LinuxCommandLibrary

cosign

TLDR

Sign container image (keyless)
$ cosign sign [registry/image@sha256:digest]

Sign with local key
$ cosign sign --key [cosign.key] [registry/image@sha256:digest]

Verify image signature (keyless)
$ cosign verify --certificate-identity=[email] --certificate-oidc-issuer=[issuer] [image]

Verify with public key
$ cosign verify --key [cosign.pub] [registry/image@sha256:digest]

Generate key pair
$ cosign generate-key-pair

Sign with annotation
$ cosign sign -a [key=value] [registry/image@sha256:digest]

Attach SBOM to image
$ cosign attach sbom --sbom [sbom.json] [registry/image@sha256:digest]

SYNOPSIS

cosign command [options] [arguments]

DESCRIPTION

cosign is Sigstore's tool for signing and verifying container images and software artifacts. It supports keyless signing using OIDC identity or traditional key-based signing.

PARAMETERS

--key path|uri
Key for signing/verification
--certificate path
Certificate for signing
--certificate-chain path
Certificate chain
--certificate-identity identity
Expected identity in certificate
--certificate-oidc-issuer issuer
Expected OIDC issuer
-a key=value
Add annotation to signature

COMMANDS

sign
Sign container image
verify
Verify image signature
generate-key-pair
Generate signing key pair
attach
Attach artifacts (SBOM, attestation) to image
download
Download signatures/artifacts
triangulate
Find signature location for image
copy
Copy signatures between images
clean
Remove signatures from image

KEYLESS SIGNING

Uses an OIDC identity (GitHub, Google, etc.) with short-lived signing keys, so no long-lived private key has to be stored. Signatures are recorded in the Sigstore transparency log.

KMS SUPPORT

Supports AWS KMS, GCP KMS, Azure Key Vault and HashiCorp Vault; the key is referenced by a URI passed to --key, so the private key never leaves the KMS.

CAVEATS

Always sign by digest (@sha256:...), not by tag: a tag is mutable and can later point at different content, while a digest identifies exactly the bytes that were signed. Multiple signatures can be attached to one image. Keyless signing requires network access for the OIDC flow.
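
As an added example (not part of this page or of the cosign project), a small POSIX sh guard that enforces the digest-pinning caveat above before handing a reference to cosign sign or cosign verify; ref_digest, safe_sign and safe_verify are hypothetical helper names, and the only thing they pass through to cosign is the caller's own flags.

```shell
#!/bin/sh
# Constructed example: only let cosign operate on digest-pinned references
# of the form registry/repo[:tag]@sha256:<64 hex chars>.

# ref_digest REF -> prints the digest; returns 1 if REF is not digest-pinned
ref_digest() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;   # tag-only or untagged reference
  esac
  d=${1##*@sha256:}
  case "$d" in
    *[!0-9a-f]*) return 1 ;;   # non-hex character in the digest
  esac
  [ "${#d}" -eq 64 ] || return 1   # sha256 hex digests are exactly 64 chars
  printf '%s\n' "$d"
}

# safe_sign REF [cosign sign flags...]
# Refuses to sign a mutable tag; the signature would not follow the content.
safe_sign() {
  ref=$1; shift
  ref_digest "$ref" >/dev/null || {
    echo "refusing to sign non-digest reference: $ref" >&2; return 2; }
  cosign sign "$@" "$ref"
}

# safe_verify REF [cosign verify flags...]
# Verifying a tag proves only what the tag pointed at when the check ran.
safe_verify() {
  ref=$1; shift
  ref_digest "$ref" >/dev/null || {
    echo "refusing to verify non-digest reference: $ref" >&2; return 2; }
  cosign verify "$@" "$ref"
}
```

Example call: safe_verify "ghcr.io/org/app@sha256:<digest>" --certificate-identity=me@example.com --certificate-oidc-issuer=https://token.actions.githubusercontent.com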

SEE ALSO

docker(1), podman(1), notation(1)
