Signing and verifying OCI artifacts with Cosign and Zot

December 12, 2024

Tags: Cosign, artifact signing, Zot

One of the first things I wanted from my registry workflow was a way to make unsigned artifacts feel incomplete. Cosign and Zot gave me a clean path to that. After a build finishes in Woodpecker, I sign the OCI image, attach the signature material, and push everything into Zot. Verification becomes a normal release step rather than a separate security exercise someone remembers later.
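The release step described above, as an added example (not code from the post, nor from Cosign or Zot themselves): sign the image by digest so the signature pins content rather than a movable tag, let Cosign push the signature into Zot, then verify and fail closed. It assumes Zot on localhost:5000, a key pair from `cosign generate-key-pair` (cosign.key / cosign.pub), and that the build step hands over the image digest; `repo_of`, `sig_tag`, `sign_image` and `verify_image` are names chosen here.

```shell
#!/bin/sh
# Release gate for a Cosign + Zot workflow (added example, not the post's code).
# Assumptions: Zot at localhost:5000, key pair from `cosign generate-key-pair`,
# digest supplied by the build step. COSIGN_PASSWORD supplies the key passphrase in CI.
set -eu

KEY="${COSIGN_KEY:-cosign.key}"
PUB="${COSIGN_PUB:-cosign.pub}"

# Strip a trailing ":tag" or "@digest" so we always address the repository itself.
repo_of() {
  ref="${1%%@*}"                 # drop "@sha256:..." if present
  last="${ref##*/}"              # final path component, e.g. "app:1.4.0"
  case "$last" in
    *:*) printf '%s\n' "${ref%:*}" ;;   # colon in the last component is the tag
    *)   printf '%s\n' "$ref" ;;
  esac
}

# Cosign stores the signature next to the image under the tag "sha256-<hex>.sig".
# Knowing the convention lets you see in Zot whether an image is signed at all.
# Returns 1 for anything that is not a well-formed "sha256:<64 hex>" digest.
sig_tag() {
  hex="${1#sha256:}"
  [ "$hex" != "$1" ] || return 1
  printf '%s' "$hex" | grep -Eq '^[0-9a-f]{64}$' || return 1
  printf 'sha256-%s.sig\n' "$hex"
}

# Sign by digest, never by tag: a tag can be re-pointed later, the digest cannot.
# Cosign pushes the signature into the same Zot repository as part of this call.
# Air-gapped Zot: add --tlog-upload=false here and --insecure-ignore-tlog on verify.
sign_image() {                   # usage: sign_image <repo> <digest>
  cosign sign --yes --key "$KEY" "$1@$2"
}

# Fails closed: a missing or invalid signature makes the release step exit non-zero.
verify_image() {                 # usage: verify_image <repo> <digest>
  cosign verify --key "$PUB" "$1@$2" >/dev/null
}

case "${1:-}" in
  sign)   sign_image "$(repo_of "$2")" "$3" ;;
  verify) verify_image "$(repo_of "$2")" "$3" ;;
  "")     ;;                     # no arguments: only define the functions
  *)      echo "usage: $0 sign|verify <image-ref> <sha256:digest>" >&2; exit 2 ;;
esac
```

Run it as `./gate.sh sign localhost:5000/team/app:1.4.0 sha256:<digest>` after the build, and `./gate.sh verify ...` as the release step; the exit code is the gate.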

What I like about this pattern is its clarity. A developer can inspect an image, see its digest, verify its signature, and understand the provenance trail without needing a specialized platform team. That is important for smaller engineering groups and open source communities where security has to be taught in practical, repeatable steps. If the process is too abstract, it will not survive contact with real shipping pressure.

This is also the bridge between local infrastructure and community education. When I teach software supply chain concepts, artifact signing is one of the easiest places to show that modern security work is not only about detection. It is about establishing trust in the artifact itself, documenting that trust, and making verification cheap enough to happen every time.