Elastic Stack container images signed with Sigstore!
Blog post from Elastic
Elastic Stack has enhanced its security measures by signing its container images with Sigstore, an OpenSSF project supported by companies like Chainguard, Red Hat, and Google, to safeguard against software supply chain attacks. This new feature allows Elastic users to verify the provenance of container images using a keyless signing workflow through cosign, a component of Sigstore. Elastic began signing its container images with version 8.8.0, and these images are available across several registries, including Elastic’s own, AWS ECR, and Docker Hub, with consistent digest values for verification. Although the Docker "Official Images" are not yet signed with the Elastic key, efforts are underway to support Sigstore cosign for these images. Elastic aims to transition to keyless signing for improved security and traceability in the future.
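The summary above describes verifying image signatures with cosign and relying on the digest being identical across Elastic's registry, AWS ECR and Docker Hub. As an added example (not code from Elastic or the blog post), the script below checks two things a deployer should pin before running a pulled image: that the digest resolved from every registry mirror is the same, and that this digest is exactly the one the cosign signature attests to. The `cosign verify` JSON shape follows Sigstore's simple-signing payload format; the repository name, the digest and the JSON itself are constructed sample values, not real Elastic identifiers.

```python
"""Gate deployment of an Elastic Stack image on cosign output and cross-registry digests."""
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample (assumption): the shape `cosign verify` prints, one
# simple-signing payload per valid signature. Repository and digest are placeholders.
SAMPLE_REPO = "docker.elastic.co/elasticsearch/elasticsearch"
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": SAMPLE_REPO},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": None,
}])


def signed_digests(verify_output, expected_repo):
    """Return the manifest digests that valid signatures cover for expected_repo.

    Payloads naming another repository are ignored: a valid signature for the
    wrong image must not be accepted as proof for this one.
    """
    digests = set()
    for payload in json.loads(verify_output):
        critical = payload["critical"]
        ref = critical["identity"]["docker-reference"]
        digest = critical["image"]["docker-manifest-digest"]
        if ref == expected_repo and DIGEST_RE.match(digest):
            digests.add(digest)
    return digests


def safe_to_run(verify_output, expected_repo, pulled_digests):
    """True only when every registry mirror resolved the same digest and that
    single digest is the one the signature attests to."""
    pulled = set(pulled_digests)
    if len(pulled) != 1:  # mirrors disagree: stale mirror or tampering, refuse
        return False
    return pulled == signed_digests(verify_output, expected_repo)


if __name__ == "__main__":
    # Simulated digests from three registries (Elastic, ECR, Docker Hub) agreeing.
    mirrors = [SAMPLE_DIGEST] * 3
    print("deploy:", safe_to_run(SAMPLE_VERIFY_OUTPUT, SAMPLE_REPO, mirrors))
```

In practice `verify_output` is the stdout of `cosign verify` run with the key or identity Elastic publishes, and `pulled_digests` are the digests each registry returned for the same tag.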