Signing & SBOM
Every Catalyst artifact ships with a cryptographic signature, an SBOM and SLSA provenance — no extra setup.
Enable signing
artifacts:
  - id: web
    type: oci-image
    sign: cosign        # keyless OIDC by default
    sbom: true          # generates an SPDX SBOM
    provenance: slsa-v1

Verify a signature
# cosign 2.x refuses keyless verification unless the expected OIDC issuer is also pinned;
# replace the placeholder with the issuer your CI identity is minted by.
# Note that --certificate-identity-regexp is not anchored: 'catalyst.dev' also matches any
# longer identity that merely contains that substring, so prefer a full, anchored pattern.
cosign verify registry.catalyst.dev/web:2.4.1 \
  --certificate-identity-regexp 'catalyst.dev' \
  --certificate-oidc-issuer '<OIDC issuer of the signing identity>'
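Because cosign's identity regexp is a substring match, a post-verification policy check is a cheap second gate. The following is an added example (not Catalyst's or cosign's own code) that reads the JSON a successful `cosign verify --output json` prints and enforces an anchored identity, an issuer allowlist and the expected digest. The GitHub Actions workflow identity, issuer and digest are constructed values, assumed for illustration.

```python
import json
import re

# Constructed sample of `cosign verify --output json` for one keyless signature.
# Field names follow cosign's output format; the identity values are invented.
EXPECTED_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "registry.catalyst.dev/web"},
        "image": {"docker-manifest-digest": EXPECTED_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": "https://token.actions.githubusercontent.com",
        "Subject": "https://github.com/catalyst-dev/web/.github/workflows/release.yml"
                   "@refs/tags/v2.4.1",
    },
}])

# Anchored policy (assumed release workflow): the whole subject must match,
# not merely contain the string 'catalyst.dev'.
ANCHORED_SUBJECT = re.compile(
    r"^https://github\.com/catalyst-dev/web/\.github/workflows/release\.yml"
    r"@refs/tags/v\d+\.\d+\.\d+$"
)
ALLOWED_ISSUERS = {"https://token.actions.githubusercontent.com"}


def check_verify_output(output: str, expected_digest: str) -> list:
    """Return policy violations found in cosign's JSON output; empty list means pass."""
    problems = []
    for i, sig in enumerate(json.loads(output)):
        opt = sig.get("optional") or {}
        digest = sig["critical"]["image"]["docker-manifest-digest"]
        if digest != expected_digest:
            problems.append(f"sig {i}: digest {digest} != expected {expected_digest}")
        if opt.get("Issuer") not in ALLOWED_ISSUERS:
            problems.append(f"sig {i}: issuer {opt.get('Issuer')!r} not allowed")
        subject = opt.get("Subject", "")
        if not ANCHORED_SUBJECT.match(subject):
            problems.append(f"sig {i}: subject {subject!r} fails anchored policy")
    return problems


def loose_regexp_accepts(subject: str) -> bool:
    """Mirror of the page's unanchored pattern: true whenever the substring is present."""
    return re.search("catalyst.dev", subject) is not None
```

Run the policy after `cosign verify` succeeds; a non-empty list should fail the pipeline step even though the signature itself validated.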