Changelog/Early access

Cloudsmith now automatically generates Cosign signatures for container images, simplifying image verification

Mar 6 2025

Cloudsmith will now automatically generate a Cosign signature when you upload a container image, eliminating the need for manual key management. This simplifies image signing, making it easier to implement image verification in your workflows.

How it works:
  • When an image is added to a Cloudsmith repository, Cloudsmith automatically signs it with the repository’s ECDSA private key.
  • Consumers can verify the image by downloading the corresponding repository ECDSA public key and using it for validation.
  • If you prefer, Cloudsmith also supports uploading your own Cosign signature using cosign sign.

Why this matters: Container image signing provides a number of key security benefits, chiefly the ability of image consumers to verify the identity that signed the image, and confirmation that the image contents have not been tampered with. With this improvement, images can be verified using your repository’s public key, helping to ensure only verified images are pulled and used.

Automatic Cosign signature generation is currently in early access, so contact us if you wish to enable this feature, or check out Docker and Cosign for more information.

Other logs

01/06
New

Better software artifact distribution with Broadcasts, now in early access

Cloudsmith customers can now create branded public repositories using our new distribution feature, Broadcasts. With Broadcasts, you can set up a custom domain, creating a single trusted place for users to access your software artifacts. Your users can discover packages, containers and SDKs, and download those artifacts right from the browser or pull them down using native tools like their IDE or CI/CD build systems.

Feb 21 2025
Deprecation

Upcoming changes for users of Dart packages

To ensure that Cloudsmith continues to provide a consistent and secure experience for users of Dart packages, from February 28th 2025 Cloudsmith will only support Dart SDK version 2.15 or greater. After this date, support for older versions of the Dart SDK will be dropped.

Feb 19 2025
New

Catch new vulnerabilities in your packages and images with recurring security scans

Ensuring your packages and container images remain secure over time can be challenging, especially as new vulnerabilities surface daily and can emerge long after a package is first introduced. With Cloudsmith, you can now set up recurring security scans of your packages and images to check for new vulnerabilities and use that updated information in Cloudsmith’s policy manager to notify users or quarantine the package.

Feb 10 2025
New

Dart upstreams now support caching

For customers who use Cloudsmith for Dart packages, Cloudsmith now supports caching from upstream repositories including pub.dev, the official package repository for Dart. This simplifies handling of public Dart packages and enables key improvements such as package vulnerability scanning to enhance and better secure your package workflows. Prior t…

Jan 31 2025
New

Automatically generate SBOMs for container images

Cloudsmith now automatically generates SBOMs during package synchronization of container images. This provides a CycloneDX format SBOM accessible via the API, and significantly quickens container image re-scan times. What are SBOMs? SBOMs (or Software Bill Of Materials) serve as an inventory of components comprising a software package. Based on a…

Jan 24 2025
New

Dart package security scanning

Cloudsmith has extended our support for security scanning to include Dart packages, helping customers who use Cloudsmith for Dart packages ship safe software. Cloudsmith’s security scanning checks for Common Vulnerabilities and Exposures (CVEs). Package vulnerability scanning is a key step in securing your software delivery pipelines, and using pa…

Jan 17 2025
Keep up to date with our monthly product bulletin

By submitting this form, you agree to our privacy policy