Changelog
You can verify the signatures of both the checksums.txt file and the published docker images using cosign.
sha256sum -c goldilocks_v4.13.0_checksums.txt --ignore-missing
cosign verify-blob goldilocks_v4.13.0_checksums.txt --signature=goldilocks_v4.13.0_checksums.txt.sig --key https://artifacts.fairwinds.com/cosign.pub
cosign verify us-docker.pkg.dev/fairwinds-ops/oss/goldilocks:v4 --key https://artifacts.fairwinds.com/cosign.pub