Container adoption has surged in recent years, and with it the need to securely sign container images to protect against supply chain attacks. While signing standards and tooling have matured, the landscape can still be confusing for teams new to container image signing.

This post breaks down the major signing tools and standards, highlights the strengths and weaknesses of each, and provides best practices—especially for enterprises that require strong, hardware-backed key protection.

Signing Tools: An Evolving Landscape

Several tools and frameworks have shaped the container signing ecosystem. Each one brings trade-offs that security teams should understand.

Notary (Docker Content Trust)

The first widespread image signing tool was Notary, which was most notably used by Docker Content Trust to sign Docker and verify Docker images. Notary is based on The Update Framework (TUF), a flexible framework and specification for securing software update systems. However, Notary had a key limitation for enterprises: it lacked broad support for standard cryptographic interfaces such as PKCS#11.

While the root key could be stored in an HSM, other keys could not. This made proper enterprise key protection difficult and, for many organizations, a deal breaker.

Podman + GPG

The next popular signing tool was Podman, which makes use of GPG for signing. Podman took a different approach by using GPG for signing. While GPG’s security model is generally less robust than TUF’s, it does offer:

• Support for PKCS#11

• Mature integrations with hardware-backed cryptographic devices

For enterprises with strict key management requirements, this was a meaningful improvement—though it came at the cost of TUF’s stronger design principles.

Cosign

One of the tools currently gaining popularity very quickly is cosign. It has its own signature specification, although it looks to have plans to support TUF-based signatures in the future. For its key management, cosign supports a decent number of integrations. However, until recently the only generic way to integrate cosign with a cryptographic token was via cosign’s PIV integration, which was not useful for enterprises that wished to integrate with their own cryptographic devices or services. Luckily, that has all changed. With the new PKCS#11 integration that Garantir contributed to cosign, enterprises (and individuals) are able to integrate cosign with any cryptographic device or service.

Notation (Notary v2)

Another tool on the horizon is Notary’s successor, Notation (formerly known as nv2). Notation has its own signature format, but not much defined in terms of key management, and it looks as though only software-based keys are currently supported. 

We are hopeful that future releases of Notation will support a standard cryptographic interface such as PKCS#11 and look forward to working with the community to make that happen.

Signature Verification 

Signatures are only useful if they are verified. For container signing this is achieved in a couple different ways. 

Docker

For Docker, signature verification is disabled by default but can be enabled by setting an environment variable. 

Kubernetes

For Kubernetes, signature verification is often performed by an admission controller. Luckily, the work of writing an admission controller that does signature verification has already been done by the community. 

Two options are Connaisseur and Cosigned. Connaisseur supports Notary v1 and cosign signatures (with plans to support Notary v2 signatures in the future) while Cosigned focuses solely on cosign signatures.

The Importance of Key Management

Even the strongest signing frameworks offer limited value if the signing keys themselves are not protected.

For organizations producing widely used software—or targeting high-value users—compromised signing keys can be catastrophic, enabling attackers to:

• Publish malicious images

• Impersonate trusted maintainers

• Inject backdoors into production deployments

To avoid this, signing keys must be:

• Behind a hardware security module (HSM) or enterprise KMS

• Non-exportable

• Accessed only through secure, proxied signing workflows

This is why we’re proud to have contributed cosign’s PKCS#11 support—giving enterprises a highly secure, standards-based way to store and use their signing keys.

While enterprises can use it to integrate with any PKCS#11-compatible device or service, we recommend that users consider integrating it with GaraTrust, our secure signing platform.

Strengthen Your Container Signing Strategy

If you’d like to learn more about secure container signing, PKCS#11, or how to integrate your signing keys with GaraTrust, the Garantir team is here to help.

Get in touch with the Garantir team.