Key aspects of implementing supply chain security through cryptographic signatures in container images include transitioning from shared secrets to unique identities for each environment tier. Initially, teams used a single secret across all tiers, which posed significant risks if compromised. The solution involves creating distinct signing service connections per environment (development, UAT, production) and configuring Kyverno policies to enforce strict admission controls based on these cryptographic claims.
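The per-tier admission control described above, written out as a Kyverno policy. This is an added example, not a policy from the article: it assumes the images live under `registry.example.com/platform-services/`, that the tiers map to the namespaces `development` and `production`, that the development tier signs with a service connection named `dev-signing-connection` (only the production connection name appears in the article), and it uses `<azure-devops-org-id>` as a placeholder for the GUID in the Azure DevOps OIDC issuer URL.

```yaml
# Added example (not from the article): one Kyverno ClusterPolicy that binds each
# environment tier to its own Sigstore keyless identity. Assumptions: image path
# registry.example.com/platform-services/*, namespaces "development" and
# "production", a hypothetical dev-signing-connection, and <azure-devops-org-id>
# as a placeholder for the GUID in the Azure DevOps issuer URL.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures-per-tier
spec:
  validationFailureAction: Enforce   # reject, rather than merely audit, images that fail verification
  background: false                  # admission-time check only; do not re-scan existing resources
  webhookTimeoutSeconds: 30
  rules:
    # Development namespace: the certificate subject must be the dev service connection.
    - name: dev-tier-signed-by-dev-connection
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: [development]
      verifyImages:
        - imageReferences:
            - "registry.example.com/platform-services/*"
          required: true             # an image under this path with no matching signature is rejected
          mutateDigest: true         # replace the tag with the verified digest in the admitted Pod
          attestors:
            - count: 1
              entries:
                - keyless:
                    issuer: "https://vstoken.dev.azure.com/<azure-devops-org-id>"
                    subject: "sc://my-organization/platform-services/dev-signing-connection"
                    rekor:
                      url: "https://rekor.sigstore.dev"   # signature must also have a transparency-log entry
    # Production namespace: same issuer, but the subject must be the prod connection.
    # An image that carries only the dev connection's signature fails admission here.
    - name: prod-tier-signed-by-prod-connection
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: [production]
      verifyImages:
        - imageReferences:
            - "registry.example.com/platform-services/*"
          required: true
          mutateDigest: true
          attestors:
            - count: 1
              entries:
                - keyless:
                    issuer: "https://vstoken.dev.azure.com/<azure-devops-org-id>"
                    subject: "sc://my-organization/platform-services/prod-signing-connection"
                    rekor:
                      url: "https://rekor.sigstore.dev"
```

Both `issuer` and `subject` are exact-match comparisons against the Fulcio certificate's extensions, which is what makes the tier separation hold: every tier shares the same Azure DevOps issuer, so the service-connection subject is the claim that actually distinguishes a production signature from a development one. The `issuer` and `subject` values here are the same pair a `cosign verify` invocation pins with `--certificate-oidc-issuer` and `--certificate-identity`.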
A critical step is ensuring that the OIDC token issued by Azure DevOps remains valid throughout the pipeline execution. This was addressed by moving the signing process into a dedicated job immediately after pushing the image, guaranteeing a fresh token for each signature operation. This structural change ensures that Fulcio validates the token within its freshness window.
Verification of cryptographic claims is crucial and can be performed via command-line tools like cosign. The output confirms that the image was signed by the correct service connection in the specified environment tier. For instance, verifying a production-signed image would show:
```shell
$ cosign verify \
  --certificate-oidc-issuer "https://vstoken.dev.azure.com/a1b2c3d4-..." \
  --certificate-identity "sc://my-organization/platform-services/prod-signing-connection" \
  --rekor
```
[Read the full article at System Weakness - Medium](https://systemweakness.com/platform-security-series-part-3-4718903db33d?source=rss----f20a9840e177---4)