Company:
Date Published:
Author: Bowen Chen
Word count: 2515
Language: English
Hacker News points: None

Summary

Version control systems, continuous integration (CI), container services, and similar tooling let developers ship code more quickly and efficiently. As organizations expand their build and packaging ecosystems, however, they also multiply the entry points through which malicious code can be injected and eventually reach production. To mitigate this risk, organizations deploy various controls around their cloud registries, network perimeter, and Kubernetes control plane.

One such control is cryptographic provenance for container images through signing and runtime verification. As each image is built in CI, a signature is generated over it with a public-key signing algorithm; downstream, the signature is verified to confirm that the image has not been tampered with and is identical to the one originally built. Image signing therefore helps defend against supply chain attacks by guaranteeing the integrity of container images as they move through the software supply chain.

Before adopting image signing, an organization should weigh several considerations: whether it is worth the effort for the organization, which signature format to use, how to integrate signing into existing CI configurations, and whether an existing container runtime solution natively supports signing and verification.
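The sign-in-CI, verify-downstream flow described in the summary, as an added Go example (not code from the original post). It assumes Ed25519 as the public-key algorithm, a constructed JSON stand-in for an OCI image manifest, and that the verifier already holds the pipeline's trusted public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ImageSignature binds a signature to the image digest it covers.
// The digest, not the raw image bytes, is what gets signed: it is the
// immutable identifier registries use for an image.
type ImageSignature struct {
	Digest    string // "sha256:<hex>" of the image manifest
	Signature []byte
}

// Digest computes the content-addressable identifier of an image manifest.
func Digest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignImage is the CI-side step: after the build completes, the pipeline
// signs the image digest with its private key.
func SignImage(priv ed25519.PrivateKey, manifest []byte) ImageSignature {
	d := Digest(manifest)
	return ImageSignature{Digest: d, Signature: ed25519.Sign(priv, []byte(d))}
}

// VerifyImage is the downstream step (admission controller or runtime): it
// recomputes the digest of the image about to run, checks that it matches the
// digest the signature was issued for, and verifies the signature against the
// trusted public key. Any mismatch means this is not the image CI built.
func VerifyImage(pub ed25519.PublicKey, manifest []byte, sig ImageSignature) bool {
	if Digest(manifest) != sig.Digest {
		return false // image content differs from what was signed
	}
	return ed25519.Verify(pub, []byte(sig.Digest), sig.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the manifest produced by the CI build.
	built := []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:aaaa"}]}`)
	sig := SignImage(priv, built)
	fmt.Println("built image admitted:", VerifyImage(pub, built, sig))
	// A manifest altered after the build (extra layer) fails verification.
	tampered := []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:aaaa"},{"digest":"sha256:bbbb"}]}`)
	fmt.Println("tampered image admitted:", VerifyImage(pub, tampered, sig))
}
```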