**Cosign:** Signs and verifies container images and other artifacts - **Fulcio:** Certificate authority that issues short-lived certificates based on OIDC identity (e.g., Google account, GitHub identity) - **Rekor:** Transparency log that records all signing events, enabling public verification and