\u0641\u064a \u0643\u0644 \u0645\u0631\u0629 \u062a\u0633\u062d\u0628 \u0641\u064a\u0647\u0627 \u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629 \u0648\u062a\u0646\u0634\u0631\u0647\u0627 \u0641\u064a \u0628\u064a\u0626\u0629 \u0627\u0644\u0625\u0646\u062a\u0627\u062c\u060c \u0641\u0625\u0646\u0643 \u062a\u0645\u0646\u062d \u062b\u0642\u0629 \u0636\u0645\u0646\u064a\u0629 \u0644\u0647\u0630\u0627 \u0627\u0644\u0645\u064f\u062e\u0631\u064e\u062c. \u0644\u0643\u0646 \u0643\u064a\u0641 \u062a\u062a\u062d\u0642\u0642<\/em> \u0645\u0646 \u0623\u0646 \u0627\u0644\u0635\u0648\u0631\u0629 \u0644\u0645 \u064a\u062a\u0645 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0647\u0627\u061f \u0648\u0643\u064a\u0641 \u062a\u062a\u0623\u0643\u062f \u0623\u0646\u0647\u0627 \u0628\u064f\u0646\u064a\u062a \u0641\u0639\u0644\u0627\u064b \u0628\u0648\u0627\u0633\u0637\u0629 \u0645\u0633\u0627\u0631 CI\/CD \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0648\u0644\u064a\u0633 \u0645\u0646 \u0642\u0628\u0644 \u0645\u0647\u0627\u062c\u0645 \u0627\u062e\u062a\u0631\u0642 \u0633\u062c\u0644 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a\u061f<\/p>\n \u064a\u062d\u0644 \u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0647\u0630\u0647 \u0627\u0644\u0645\u0634\u0643\u0644\u0629 \u0639\u0646 \u0637\u0631\u064a\u0642 \u0625\u0631\u0641\u0627\u0642 \u062a\u0648\u0642\u064a\u0639 \u062a\u0634\u0641\u064a\u0631\u064a \u0628\u0635\u0648\u0631\u0643. \u0642\u0628\u0644 \u0627\u0644\u0646\u0634\u0631\u060c \u064a\u0645\u0643\u0646 \u0644\u0645\u064f\u0646\u0633\u0651\u0642 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0623\u0648 \u0648\u062d\u062f\u0629 \u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u0642\u0628\u0648\u0644 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0647\u0630\u0627 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u060c \u0645\u0645\u0627 \u064a\u0636\u0645\u0646 \u062f\u062e\u0648\u0644 \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0645\u0648\u062b\u0648\u0642\u0629 \u0648\u0627\u0644\u0645\u0635\u0627\u062f\u0642 \u0639\u0644\u064a\u0647\u0627 \u0641\u0642\u0637 \u0625\u0644\u0649 \u0628\u064a\u0626\u062a\u0643. \u064a\u064f\u0639\u062f\u0651 \u0647\u0630\u0627 \u0631\u0643\u064a\u0632\u0629 \u0623\u0633\u0627\u0633\u064a\u0629 \u0644\u0640\u0623\u0645\u0646 \u0633\u0644\u0633\u0644\u0629 \u062a\u0648\u0631\u064a\u062f \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a<\/strong> \u0648\u0645\u062a\u0637\u0644\u0628\u064b\u0627 \u0641\u064a \u0623\u064f\u0637\u0631 \u0639\u0645\u0644 \u0645\u062b\u0644 SLSA<\/a> \u0648NIST SSDF<\/a>.<\/p>\n \u0644\u0643\u0646 \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0644\u064a\u0633\u062a \u0645\u062a\u0633\u0627\u0648\u064a\u0629. \u0627\u0644\u0623\u0633\u0627\u0644\u064a\u0628 \u0627\u0644\u062b\u0644\u0627\u062b\u0629 \u0627\u0644\u0633\u0627\u0626\u062f\u0629 \u0627\u0644\u064a\u0648\u0645 \u2014 Cosign<\/strong> (\u062c\u0632\u0621 \u0645\u0646 \u0645\u0634\u0631\u0648\u0639 Sigstore)\u060c \u0648Notation<\/strong> (\u0639\u0645\u064a\u0644 Notary v2)\u060c \u0648GPG<\/strong> (\u0627\u0644\u0623\u0633\u0644\u0648\u0628 \u0627\u0644\u062a\u0642\u0644\u064a\u062f\u064a) \u2014 \u062a\u0623\u062a\u064a \u0643\u0644 \u0645\u0646\u0647\u0627 \u0628\u0645\u0642\u0627\u064a\u0636\u0627\u062a \u0645\u062e\u062a\u0644\u0641\u0629 \u062c\u0630\u0631\u064a\u064b\u0627 \u0641\u064a \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d\u060c \u0648\u0627\u0644\u062a\u0643\u0627\u0645\u0644 \u0645\u0639 CI\/CD\u060c \u0648\u0627\u0644\u062a\u0648\u0627\u0641\u0642 \u0645\u0639 \u0627\u0644\u0646\u0638\u0627\u0645 \u0627\u0644\u0628\u064a\u0626\u064a.<\/p>\n \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644\u060c \u0633\u0646\u064f\u062c\u0631\u064a \u0645\u0642\u0627\u0631\u0646\u0629 \u0639\u0645\u0644\u064a\u0629 \u0648\u0645\u0639\u0645\u0651\u0642\u0629 \u0628\u064a\u0646 \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u062b\u0644\u0627\u062b \u062d\u062a\u0649 \u062a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0627\u062a\u062e\u0627\u0630 \u0627\u0644\u0642\u0631\u0627\u0631 \u0627\u0644\u0635\u062d\u064a\u062d \u0644\u0645\u0633\u0627\u0631\u0627\u062a \u0639\u0645\u0644\u0643.<\/p>\n Cosign \u0647\u064a \u0623\u062f\u0627\u0629 \u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0645\u0646 \u0645\u0634\u0631\u0648\u0639 Sigstore<\/a>\u060c \u0648\u0647\u0648 \u0627\u0644\u0622\u0646 \u0645\u0634\u0631\u0648\u0639 \u0645\u062a\u062e\u0631\u0651\u062c \u062a\u062d\u062a \u0645\u0624\u0633\u0633\u0629 Linux Foundation. \u0645\u0647\u0645\u0629 Sigstore \u0647\u064a \u062c\u0639\u0644 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a \u0634\u0627\u0626\u0639\u064b\u0627 \u0639\u0628\u0631 \u0625\u0632\u0627\u0644\u0629 \u0623\u0643\u0628\u0631 \u0639\u0627\u0626\u0642: \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d<\/strong>.<\/p>\n \u064a\u064f\u062e\u0632\u0651\u0646 Cosign \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0643\u0645\u064f\u062e\u0631\u062c\u0627\u062a OCI \u0645\u0628\u0627\u0634\u0631\u0629 \u0628\u062c\u0627\u0646\u0628 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0645\u0648\u0642\u0651\u0639\u0629 \u0641\u064a \u0646\u0641\u0633 \u0627\u0644\u0633\u062c\u0644. \u0648\u0647\u0630\u0627 \u064a\u0639\u0646\u064a \u0623\u0646\u0647 \u0644\u0627 \u064a\u0648\u062c\u062f \u0646\u0638\u0627\u0645 \u062a\u062e\u0632\u064a\u0646 \u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0645\u0646\u0641\u0635\u0644 \u064a\u062c\u0628 \u0635\u064a\u0627\u0646\u062a\u0647 \u2014 \u0641\u0633\u062c\u0644 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0627\u0644\u062d\u0627\u0644\u064a (Docker Hub\u060c GitHub Container Registry\u060c AWS ECR\u060c Google Artifact Registry\u060c \u0625\u0644\u062e) \u064a\u0624\u062f\u064a \u062f\u0648\u0631\u064b\u0627 \u0645\u0632\u062f\u0648\u062c\u064b\u0627.<\/p>\n \u0627\u0644\u0645\u064a\u0632\u0629 \u0627\u0644\u0623\u0643\u062b\u0631 \u062b\u0648\u0631\u064a\u0629 \u0641\u064a Cosign \u0647\u064a \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d<\/strong>. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0625\u062f\u0627\u0631\u0629 \u0645\u0641\u0627\u062a\u064a\u062d \u062a\u0648\u0642\u064a\u0639 \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0623\u0645\u062f\u060c \u064a\u062a\u0643\u0627\u0645\u0644 Cosign \u0645\u0639 \u062e\u062f\u0645\u062a\u064a\u0646:<\/p>\n \u0645\u0639 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d\u060c \u064a\u0628\u062f\u0648 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0643\u0627\u0644\u062a\u0627\u0644\u064a:<\/p>\n \u064a\u064f\u0632\u064a\u0644 \u0647\u0630\u0627 \u0641\u0626\u0629 \u0643\u0627\u0645\u0644\u0629 \u0645\u0646 \u0627\u0644\u0645\u0634\u0627\u0643\u0644 \u0627\u0644\u0645\u062a\u0639\u0644\u0642\u0629 \u0628\u062a\u062f\u0648\u064a\u0631 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0648\u062a\u062e\u0632\u064a\u0646\u0647\u0627 \u0648\u0627\u062e\u062a\u0631\u0627\u0642\u0647\u0627. \u0644\u0627 \u064a\u0648\u062c\u062f \u0633\u0631 \u0637\u0648\u064a\u0644 \u0627\u0644\u0623\u0645\u062f \u064a\u062c\u0628 \u062d\u0645\u0627\u064a\u062a\u0647.<\/p>\n \u064a\u062f\u0639\u0645 Cosign \u0623\u064a\u0636\u064b\u0627 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u062a\u0642\u0644\u064a\u062f\u064a \u0628\u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d \u0644\u0644\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u062a\u064a \u0644\u0627 \u064a\u0643\u0648\u0646 \u0641\u064a\u0647\u0627 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0645\u0645\u0643\u0646\u064b\u0627 (\u0627\u0644\u0634\u0628\u0643\u0627\u062a \u0627\u0644\u0645\u0639\u0632\u0648\u0644\u0629\u060c \u0627\u0644\u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0627\u0644\u062a\u0646\u0638\u064a\u0645\u064a\u0629 \u0644\u062d\u0641\u0638 \u0645\u0641\u0627\u062a\u064a\u062d \u0645\u062d\u062f\u062f\u0629). \u062a\u064f\u0646\u0634\u0626 \u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0635\u0644\u0627\u062d\u064a\u0629 Notation<\/a> \u0647\u0648 \u0639\u0645\u064a\u0644 \u0633\u0637\u0631 \u0627\u0644\u0623\u0648\u0627\u0645\u0631 \u0644\u0645\u0648\u0627\u0635\u0641\u0629 Notary v2\u060c \u0648\u0647\u0648 \u0645\u0634\u0631\u0648\u0639 CNCF \u0645\u062f\u0639\u0648\u0645 \u0628\u0634\u0643\u0644 \u0623\u0633\u0627\u0633\u064a \u0645\u0646 Microsoft \u0648AWS. \u062d\u064a\u062b \u0635\u064f\u0645\u0645 Cosign \u062e\u0635\u064a\u0635\u064b\u0627 \u0644\u0646\u0638\u0627\u0645 Sigstore \u0627\u0644\u0628\u064a\u0626\u064a\u060c \u0635\u064f\u0645\u0645 Notation \u0644\u0644\u062a\u0643\u0627\u0645\u0644 \u0645\u0639 \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0644\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u0639\u0627\u0645\u0629 (PKI) \u0627\u0644\u0645\u0624\u0633\u0633\u064a\u0629 \u0648\u0633\u064a\u0631 \u0639\u0645\u0644 \u0634\u0647\u0627\u062f\u0627\u062a X.509 \u0627\u0644\u062d\u0627\u0644\u064a\u0629.<\/p>\n \u064a\u0633\u062a\u062e\u062f\u0645 Notation \u062a\u0648\u0642\u064a\u0639\u0627\u062a COSE (CBOR Object Signing and Encryption)<\/strong> \u0627\u0644\u0645\u064f\u062e\u0632\u0651\u0646\u0629 \u0643\u0645\u064f\u062e\u0631\u062c\u0627\u062a OCI \u0645\u0631\u0641\u0642\u0629 \u0628\u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0645\u0648\u0642\u0651\u0639\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0645\u0648\u0627\u0635\u0641\u0629 ORAS<\/a> (OCI Registry As Storage). \u0645\u062b\u0644 Cosign\u060c \u064a\u0639\u0646\u064a \u0647\u0630\u0627 \u0623\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u062a\u0639\u064a\u0634 \u0641\u064a \u0633\u062c\u0644 OCI \u0628\u062c\u0627\u0646\u0628 \u0627\u0644\u0635\u0648\u0631.<\/p>\n \u064a\u0633\u062a\u062e\u062f\u0645 Notation \u0628\u0646\u064a\u0629 \u0625\u0636\u0627\u0641\u0627\u062a \u0644\u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u062a\u0639\u0627\u0645\u0644 \u0645\u0639 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0645\u0628\u0627\u0634\u0631\u0629\u060c \u064a\u064f\u0641\u0648\u0651\u0636 \u0627\u0644\u0623\u0645\u0631 \u0625\u0644\u0649 \u0625\u0636\u0627\u0641\u0627\u062a \u062a\u062a\u0648\u0627\u0635\u0644 \u0645\u0639 \u062e\u0632\u0627\u0626\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u062e\u0627\u0631\u062c\u064a\u0629:<\/p>\n \u0646\u0645\u0648\u0630\u062c \u0627\u0644\u0625\u0636\u0627\u0641\u0627\u062a \u0647\u0630\u0627 \u0645\u0646\u0627\u0633\u0628 \u0628\u0634\u0643\u0644 \u0637\u0628\u064a\u0639\u064a \u0644\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u0627\u0644\u062a\u064a \u0644\u062f\u064a\u0647\u0627 \u0628\u0627\u0644\u0641\u0639\u0644 \u0625\u062f\u0627\u0631\u0629 \u0645\u0641\u0627\u062a\u064a\u062d \u0645\u0631\u0643\u0632\u064a\u0629 \u0648\u0628\u0646\u064a\u0629 \u062a\u062d\u062a\u064a\u0629 PKI. \u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0644\u0627 \u064a\u063a\u0627\u062f\u0631 \u0623\u0628\u062f\u064b\u0627 HSM \u0623\u0648 KMS \u0627\u0644\u0633\u062d\u0627\u0628\u064a \u2014 \u064a\u064f\u0631\u0633\u0644 Notation \u0627\u0644\u0645\u0644\u062e\u0635 \u0625\u0644\u0649 \u0627\u0644\u0625\u0636\u0627\u0641\u0629\u060c \u0648\u062a\u064f\u0639\u064a\u062f \u0627\u0644\u0625\u0636\u0627\u0641\u0629 \u0627\u0644\u062a\u0648\u0642\u064a\u0639.<\/p>\n \u064a\u0633\u062a\u062e\u062f\u0645 Notation \u0646\u0638\u0627\u0645 \u0633\u064a\u0627\u0633\u0629 \u062b\u0642\u0629<\/strong> \u0642\u0627\u0626\u0645 \u0639\u0644\u0649 JSON \u0644\u0644\u062a\u062d\u0642\u0642. \u062a\u064f\u062d\u062f\u062f \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0648\u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0648\u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u062a\u064a \u062a\u062b\u0642 \u0628\u0647\u0627 \u0648\u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a \u0623\u0648 \u0633\u0644\u0627\u0633\u0644 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a \u0627\u0644\u0645\u0635\u0631\u0651\u062d \u0644\u0647\u0627 \u0628\u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0639\u0644\u064a\u0647\u0627. \u0647\u0630\u0627 \u0623\u0645\u0631 \u0642\u0648\u064a \u0644\u0633\u064a\u0646\u0627\u0631\u064a\u0648\u0647\u0627\u062a \u0627\u0644\u062d\u0648\u0643\u0645\u0629 \u0627\u0644\u0645\u0624\u0633\u0633\u064a\u0629 \u062d\u064a\u062b \u064a\u0643\u0648\u0646 \u0644\u062f\u0649 \u0627\u0644\u0641\u0631\u0642 \u0627\u0644\u0645\u062e\u062a\u0644\u0641\u0629 \u0633\u0644\u0637\u0627\u062a \u062a\u0648\u0642\u064a\u0639 \u0645\u062e\u062a\u0644\u0641\u0629.<\/p>\n GPG (GNU Privacy Guard) \u0647\u0648 \u0627\u0644\u0645\u062e\u0636\u0631\u0645 \u0641\u064a \u0639\u0627\u0644\u0645 \u0627\u0644\u062a\u0648\u0642\u064a\u0639. \u0642\u0628\u0644 \u0648\u0642\u062a \u0637\u0648\u064a\u0644 \u0645\u0646 \u0648\u062c\u0648\u062f \u0623\u062f\u0648\u0627\u062a \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0623\u0635\u0644\u064a\u0629 \u0644\u0644\u062d\u0627\u0648\u064a\u0627\u062a\u060c \u0643\u0627\u0646 GPG \u064a\u064f\u0633\u062a\u062e\u062f\u0645 \u0644\u062a\u0648\u0642\u064a\u0639 \u0643\u0644 \u0634\u064a\u0621 \u0645\u0646 \u0627\u0644\u0628\u0631\u064a\u062f \u0627\u0644\u0625\u0644\u0643\u062a\u0631\u0648\u0646\u064a \u0625\u0644\u0649 Git commits \u0625\u0644\u0649 \u062d\u0632\u0645 Linux. \u0644\u0627 \u062a\u0632\u0627\u0644 \u0628\u0639\u0636 \u0627\u0644\u0641\u0631\u0642 \u062a\u0633\u062a\u062e\u062f\u0645 GPG \u0644\u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a\u060c \u062e\u0627\u0635\u0629 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0623\u062f\u0648\u0627\u062a \u0645\u062b\u0644 Docker Content Trust (DCT) \u0623\u0648 \u0639\u0646 \u0637\u0631\u064a\u0642 \u062a\u0648\u0642\u064a\u0639 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0635\u0648\u0631 \u062e\u0627\u0631\u062c \u0627\u0644\u0646\u0637\u0627\u0642.<\/p>\n \u064a\u062a\u0628\u0639 \u062a\u0648\u0642\u064a\u0639 \u062d\u0627\u0648\u064a\u0627\u062a GPG \u0639\u0627\u062f\u0629\u064b \u0623\u062d\u062f \u0646\u0645\u0637\u064a\u0646:<\/p>\n \u064a\u0633\u062a\u062e\u062f\u0645 Docker Content Trust (DCT) \u0623\u0633\u0644\u0648\u0628\u064b\u0627 \u0645\u0631\u062a\u0628\u0637\u064b\u0627 \u0648\u0644\u0643\u0646 \u0645\u0645\u064a\u0632\u064b\u0627 \u064a\u0639\u062a\u0645\u062f \u0639\u0644\u0649 The Update Framework (TUF)\u060c \u0645\u0639 Notary v1 \u0643\u0648\u0627\u062c\u0647\u0629 \u062e\u0644\u0641\u064a\u0629. \u0628\u064a\u0646\u0645\u0627 \u064a\u0633\u062a\u062e\u062f\u0645 DCT \u0628\u062f\u0627\u0626\u064a\u0627\u062a \u062a\u0634\u0641\u064a\u0631\u064a\u0629 \u0645\u062e\u062a\u0644\u0641\u0629 \u0639\u0646 GPG \u0627\u0644\u062e\u0627\u0645\u060c \u0641\u0625\u0646\u0647 \u064a\u0634\u062a\u0631\u0643 \u0641\u064a \u0646\u0641\u0633 \u0627\u0644\u062a\u062d\u062f\u064a \u0627\u0644\u0623\u0633\u0627\u0633\u064a: \u0625\u062f\u0627\u0631\u0629 \u0645\u0641\u0627\u062a\u064a\u062d \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0623\u0645\u062f.<\/p>\n \u0623\u0643\u0628\u0631 \u0646\u0642\u0637\u0629 \u0636\u0639\u0641 \u0641\u064a GPG \u0641\u064a \u0633\u064a\u0627\u0642 CI\/CD \u0647\u064a \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d:<\/p>\n \u0644\u0627\u062d\u0638 \u0643\u064a\u0641 \u064a\u062c\u0628 \u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062e\u0627\u0635 \u0643\u0633\u0631 CI\/CD \u0648\u062d\u0642\u0646\u0647 \u0641\u064a \u0648\u0642\u062a \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u2014 \u0648\u0647\u0630\u0627 \u0628\u0627\u0644\u0636\u0628\u0637 \u0646\u0648\u0639 \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0623\u0645\u062f \u0627\u0644\u0630\u064a \u0635\u064f\u0645\u0645 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0644\u0644\u062a\u062e\u0644\u0635 \u0645\u0646\u0647.<\/p>\nCosign \u0648\u0646\u0638\u0627\u0645 Sigstore \u0627\u0644\u0628\u064a\u0626\u064a<\/h2>\n
\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629<\/h3>\n
\u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0645\u0639 Fulcio \u0648Rekor<\/h3>\n
\n
\n
\u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0642\u0627\u0626\u0645 \u0639\u0644\u0649 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d<\/h3>\n
cosign generate-key-pair<\/code> \u0648\u062a\u0648\u0642\u0651\u0639 \u0628\u0640 cosign sign --key cosign.key<\/code>.<\/p>\n\u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u0627\u0644\u062a\u0643\u0627\u0645\u0644 \u0645\u0639 CI\/CD: GitHub Actions<\/h3>\n
# .github\/workflows\/sign.yml\njobs:\n sign:\n runs-on: ubuntu-latest\n permissions:\n id-token: write # Required for keyless signing\n packages: write # Required to push signatures to GHCR\n steps:\n - uses: sigstore\/cosign-installer@v3\n\n - name: Sign the container image (keyless)\n env:\n COSIGN_EXPERIMENTAL: 1\n run: |\n cosign sign --yes ghcr.io\/myorg\/myapp@sha256:abc123...\n\n - name: Verify the signature\n run: |\n cosign verify \\\n --certificate-oidc-issuer https:\/\/token.actions.githubusercontent.com \\\n --certificate-identity-regexp https:\/\/github.com\/myorg\/myapp\/.github\/workflows\/* \\\n ghcr.io\/myorg\/myapp@sha256:abc123...\n<\/code><\/pre>\nid-token: write<\/code> \u0647\u064a \u0627\u0644\u0639\u0646\u0635\u0631 \u0627\u0644\u062d\u0627\u0633\u0645 \u2014 \u0641\u0647\u064a \u062a\u0633\u0645\u062d \u0644\u0640 GitHub Actions \u0628\u0625\u0635\u062f\u0627\u0631 \u0631\u0645\u0632 OIDC \u0627\u0644\u0630\u064a \u064a\u0633\u062a\u062e\u062f\u0645\u0647 Fulcio \u0644\u0625\u0635\u062f\u0627\u0631 \u0634\u0647\u0627\u062f\u0629 \u0627\u0644\u062a\u0648\u0642\u064a\u0639. \u0644\u0627 \u0623\u0633\u0631\u0627\u0631 \u0644\u0644\u062a\u0647\u064a\u0626\u0629\u060c \u0648\u0644\u0627 \u0645\u0641\u0627\u062a\u064a\u062d \u0644\u0644\u062a\u062e\u0632\u064a\u0646. \u0644\u0644\u0627\u0637\u0644\u0627\u0639 \u0639\u0644\u0649 \u0634\u0631\u062d \u0639\u0645\u0644\u064a \u062a\u0641\u0635\u064a\u0644\u064a\u060c \u0631\u0627\u062c\u0639 \u0645\u062e\u062a\u0628\u0631 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Cosign<\/a>.<\/p>\n\u0646\u0642\u0627\u0637 \u0627\u0644\u0642\u0648\u0629<\/h3>\n
\n
\u0627\u0644\u0642\u064a\u0648\u062f<\/h3>\n
\n
Notation \u0648Notary v2<\/h2>\n
\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629<\/h3>\n
\u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0639\u0628\u0631 \u0627\u0644\u0625\u0636\u0627\u0641\u0627\u062a<\/h3>\n
\n
\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u062b\u0642\u0629 \u0648\u0645\u062e\u0627\u0632\u0646 \u0627\u0644\u062b\u0642\u0629<\/h3>\n
\/\/ trustpolicy.json\n{\n \"version\": \"1.0\",\n \"trustPolicies\": [\n {\n \"name\": \"production-images\",\n \"registryScopes\": [\"registry.example.com\/prod\/*\"],\n \"signatureVerification\": {\n \"level\": \"strict\"\n },\n \"trustStores\": [\"ca:production-ca\"],\n \"trustedIdentities\": [\"x509.subject: CN=prod-signer, O=MyOrg\"]\n }\n ]\n}\n<\/code><\/pre>\n\u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u0627\u0644\u062a\u0643\u0627\u0645\u0644 \u0645\u0639 CI\/CD: GitHub Actions \u0645\u0639 AWS Signer<\/h3>\n
# .github\/workflows\/notation-sign.yml\njobs:\n sign:\n runs-on: ubuntu-latest\n permissions:\n id-token: write # For AWS OIDC federation\n steps:\n - name: Configure AWS credentials\n uses: aws-actions\/configure-aws-credentials@v4\n with:\n role-to-assume: arn:aws:iam::123456789012:role\/signer-role\n aws-region: us-east-1\n\n - name: Setup Notation\n uses: notaryproject\/notation-action\/setup@v1\n\n - name: Install AWS Signer plugin\n run: |\n notation plugin install \\\n --url https:\/\/d2hvyiie56hcat.cloudfront.net\/linux\/amd64\/plugin\/latest\/notation-aws-signer-plugin.zip\n\n - name: Sign the container image\n run: |\n notation sign \\\n --plugin com.amazonaws.signer.notation.plugin \\\n --id arn:aws:signer:us-east-1:123456789012:\/signing-profiles\/MyProfile \\\n registry.example.com\/myapp@sha256:abc123...\n<\/code><\/pre>\n\u0646\u0642\u0627\u0637 \u0627\u0644\u0642\u0648\u0629<\/h3>\n
\n
\u0627\u0644\u0642\u064a\u0648\u062f<\/h3>\n
\n
GPG: \u0627\u0644\u0623\u0633\u0644\u0648\u0628 \u0627\u0644\u062a\u0642\u0644\u064a\u062f\u064a<\/h2>\n
\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629<\/h3>\n
\u0643\u064a\u0641 \u064a\u0639\u0645\u0644 \u062a\u0648\u0642\u064a\u0639 GPG \u0644\u0644\u062d\u0627\u0648\u064a\u0627\u062a<\/h3>\n
\n
gpg --detach-sign<\/code>\u060c \u0648\u062a\u062e\u0632\u064a\u0646 \u0645\u0644\u0641 .sig<\/code> \u0628\u062c\u0627\u0646\u0628 \u0627\u0644\u0635\u0648\u0631\u0629 (\u0641\u064a \u0645\u062e\u0632\u0646 \u0645\u064f\u062e\u0631\u062c\u0627\u062a \u0645\u0646\u0641\u0635\u0644\u060c \u0623\u0648 S3 bucket\u060c \u0623\u0648 \u0645\u0633\u062a\u0648\u062f\u0639 Git).<\/li>\n\/etc\/containers\/policy.json<\/code>).<\/li>\n<\/ul>\n\u062a\u062d\u062f\u064a\u0627\u062a \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d<\/h3>\n
\n
\u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u0627\u0644\u062a\u0643\u0627\u0645\u0644 \u0645\u0639 CI\/CD: GitLab CI \u0645\u0639 GPG<\/h3>\n
# .gitlab-ci.yml\nsign-image:\n stage: sign\n image: alpine:latest\n before_script:\n - apk add --no-cache gnupg skopeo\n - echo \"$GPG_PRIVATE_KEY\" | gpg --batch --import\n script:\n - skopeo copy \\\n --sign-by signing-key@myorg.com \\\n docker:\/\/registry.example.com\/myapp:${CI_COMMIT_SHORT_SHA} \\\n docker:\/\/registry.example.com\/myapp:${CI_COMMIT_SHORT_SHA}\n variables:\n GPG_PRIVATE_KEY: $GPG_SIGNING_KEY # Stored in CI\/CD variables\n<\/code><\/pre>\n\u0646\u0642\u0627\u0637 \u0627\u0644\u0642\u0648\u0629<\/h3>\n
\n
\u0627\u0644\u0642\u064a\u0648\u062f<\/h3>\n
\n
\u0645\u0642\u0627\u0631\u0646\u0629 \u062c\u0646\u0628\u064b\u0627 \u0625\u0644\u0649 \u062c\u0646\u0628<\/h2>\n