a\u0639. \u0641\u064a \u0643\u0644 \u0645\u0631\u0629 \u064a\u064f\u0648\u0642\u064e\u0651\u0639 \u0641\u064a\u0647\u0627 \u0639\u0646\u0635\u0631 \u0628\u0631\u0645\u062c\u064a\u060c \u064a\u064f\u0636\u0627\u0641 \u0633\u062c\u0644 \u0625\u0644\u0649 Rekor. \u064a\u0648\u0641\u0631 \u0647\u0630\u0627 \u0645\u0633\u0627\u0631\u064b\u0627 \u0639\u0627\u0645\u064b\u0627 \u0642\u0627\u0628\u0644\u0627\u064b \u0644\u0644\u062a\u062f\u0642\u064a\u0642 \u064a\u0648\u0636\u062d \u0645\u064e\u0646 \u0648\u0642\u064e\u0651\u0639 \u0645\u0627\u0630\u0627 \u0648\u0645\u062a\u0649. \u0648\u0647\u0648 \u0645\u0634\u0627\u0628\u0647 \u0645\u0641\u0627\u0647\u064a\u0645\u064a\u064b\u0627 \u0644\u0633\u062c\u0644\u0627\u062a Certificate Transparency \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u0629 \u0641\u064a \u0645\u0646\u0638\u0648\u0645\u0629 TLS.<\/p>\n \u064a\u062a\u0637\u0644\u0628 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u062a\u0642\u0644\u064a\u062f\u064a \u0627\u0644\u0645\u0628\u0646\u064a \u0639\u0644\u0649 GPG \u062a\u0648\u0644\u064a\u062f \u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d \u0637\u0648\u064a\u0644 \u0627\u0644\u0639\u0645\u0631\u060c \u0648\u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062e\u0627\u0635\u060c \u0648\u062a\u0648\u0632\u064a\u0639 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u0639\u0627\u0645\u060c \u0648\u0625\u062f\u0627\u0631\u0629 \u062a\u062f\u0648\u064a\u0631 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0648\u0625\u0644\u063a\u0627\u0626\u0647\u0627. \u0647\u0630\u0627 \u0639\u0628\u0621 \u062a\u0634\u063a\u064a\u0644\u064a \u062b\u0642\u064a\u0644 \u0648\u0639\u0631\u0636\u0629 \u0644\u0644\u0623\u062e\u0637\u0627\u0621\u060c \u0648\u0647\u0630\u0627 \u0647\u0648 \u0627\u0644\u0633\u0628\u0628 \u0641\u064a \u0623\u0646 \u0645\u0639\u0638\u0645 \u0627\u0644\u0645\u0634\u0627\u0631\u064a\u0639 \u0644\u0645 \u062a\u062a\u0628\u0646\u064e\u0651 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0623\u0635\u0644\u0627\u064b.<\/p>\n \u064a\u064f\u0644\u063a\u064a \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0641\u064a Sigstore \u0647\u0630\u0627 \u0627\u0644\u0639\u0628\u0621:<\/p>\n \u064a\u064f\u0648\u0632\u064e\u0651\u0639 Cosign \u0643\u0645\u0644\u0641 \u062b\u0646\u0627\u0626\u064a \u0648\u0627\u062d\u062f. \u064a\u0645\u0643\u0646\u0643 \u062a\u062b\u0628\u064a\u062a\u0647 \u0639\u0644\u0649 \u0645\u0639\u0638\u0645 \u0627\u0644\u0645\u0646\u0635\u0627\u062a:<\/p>\n \u0623\u0628\u0633\u0637 \u0637\u0631\u064a\u0642\u0629 \u0647\u064a \u062a\u0648\u0644\u064a\u062f \u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d \u0648\u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0647 \u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0635\u0648\u0631. \u0647\u0630\u0627 \u0645\u0641\u064a\u062f \u0639\u0646\u062f\u0645\u0627 \u062a\u0631\u064a\u062f \u0627\u0644\u062a\u062d\u0643\u0645 \u0627\u0644\u0643\u0627\u0645\u0644 \u0641\u064a \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0623\u0648 \u0639\u0646\u062f\u0645\u0627 \u0644\u0627 \u064a\u0643\u0648\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0645\u062a\u0627\u062d\u064b\u0627 \u0641\u064a \u0628\u064a\u0626\u062a\u0643.<\/p>\n \u0627\u0644\u062e\u0637\u0648\u0629 1: \u062a\u0648\u0644\u064a\u062f \u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d<\/strong><\/p>\n \u064a\u0646\u0634\u0626 \u0647\u0630\u0627 \u0645\u0644\u0641\u064a\u0646: \u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629<\/strong><\/p>\n \u0633\u064a\u0637\u0644\u0628 Cosign \u0643\u0644\u0645\u0629 \u0645\u0631\u0648\u0631 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062e\u0627\u0635\u060c \u0648\u064a\u064f\u0646\u0634\u0626 \u062a\u0648\u0642\u064a\u0639\u064b\u0627\u060c \u0648\u064a\u062f\u0641\u0639\u0647 \u0625\u0644\u0649 \u0646\u0641\u0633 \u0633\u062c\u0644 OCI \u0628\u062c\u0627\u0646\u0628 \u0627\u0644\u0635\u0648\u0631\u0629. \u064a\u064f\u062e\u0632\u064e\u0651\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0643\u0639\u0646\u0635\u0631 OCI \u0645\u0646\u0641\u0635\u0644\u060c \u0645\u064f\u0639\u0644\u064e\u0651\u0645 \u0628\u0627\u0635\u0637\u0644\u0627\u062d \u064a\u0631\u0628\u0637\u0647 \u0628\u062e\u0644\u0627\u0635\u0629 (digest) \u0627\u0644\u0635\u0648\u0631\u0629.<\/p>\n \u0645\u0647\u0645:<\/strong> \u0648\u0642\u0650\u0651\u0639 \u062f\u0627\u0626\u0645\u064b\u0627 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u062e\u0644\u0627\u0635\u0629 (digest) \u0648\u0644\u064a\u0633 \u0628\u0627\u0644\u0639\u0644\u0627\u0645\u0629 (tag). \u0627\u0644\u0639\u0644\u0627\u0645\u0627\u062a \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u2014 \u064a\u0645\u0643\u0646 \u0644\u0623\u064a \u0634\u062e\u0635 \u0646\u0642\u0644 \u0639\u0644\u0627\u0645\u0629 \u0644\u0644\u0625\u0634\u0627\u0631\u0629 \u0625\u0644\u0649 \u0635\u0648\u0631\u0629 \u0645\u062e\u062a\u0644\u0641\u0629 \u0628\u0639\u062f \u0627\u0644\u062a\u0648\u0642\u064a\u0639. \u0623\u0645\u0627 \u0627\u0644\u062e\u0644\u0627\u0635\u0627\u062a \u0641\u0647\u064a \u0645\u064f\u0639\u0627\u0644\u062c\u0629 \u0628\u0627\u0644\u0645\u062d\u062a\u0648\u0649 \u0648\u063a\u064a\u0631 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631.<\/p>\n \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0647\u0648 \u0627\u0644\u0646\u0647\u062c \u0627\u0644\u0645\u0648\u0635\u0649 \u0628\u0647 \u0644\u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD. \u064a\u064f\u0644\u063a\u064a \u0627\u0644\u062d\u0627\u062c\u0629 \u0644\u0625\u062f\u0627\u0631\u0629 \u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u0627\u0644\u0643\u0627\u0645\u0644.<\/p>\n \u0641\u064a \u0628\u064a\u0626\u0629 CI\/CD \u0645\u062b\u0644 GitHub Actions\u060c \u064a\u0643\u062a\u0634\u0641 Cosign \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627 \u0631\u0645\u0632 OIDC \u0627\u0644\u0645\u062d\u064a\u0637 \u0627\u0644\u0630\u064a \u062a\u0648\u0641\u0631\u0647 \u0627\u0644\u0645\u0646\u0635\u0629. \u0644\u0627 \u062d\u0627\u062c\u0629 \u0644\u062a\u0641\u0627\u0639\u0644 \u0639\u0628\u0631 \u0627\u0644\u0645\u062a\u0635\u0641\u062d.<\/p>\n \u0639\u0646\u062f \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0646\u062a\u064a\u062c\u0629 \u0647\u064a \u0635\u0648\u0631\u0629 \u0645\u064f\u0648\u0642\u064e\u0651\u0639\u0629 \u0628\u0633\u0644\u0633\u0644\u0629 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u062d\u0642\u0642: \u064a\u064f\u062b\u0628\u062a \u0633\u062c\u0644 Rekor \u0623\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0623\u064f\u0646\u0634\u0626 \u0641\u064a \u0648\u0642\u062a \u0645\u062d\u062f\u062f \u0628\u0648\u0627\u0633\u0637\u0629 \u0647\u0648\u064a\u0629 \u0645\u062d\u062f\u062f\u0629\u060c \u0648\u062a\u064f\u062b\u0628\u062a \u0634\u0647\u0627\u062f\u0629 Fulcio \u0623\u0646 \u0627\u0644\u0647\u0648\u064a\u0629 \u0643\u0627\u0646\u062a \u0645\u064f\u0635\u0627\u062f\u064e\u0642 \u0639\u0644\u064a\u0647\u0627 \u0648\u0642\u062a \u0627\u0644\u062a\u0648\u0642\u064a\u0639.<\/p>\n \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0645\u0641\u064a\u062f \u0641\u0642\u0637 \u0625\u0630\u0627 \u062a\u062d\u0642\u0642 \u0627\u0644\u0645\u0633\u062a\u0647\u0644\u0643\u0648\u0646 \u0645\u0646\u0647. \u064a\u0648\u0641\u0631 Cosign \u0623\u0648\u0627\u0645\u0631 \u062a\u062d\u0642\u0642 \u0645\u0628\u0627\u0634\u0631\u0629 \u0644\u0643\u0644 \u0645\u0646 \u0627\u0644\u0633\u064a\u0646\u0627\u0631\u064a\u0648\u0647\u0627\u062a \u0627\u0644\u0645\u0628\u0646\u064a\u0629 \u0639\u0644\u0649 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0648\u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d.<\/p>\n \u0625\u0630\u0627 \u0648\u064f\u0642\u0650\u0651\u0639\u062a \u0627\u0644\u0635\u0648\u0631\u0629 \u0628\u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d\u060c \u062a\u062d\u0642\u0642 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u0639\u0627\u0645:<\/p>\n \u064a\u062c\u0644\u0628 Cosign \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0645\u0646 \u0633\u062c\u0644 OCI\u060c \u0648\u064a\u062a\u062d\u0642\u0642 \u0645\u0646\u0647 \u0645\u0642\u0627\u0628\u0644 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u0639\u0627\u0645\u060c \u0648\u064a\u064f\u062e\u0631\u062c \u0627\u0644\u0646\u062a\u064a\u062c\u0629. \u0625\u0630\u0627 \u0643\u0627\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0635\u0627\u0644\u062d\u064b\u0627\u060c \u064a\u0637\u0628\u0639 \u062d\u0645\u0648\u0644\u0629 \u0627\u0644\u062a\u0648\u0642\u064a\u0639. \u0625\u0630\u0627 \u0644\u0645 \u064a\u0643\u0646 \u0643\u0630\u0644\u0643\u060c \u064a\u062e\u0631\u062c \u0628\u062e\u0637\u0623.<\/p>\n \u0644\u0644\u0635\u0648\u0631 \u0627\u0644\u0645\u064f\u0648\u0642\u064e\u0651\u0639\u0629 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d\u060c \u064a\u0639\u062a\u0645\u062f \u0627\u0644\u062a\u062d\u0642\u0642 \u0639\u0644\u0649 \u0627\u0644\u0647\u0648\u064a\u0629 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u0645\u0641\u062a\u0627\u062d. \u062a\u064f\u062d\u062f\u062f \u0645\u064e\u0646<\/em> \u062a\u062a\u0648\u0642\u0639 \u0623\u0646 \u064a\u0643\u0648\u0646 \u0642\u062f \u0648\u0642\u064e\u0651\u0639 \u0627\u0644\u0635\u0648\u0631\u0629:<\/p>\n \u064a\u062a\u062d\u0642\u0642 \u0647\u0630\u0627 \u0627\u0644\u0623\u0645\u0631 \u0645\u0646 \u0623\u0646:<\/p>\n \u064a\u0645\u0643\u0646\u0643 \u0623\u064a\u0636\u064b\u0627 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0645\u0637\u0627\u0628\u0642\u0629 \u0627\u0644\u062a\u0639\u0628\u064a\u0631\u0627\u062a \u0627\u0644\u0646\u0645\u0637\u064a\u0629 (regex) \u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0623\u0643\u062b\u0631 \u0645\u0631\u0648\u0646\u0629:<\/p>\n \u0627\u0644\u062a\u062d\u0642\u0642 \u0627\u0644\u064a\u062f\u0648\u064a \u0645\u0641\u064a\u062f \u0644\u062a\u0635\u062d\u064a\u062d \u0627\u0644\u0623\u062e\u0637\u0627\u0621\u060c \u0644\u0643\u0646 \u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0641\u0631\u0636 \u0622\u0644\u064a. \u064a\u0645\u0643\u0646 \u0644\u0648\u062d\u062f\u0627\u062a \u0627\u0644\u062a\u062d\u0643\u0645 \u0628\u0627\u0644\u0642\u0628\u0648\u0644 \u0641\u064a Kubernetes \u0631\u0641\u0636 \u0623\u064a \u0635\u0648\u0631\u0629 \u0644\u0627 \u062a\u062d\u0645\u0644 \u062a\u0648\u0642\u064a\u0639\u064b\u0627 \u0635\u0627\u0644\u062d\u064b\u0627.<\/p>\n Kyverno<\/strong> \u0647\u0648 \u0645\u062d\u0631\u0643 \u0633\u064a\u0627\u0633\u0627\u062a \u0634\u0627\u0626\u0639 \u0645\u0639 \u062f\u0639\u0645 \u0645\u062f\u0645\u062c \u0644\u0644\u062a\u062d\u0642\u0642 \u0639\u0628\u0631 Cosign:<\/p>\n \u064a\u0648\u0641\u0631 Sigstore Policy Controller<\/strong> (\u0627\u0644\u0645\u0639\u0631\u0648\u0641 \u0633\u0627\u0628\u0642\u064b\u0627 \u0628\u0640 Cosign Policy Webhook) \u0648\u0638\u0627\u0626\u0641 \u0645\u0634\u0627\u0628\u0647\u0629 \u0628\u0646\u0647\u062c \u0623\u0635\u0644\u064a \u0644\u0640 Sigstore:<\/p>\n \u0645\u0639 \u0623\u064a \u0645\u0646 \u0627\u0644\u0646\u0647\u062c\u064a\u0646\u060c \u0633\u064a\u064f\u0631\u0641\u0636 \u0623\u064a pod \u064a\u0634\u064a\u0631 \u0625\u0644\u0649 \u0635\u0648\u0631\u0629 \u063a\u064a\u0631 \u0645\u064f\u0648\u0642\u064e\u0651\u0639\u0629 (\u0623\u0648 \u0645\u064f\u0648\u0642\u064e\u0651\u0639\u0629 \u0628\u0634\u0643\u0644 \u063a\u064a\u0631 \u0635\u062d\u064a\u062d) \u0645\u0646 \u0633\u062c\u0644\u0643 \u0639\u0646\u062f \u0648\u0642\u062a \u0627\u0644\u0642\u0628\u0648\u0644.<\/p>\n \u064a\u062a\u0645\u062a\u0639 GitHub Actions \u0628\u062f\u0639\u0645 \u0623\u0635\u0644\u064a \u0644\u0640 OIDC\u060c \u0645\u0645\u0627 \u064a\u062c\u0639\u0644\u0647 \u0627\u0644\u0628\u064a\u0626\u0629 \u0627\u0644\u0645\u062b\u0627\u0644\u064a\u0629 \u0644\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d. \u0641\u064a\u0645\u0627 \u064a\u0644\u064a \u0633\u064a\u0631 \u0639\u0645\u0644 \u0643\u0627\u0645\u0644 \u064a\u0628\u0646\u064a \u0648\u064a\u062f\u0641\u0639 \u0648\u064a\u0648\u0642\u0639 \u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629:<\/p>\n \u0627\u0644\u0646\u0642\u0627\u0637 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629:<\/p>\n \u064a\u062f\u0639\u0645 GitLab CI \u0623\u064a\u0636\u064b\u0627 \u0631\u0645\u0648\u0632 OIDC \u0644\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d. \u0627\u0644\u0646\u0647\u062c \u0645\u0634\u0627\u0628\u0647 \u0644\u0643\u0646\u0647 \u064a\u0633\u062a\u062e\u062f\u0645 \u0622\u0644\u064a\u0629 \u0631\u0645\u0632 \u0627\u0644\u0645\u0639\u0631\u0641 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0640 GitLab:<\/p>\n \u0643\u062a\u0644\u0629 \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u064b\u0627\u060c \u064a\u064f\u062e\u0632\u0650\u0651\u0646 Cosign \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0641\u064a \u0646\u0641\u0633 \u0633\u062c\u0644 OCI \u0627\u0644\u0630\u064a \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0645\u064f\u0648\u0642\u064e\u0651\u0639\u0629. \u064a\u064f\u062f\u0641\u0639 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0643\u0639\u0644\u0627\u0645\u0629 \u0645\u0646\u0641\u0635\u0644\u0629 \u0648\u0641\u0642\u064b\u0627 \u0644\u0644\u0627\u0635\u0637\u0644\u0627\u062d \u0625\u0630\u0627 \u0643\u0646\u062a \u0628\u062d\u0627\u062c\u0629 \u0644\u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0641\u064a \u0633\u062c\u0644 \u0645\u062e\u062a\u0644\u0641 (\u0645\u062b\u0644 \u0645\u062e\u0632\u0646 \u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0645\u062e\u0635\u0635)\u060c \u064a\u0645\u0643\u0646\u0643 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0645\u062a\u063a\u064a\u0631 \u0627\u0644\u0628\u064a\u0626\u0629 \u062a\u064f\u062b\u0628\u062a \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0645\u064e\u0646<\/em> \u0628\u0646\u0649 \u0627\u0644\u0635\u0648\u0631\u0629. \u0623\u0645\u0627 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a (attestations) \u0641\u062a\u0630\u0647\u0628 \u0623\u0628\u0639\u062f \u0645\u0646 \u0630\u0644\u0643 \u2014 \u062a\u064f\u062b\u0628\u062a \u0643\u064a\u0641<\/em> \u0628\u064f\u0646\u064a\u062a \u0648\u0645\u0627\u0630\u0627<\/em> \u062a\u062d\u062a\u0648\u064a. \u064a\u062f\u0639\u0645 Cosign \u0625\u0631\u0641\u0627\u0642 \u0628\u064a\u0627\u0646\u0627\u062a \u0648\u0635\u0641\u064a\u0629 \u0645\u0646\u0638\u0645\u0629 \u0628\u0627\u0644\u0635\u0648\u0631 \u0641\u064a \u0634\u0643\u0644 \u0634\u0647\u0627\u062f\u0627\u062a in-toto.<\/p>\n \u064a\u0635\u0641 \u0625\u062b\u0628\u0627\u062a \u0645\u0635\u062f\u0631 SLSA (Supply-chain Levels for Software Artifacts) \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621: \u0645\u0627 \u0627\u0644\u0645\u0635\u062f\u0631 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u060c \u0645\u0627 \u0627\u0644\u0645\u064f\u0646\u0634\u0626 \u0627\u0644\u0630\u064a \u0639\u0645\u0644\u060c \u0645\u0627 \u0627\u0644\u062e\u0637\u0648\u0627\u062a \u0627\u0644\u062a\u064a \u0646\u064f\u0641\u0650\u0651\u0630\u062a. \u064a\u0645\u0643\u0646\u0643 \u0625\u0631\u0641\u0627\u0642 \u0634\u0647\u0627\u062f\u0629 \u0625\u062b\u0628\u0627\u062a \u0645\u0635\u062f\u0631 SLSA \u0628\u0627\u0644\u0635\u0648\u0631\u0629:<\/p>\n \u0641\u064a \u0627\u0644\u0645\u0645\u0627\u0631\u0633\u0629 \u0627\u0644\u0639\u0645\u0644\u064a\u0629\u060c \u0633\u062a\u0633\u062a\u062e\u062f\u0645 \u0645\u064f\u0648\u0644\u0650\u0651\u062f SLSA (\u0645\u062b\u0644 \u0642\u0627\u0626\u0645\u0629 \u0645\u0643\u0648\u0646\u0627\u062a \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a (SBOM) \u062a\u0633\u0631\u062f \u0643\u0644 \u0645\u0643\u0648\u0646 \u062f\u0627\u062e\u0644 \u0635\u0648\u0631\u0629 \u0627\u0644\u062d\u0627\u0648\u064a\u0629. \u064a\u0645\u0643\u0646 \u0644\u0640 Cosign \u0625\u0631\u0641\u0627\u0642 SBOM \u0628\u0627\u0644\u0635\u0648\u0631\u0629 \u062d\u062a\u0649 \u064a\u062a\u0645\u0643\u0646 \u0627\u0644\u0645\u0633\u062a\u0647\u0644\u0643\u0648\u0646 \u0645\u0646 \u0641\u062d\u0635 \u0645\u062d\u062a\u0648\u064a\u0627\u062a\u0647\u0627:<\/p>\n \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643\u060c \u064a\u0645\u0643\u0646\u0643 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0623\u0645\u0631 \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0633\u062a\u0647\u0644\u0643\u064a\u0646 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a \u062a\u0645\u0627\u0645\u064b\u0627 \u0645\u062b\u0644 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a. \u064a\u062a\u062d\u0642\u0642 \u0623\u0645\u0631 \u064a\u0645\u0643\u0646\u0643 \u0623\u064a\u0636\u064b\u0627 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0645\u062d\u0631\u0643\u0627\u062a \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0645\u062b\u0644 Kyverno \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a \u0639\u0646\u062f \u0648\u0642\u062a \u0627\u0644\u0642\u0628\u0648\u0644\u060c \u0645\u0645\u0627 \u064a\u0636\u0645\u0646 \u0646\u0634\u0631 \u0627\u0644\u0635\u0648\u0631 \u0630\u0627\u062a \u0625\u062b\u0628\u0627\u062a \u0627\u0644\u0645\u0635\u062f\u0631 \u0627\u0644\u0635\u0627\u0644\u062d \u0623\u0648 SBOMs \u0641\u0642\u0637 \u0641\u064a \u0645\u062c\u0645\u0648\u0639\u0627\u062a\u0643.<\/p>\n \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0639\u0646\u0627\u0635\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u0623\u062f\u0627\u0629 \u0642\u0648\u064a\u0629\u060c \u0644\u0643\u0646 \u0645\u0646 \u0627\u0644\u0645\u0647\u0645 \u0641\u0647\u0645 \u0645\u0627 \u064a\u062d\u0645\u064a \u0645\u0646\u0647 \u0648\u0645\u0627 \u0644\u0627 \u064a\u062d\u0645\u064a \u0645\u0646\u0647.<\/p>\n \u064a\u0639\u062a\u0645\u062f \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0639\u0644\u0649 \u0639\u062f\u0629 \u0627\u0641\u062a\u0631\u0627\u0636\u0627\u062a \u062b\u0642\u0629:<\/p>\n \u0644\u0644\u0645\u0646\u0638\u0645\u0627\u062a \u0630\u0627\u062a \u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0627\u0645\u062a\u062b\u0627\u0644 \u0627\u0644\u0635\u0627\u0631\u0645\u0629\u060c \u064a\u0648\u0641\u0631 \u062a\u0634\u063a\u064a\u0644 \u0628\u0646\u064a\u0629 Sigstore \u062a\u062d\u062a\u064a\u0629 \u062e\u0627\u0635\u0629 (\u062c\u0647\u0629 \u0625\u0635\u062f\u0627\u0631 \u0634\u0647\u0627\u062f\u0627\u062a Fulcio \u062e\u0627\u0635\u0629\u060c \u0633\u062c\u0644 Rekor \u062e\u0627\u0635) \u062a\u062d\u0643\u0645\u064b\u0627 \u0643\u0627\u0645\u0644\u0627\u064b \u0641\u064a \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062b\u0642\u0629.<\/p>\n \u0625\u0630\u0627 \u0627\u062e\u062a\u0631\u062a \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0645\u0628\u0646\u064a \u0639\u0644\u0649 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d:<\/p>\n \u064a\u064f\u0639\u062f\u0651 \u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Sigstore \u0648 Cosign \u0645\u0646 \u0623\u0643\u062b\u0631 \u0627\u0644\u062e\u0637\u0648\u0627\u062a \u062a\u0623\u062b\u064a\u0631\u064b\u0627 \u0627\u0644\u062a\u064a \u064a\u0645\u0643\u0646\u0643 \u0627\u062a\u062e\u0627\u0630\u0647\u0627 \u0646\u062d\u0648 \u062a\u0623\u0645\u064a\u0646 \u0633\u0644\u0633\u0644\u0629 \u062a\u0648\u0631\u064a\u062f \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a. \u0644\u0645 \u064a\u0639\u062f \u0627\u0644\u0623\u0645\u0631 \u0635\u0639\u0628\u064b\u0627\u060c \u0648\u0644\u0645 \u064a\u0639\u062f \u064a\u062a\u0637\u0644\u0628 \u062e\u0628\u0631\u0629 \u0639\u0645\u064a\u0642\u0629 \u0641\u064a \u0627\u0644\u062a\u0634\u0641\u064a\u0631\u060c \u0648\u0644\u0645 \u064a\u0639\u062f \u064a\u0633\u062a\u062f\u0639\u064a \u0628\u0646\u064a\u0629 \u062a\u062d\u062a\u064a\u0629 \u0645\u0639\u0642\u062f\u0629 \u0644\u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d. \u0645\u0639 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d\u060c \u064a\u0645\u0643\u0646 \u0644\u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u062a\u0648\u0642\u064a\u0639 \u0643\u0644 \u0635\u0648\u0631\u0629 \u064a\u0646\u062a\u062c\u0647\u0627 \u0628\u062f\u0648\u0646 \u0623\u0633\u0631\u0627\u0631 \u0644\u0625\u062f\u0627\u0631\u062a\u0647\u0627 \u0648\u0628\u0642\u0627\u0628\u0644\u064a\u0629 \u062a\u062f\u0642\u064a\u0642 \u0643\u0627\u0645\u0644\u0629 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0633\u062c\u0644 \u0634\u0641\u0627\u0641\u064a\u0629 Rekor.<\/p>\n \u0644\u0643\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0647\u0648 \u0644\u0628\u0646\u0629 \u0628\u0646\u0627\u0621<\/strong> \u0648\u0644\u064a\u0633 \u062d\u0644\u0627\u064b \u0633\u062d\u0631\u064a\u064b\u0627. \u064a\u064f\u062c\u064a\u0628 \u0639\u0644\u0649 \u0633\u0624\u0627\u0644 \"\u0647\u0644 \u0623\u064f\u0646\u062a\u062c\u062a \u0647\u0630\u0647 \u0627\u0644\u0635\u0648\u0631\u0629 \u0628\u0648\u0627\u0633\u0637\u0629 \u0639\u0645\u0644\u064a\u0629 \u0645\u064f\u062e\u0648\u064e\u0651\u0644\u0629\u061f\" \u0644\u0627 \u064a\u064f\u062c\u064a\u0628 \u0639\u0644\u0649 \"\u0647\u0644 \u0647\u0630\u0647 \u0627\u0644\u0635\u0648\u0631\u0629 \u0622\u0645\u0646\u0629 \u0644\u0644\u062a\u0634\u063a\u064a\u0644\u061f\" \u062a\u062c\u0645\u0639 \u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0629 \u0623\u0645\u0627\u0646 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0628\u064a\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0648\u0641\u062d\u0635 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0648\u062a\u0648\u0644\u064a\u062f SBOMs \u0648\u0625\u062b\u0628\u0627\u062a \u0645\u0635\u062f\u0631 SLSA \u0648\u0641\u0631\u0636 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0639\u0646\u062f \u0627\u0644\u0642\u0628\u0648\u0644 \u0648\u0645\u0631\u0627\u0642\u0628\u0629 \u0627\u0644\u0623\u0645\u0627\u0646 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0648\u0636\u0648\u0627\u0628\u0637 \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0635\u0627\u0631\u0645\u0629 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0627\u0644\u0645\u0635\u062f\u0631 \u0648\u0628\u0646\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u062a\u062d\u062a\u064a\u0629.<\/p>\n \u0627\u0628\u062f\u0623 \u0628\u0625\u0636\u0627\u0641\u0629 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0646\u0627\u0636\u062c\u0629\u060c \u0648\u0627\u0644\u0645\u0646\u0638\u0648\u0645\u0629 \u062a\u0646\u0645\u0648\u060c \u0648\u062a\u0643\u0644\u0641\u0629 \u0639\u062f\u0645<\/em> \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0623\u0635\u0628\u062d\u062a \u0623\u0635\u0639\u0628 \u0641\u064a \u062a\u0628\u0631\u064a\u0631\u0647\u0627. \u0644\u0645 \u064a\u0639\u062f \u0627\u0644\u0633\u0624\u0627\u0644 \u0647\u0644 \u062a\u0648\u0642\u0650\u0651\u0639 \u0639\u0646\u0627\u0635\u0631\u0643 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u2014 \u0628\u0644 \u0643\u0645 \u0628\u0633\u0631\u0639\u0629 \u064a\u0645\u0643\u0646\u0643 \u062c\u0639\u0644\u0647 \u0627\u0644\u062e\u064a\u0627\u0631 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a.<\/p>\n","protected":false},"excerpt":{"rendered":" \u0645\u0642\u062f\u0645\u0629: \u0644\u0645\u0627\u0630\u0627 \u064a\u064f\u0639\u062f\u0651 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0639\u0646\u0627\u0635\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u0623\u0645\u0631\u064b\u0627 \u0628\u0627\u0644\u063a \u0627\u0644\u0623\u0647\u0645\u064a\u0629 \u0641\u064a CI\/CD \u062a\u062a\u0645\u064a\u0632 \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u062a\u0633\u0644\u064a\u0645 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0627\u0644\u062d\u062f\u064a\u062b\u0629 \u0628\u0642\u062f\u0631\u0629 \u0641\u0627\u0626\u0642\u0629 \u0639\u0644\u0649 \u0628\u0646\u0627\u0621 \u0627\u0644\u0634\u0641\u0631\u0629 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u0648\u0634\u062d\u0646\u0647\u0627 \u0628\u0633\u0631\u0639\u0629. \u0644\u0643\u0646 \u0627\u0644\u0633\u0631\u0639\u0629 \u062f\u0648\u0646 \u062b\u0642\u0629 \u062a\u0645\u062b\u0644 \u0645\u0633\u0624\u0648\u0644\u064a\u0629 \u062e\u0637\u064a\u0631\u0629. \u0628\u064a\u0646 \u0644\u062d\u0638\u0629 \u0625\u064a\u062f\u0627\u0639 \u0627\u0644\u0634\u0641\u0631\u0629 \u0627\u0644\u0645\u0635\u062f\u0631\u064a\u0629 \u0648\u0644\u062d\u0638\u0629 \u062a\u0634\u063a\u064a\u0644 \u0635\u0648\u0631\u0629 \u0627\u0644\u062d\u0627\u0648\u064a\u0629 \u0641\u064a \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c\u060c \u062a\u0648\u062c\u062f \u0641\u062c\u0648\u0629 \u2014 \u0641\u062c\u0648\u0629 \u064a\u0645\u0643\u0646 \u0623\u0646 \u064a\u062d\u062f\u062b \u0641\u064a\u0647\u0627 \u062a\u0644\u0627\u0639\u0628 \u0623\u0648 \u0627\u0633\u062a\u0628\u062f\u0627\u0644 … \u0627\u0642\u0631\u0623 \u0627\u0644\u0645\u0632\u064a\u062f<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,27],"tags":[],"post_folder":[],"class_list":["post-777","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-software-supply-chain"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/777","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=777"}],"version-history":[{"count":1,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/777\/revisions"}],"predecessor-version":[{"id":780,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/777\/revisions\/780"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=777"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=777"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=777"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=777"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u0645\u0627 \u0647\u0648 Sigstore\u061f<\/h2>\n
Cosign<\/h3>\n
Fulcio<\/h3>\n
Rekor<\/h3>\n
\u0643\u064a\u0641 \u064a\u062e\u062a\u0644\u0641 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d (Keyless Signing) \u0639\u0646 GPG<\/h3>\n
\n
\u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Cosign<\/h2>\n
\u062a\u062b\u0628\u064a\u062a Cosign<\/h3>\n
# macOS (Homebrew)\nbrew install cosign\n\n# Linux (Go install)\ngo install github.com\/sigstore\/cosign\/v2\/cmd\/cosign@latest\n\n# Linux (binary release)\ncurl -LO https:\/\/github.com\/sigstore\/cosign\/releases\/latest\/download\/cosign-linux-amd64\nchmod +x cosign-linux-amd64\nsudo mv cosign-linux-amd64 \/usr\/local\/bin\/cosign\n\n# Verify installation\ncosign version<\/code><\/pre>\n\u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d<\/h3>\n
cosign generate-key-pair<\/code><\/pre>\ncosign.key<\/code> (\u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062e\u0627\u0635\u060c \u0645\u062d\u0645\u064a \u0628\u0643\u0644\u0645\u0629 \u0645\u0631\u0648\u0631) \u0648cosign.pub<\/code> (\u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u0639\u0627\u0645). \u062e\u0632\u0650\u0651\u0646 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062e\u0627\u0635 \u0628\u0634\u0643\u0644 \u0622\u0645\u0646 \u2014 \u0641\u064a \u0645\u062f\u064a\u0631 \u0623\u0633\u0631\u0627\u0631 \u0623\u0648 HSM \u0623\u0648 \u062e\u0632\u0646\u0629 \u0645\u0634\u0641\u0631\u0629.<\/p>\n# Sign an image by its digest (always prefer digest over tag)\ncosign sign --key cosign.key ghcr.io\/myorg\/myapp@sha256:abc123...<\/code><\/pre>\n\u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d (Keyless Signing) \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0647\u0648\u064a\u0629 OIDC<\/h3>\n
# Keyless signing (interactive \u2014 opens browser for OIDC login)\ncosign sign ghcr.io\/myorg\/myapp@sha256:abc123...\n\n# Keyless signing (non-interactive, for CI\/CD)\n# The --yes flag skips the confirmation prompt\ncosign sign --yes ghcr.io\/myorg\/myapp@sha256:abc123...<\/code><\/pre>\n\u0645\u0627 \u064a\u062d\u062f\u062b \u062e\u0644\u0641 \u0627\u0644\u0643\u0648\u0627\u0644\u064a\u0633<\/h3>\n
cosign sign --yes<\/code> \u0641\u064a \u0648\u0636\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d\u060c \u064a\u062d\u062f\u062b \u0627\u0644\u062a\u0633\u0644\u0633\u0644 \u0627\u0644\u062a\u0627\u0644\u064a:<\/p>\n\n
\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a<\/h2>\n
\u0627\u0644\u062a\u062d\u0642\u0642 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0645\u0641\u062a\u0627\u062d \u0639\u0627\u0645<\/h3>\n
cosign verify --key cosign.pub ghcr.io\/myorg\/myapp@sha256:abc123...<\/code><\/pre>\n\u0627\u0644\u062a\u062d\u0642\u0642 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d (Keyless Verification)<\/h3>\n
# Verify that a specific GitHub Actions workflow signed the image\ncosign verify \\\n --certificate-identity \"https:\/\/github.com\/myorg\/myapp\/.github\/workflows\/release.yml@refs\/heads\/main\" \\\n --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n ghcr.io\/myorg\/myapp@sha256:abc123...<\/code><\/pre>\n\n
--certificate-identity<\/code> \u0627\u0644\u0645\u062d\u062f\u062f.<\/li>\n--certificate-oidc-issuer<\/code>.<\/li>\ncosign verify \\\n --certificate-identity-regexp \"https:\/\/github.com\/myorg\/.*\" \\\n --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n ghcr.io\/myorg\/myapp@sha256:abc123...<\/code><\/pre>\n\u0641\u0631\u0636 \u0627\u0644\u062a\u062d\u0642\u0642 \u0641\u064a \u0648\u062d\u062f\u0627\u062a \u0627\u0644\u062a\u062d\u0643\u0645 \u0628\u0627\u0644\u0642\u0628\u0648\u0644 (Admission Controllers)<\/h3>\n
apiVersion: kyverno.io\/v1\nkind: ClusterPolicy\nmetadata:\n name: verify-image-signatures\nspec:\n validationFailureAction: Enforce\n background: false\n rules:\n - name: verify-cosign-signature\n match:\n any:\n - resources:\n kinds:\n - Pod\n verifyImages:\n - imageReferences:\n - \"ghcr.io\/myorg\/*\"\n attestors:\n - entries:\n - keyless:\n subject: \"https:\/\/github.com\/myorg\/myapp\/.github\/workflows\/release.yml@refs\/heads\/main\"\n issuer: \"https:\/\/token.actions.githubusercontent.com\"\n rekor:\n url: https:\/\/rekor.sigstore.dev<\/code><\/pre>\napiVersion: policy.sigstore.dev\/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n name: require-signed-images\nspec:\n images:\n - glob: \"ghcr.io\/myorg\/**\"\n authorities:\n - keyless:\n identities:\n - issuer: \"https:\/\/token.actions.githubusercontent.com\"\n subject: \"https:\/\/github.com\/myorg\/myapp\/.github\/workflows\/release.yml@refs\/heads\/main\"\n ctlog:\n url: https:\/\/rekor.sigstore.dev<\/code><\/pre>\n\u062f\u0645\u062c \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0641\u064a \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD<\/h2>\n
GitHub Actions \u0645\u0639 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d<\/h3>\n
name: Build and Sign Container Image\n\non:\n push:\n branches: [main]\n\npermissions:\n contents: read\n packages: write\n id-token: write # Required for keyless signing\n\njobs:\n build-sign:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout code\n uses: actions\/checkout@v4\n\n - name: Set up Docker Buildx\n uses: docker\/setup-buildx-action@v3\n\n - name: Log in to GHCR\n uses: docker\/login-action@v3\n with:\n registry: ghcr.io\n username: ${{ github.actor }}\n password: ${{ secrets.GITHUB_TOKEN }}\n\n - name: Build and push image\n id: build\n uses: docker\/build-push-action@v6\n with:\n push: true\n tags: ghcr.io\/${{ github.repository }}:${{ github.sha }}\n\n - name: Install Cosign\n uses: sigstore\/cosign-installer@v3\n\n - name: Sign the image\n env:\n DIGEST: ${{ steps.build.outputs.digest }}\n run: |\n cosign sign --yes \\\n ghcr.io\/${{ github.repository }}@${DIGEST}<\/code><\/pre>\n\n
id-token: write<\/code> \u062a\u064f\u0641\u0639\u0650\u0651\u0644 \u0645\u0632\u0648\u062f OIDC \u0644\u0640 GitHub Actions\u060c \u0627\u0644\u0630\u064a \u064a\u0633\u062a\u062e\u062f\u0645\u0647 Cosign \u0644\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d.<\/li>\n\u0645\u062b\u0627\u0644 GitLab CI<\/h3>\n
stages:\n - build\n - sign\n\nvariables:\n IMAGE: ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHORT_SHA}\n\nbuild:\n stage: build\n image: docker:24\n services:\n - docker:24-dind\n script:\n - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY\n - docker build -t $IMAGE .\n - docker push $IMAGE\n - echo \"DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE | cut -d@ -f2)\" >> build.env\n artifacts:\n reports:\n dotenv: build.env\n\nsign:\n stage: sign\n image: alpine:3.19\n id_tokens:\n SIGSTORE_ID_TOKEN:\n aud: sigstore\n before_script:\n - apk add --no-cache cosign\n script:\n - cosign sign --yes ${CI_REGISTRY_IMAGE}@${DIGEST}<\/code><\/pre>\nid_tokens<\/code> \u062a\u064f\u0648\u062c\u0650\u0651\u0647 GitLab \u0644\u062a\u0648\u0644\u064a\u062f \u0631\u0645\u0632 OIDC \u0628\u0627\u0644\u062c\u0645\u0647\u0648\u0631 sigstore<\/code>. \u064a\u0644\u062a\u0642\u0637 Cosign \u0627\u0644\u0631\u0645\u0632 \u0645\u0646 \u0645\u062a\u063a\u064a\u0631 \u0627\u0644\u0628\u064a\u0626\u0629 SIGSTORE_ID_TOKEN<\/code> \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627.<\/p>\n\u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0641\u064a \u0633\u062c\u0644\u0627\u062a OCI<\/h3>\n
sha256-<digest>.sig<\/code>. \u0647\u0630\u0627 \u064a\u0639\u0646\u064a:<\/p>\n\n
COSIGN_REPOSITORY<\/code>:<\/p>\nexport COSIGN_REPOSITORY=ghcr.io\/myorg\/signatures\ncosign sign --yes ghcr.io\/myorg\/myapp@sha256:abc123...<\/code><\/pre>\n\u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a (Attestations) \u0648\u0625\u0631\u0641\u0627\u0642 \u0642\u0648\u0627\u0626\u0645 \u0645\u0643\u0648\u0646\u0627\u062a \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a (SBOMs)<\/h2>\n
\u0625\u0631\u0641\u0627\u0642 \u0625\u062b\u0628\u0627\u062a \u0645\u0635\u062f\u0631 SLSA \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645
cosign attest<\/code><\/h3>\n# Create a provenance statement (simplified example)\ncat > provenance.json <<'EOF'\n{\n \"_type\": \"https:\/\/in-toto.io\/Statement\/v1\",\n \"subject\": [\n {\n \"name\": \"ghcr.io\/myorg\/myapp\",\n \"digest\": {\n \"sha256\": \"abc123...\"\n }\n }\n ],\n \"predicateType\": \"https:\/\/slsa.dev\/provenance\/v1\",\n \"predicate\": {\n \"buildDefinition\": {\n \"buildType\": \"https:\/\/github.com\/myorg\/myapp\/.github\/workflows\/release.yml\",\n \"resolvedDependencies\": [\n {\n \"uri\": \"git+https:\/\/github.com\/myorg\/myapp@refs\/heads\/main\",\n \"digest\": {\n \"sha1\": \"def456...\"\n }\n }\n ]\n },\n \"runDetails\": {\n \"builder\": {\n \"id\": \"https:\/\/github.com\/actions\/runner\"\n }\n }\n }\n}\nEOF\n\n# Attest the image with the provenance statement (keyless)\ncosign attest --yes \\\n --predicate provenance.json \\\n --type slsaprovenance \\\n ghcr.io\/myorg\/myapp@sha256:abc123...<\/code><\/pre>\nslsa-github-generator<\/code>) \u0644\u0625\u0646\u062a\u0627\u062c \u0625\u062b\u0628\u0627\u062a \u0627\u0644\u0645\u0635\u062f\u0631 \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0635\u064a\u0627\u063a\u062a\u0647 \u064a\u062f\u0648\u064a\u064b\u0627.<\/p>\n\u0625\u0631\u0641\u0627\u0642 \u0642\u0648\u0627\u0626\u0645 \u0645\u0643\u0648\u0646\u0627\u062a \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a (SBOMs)<\/h3>\n
# Generate an SBOM using Syft\nsyft ghcr.io\/myorg\/myapp@sha256:abc123... -o spdx-json > sbom.spdx.json\n\n# Attach the SBOM as an attestation (recommended approach)\ncosign attest --yes \\\n --predicate sbom.spdx.json \\\n --type spdxjson \\\n ghcr.io\/myorg\/myapp@sha256:abc123...<\/code><\/pre>\ncosign attach sbom<\/code> \u0627\u0644\u0623\u0642\u062f\u0645\u060c \u0631\u063a\u0645 \u0623\u0646 \u0646\u0647\u062c \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a \u0645\u064f\u0641\u0636\u064e\u0651\u0644 \u0644\u0623\u0646\u0647 \u0645\u064f\u0648\u0642\u064e\u0651\u0639 \u0648\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u062d\u0642\u0642:<\/p>\n# Older approach (attached but not signed)\ncosign attach sbom --sbom sbom.spdx.json \\\n ghcr.io\/myorg\/myapp@sha256:abc123...<\/code><\/pre>\n\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a (Attestations)<\/h3>\n
cosign verify-attestation<\/code> \u0645\u0646 \u0643\u0644 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0639\u0644\u0649 \u0627\u0644\u0634\u0647\u0627\u062f\u0629 \u0648\u0647\u0648\u064a\u0629 \u0627\u0644\u0645\u064f\u0648\u0642\u0650\u0651\u0639:<\/p>\n# Verify SLSA provenance attestation\ncosign verify-attestation \\\n --type slsaprovenance \\\n --certificate-identity \"https:\/\/github.com\/myorg\/myapp\/.github\/workflows\/release.yml@refs\/heads\/main\" \\\n --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n ghcr.io\/myorg\/myapp@sha256:abc123...\n\n# Verify SBOM attestation\ncosign verify-attestation \\\n --type spdxjson \\\n --certificate-identity \"https:\/\/github.com\/myorg\/myapp\/.github\/workflows\/release.yml@refs\/heads\/main\" \\\n --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n ghcr.io\/myorg\/myapp@sha256:abc123...<\/code><\/pre>\n\u0627\u0639\u062a\u0628\u0627\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646 \u0648\u0627\u0644\u0645\u0642\u0627\u064a\u0636\u0627\u062a<\/h2>\n
\u0645\u0627 \u064a\u062d\u0645\u064a \u0645\u0646\u0647 \u0627\u0644\u062a\u0648\u0642\u064a\u0639<\/h3>\n
\n
\u0645\u0627 \u0644\u0627 \u064a\u062d\u0645\u064a \u0645\u0646\u0647 \u0627\u0644\u062a\u0648\u0642\u064a\u0639<\/h3>\n
\n
\u0627\u0641\u062a\u0631\u0627\u0636\u0627\u062a \u0646\u0645\u0648\u0630\u062c \u0627\u0644\u062b\u0642\u0629<\/h3>\n
\n
\u0627\u0639\u062a\u0628\u0627\u0631\u0627\u062a \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d<\/h3>\n
\n
cosign sign --key awskms:\/\/\/arn:aws:kms:...<\/code><\/li>\n\u0627\u0644\u062e\u0644\u0627\u0635\u0629<\/h2>\n
cosign sign --yes<\/code> \u0625\u0644\u0649 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0627\u0644\u062e\u0627\u0635 \u0628\u0643. \u062b\u0645 \u0623\u0636\u0641 \u0627\u0644\u062a\u062d\u0642\u0642 \u0641\u064a \u0648\u062d\u062f\u0629 \u0627\u0644\u062a\u062d\u0643\u0645 \u0628\u0627\u0644\u0642\u0628\u0648\u0644. \u062b\u0645 \u0623\u0636\u0641 \u0637\u0628\u0642\u0629 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a \u0648 SBOMs. \u0643\u0644 \u062e\u0637\u0648\u0629 \u062a\u064f\u0636\u064a\u0650\u0651\u0642 \u0627\u0644\u0641\u062c\u0648\u0629 \u0628\u064a\u0646 \u0628\u0646\u0627\u0621 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0648\u0627\u0644\u0648\u062b\u0648\u0642 \u0628\u0647\u0627.<\/p>\n