LinuxCommandLibrary

cosign

Sign and verify container images

TLDR

Generate a key-pair

$ cosign generate-key-pair

Sign a container and store the signature in the registry
$ cosign sign --key [cosign.key] [image]

Sign a container image with a key pair stored in a Kubernetes secret
$ cosign sign --key k8s://[namespace]/[key] [image]

Sign a blob with a local key pair file
$ cosign sign-blob --key [cosign.key] [path/to/file]

Verify a container against a public key
$ cosign verify --key [cosign.pub] [image]

Verify images with a public key in a Dockerfile
$ cosign dockerfile verify --key [cosign.pub] [path/to/Dockerfile]

Verify an image with a public key stored in a Kubernetes secret
$ cosign verify --key k8s://[namespace]/[key] [image]

Copy a container image and its signatures
$ cosign copy [example.com/src:latest] [example.com/dest:latest]

SYNOPSIS

cosign [subcommand] [flags]

Most of the flags listed below belong to individual subcommands (sign, attest, verify, verify-attestation) rather than to cosign itself; run cosign [subcommand] --help for the full set.

PARAMETERS

--certificate string
    Path to the certificate file to use for signing.

--certificate-chain string
    Path to the certificate chain file to use when signing with a certificate.

--key string
    Path to the private key file to use for signing.

--output string
    Output format for verification results (json or text); json is what you want when the output is consumed by a policy check.

--predicate string
    Path to the predicate file to use when signing an attestation with the attest subcommand; the predicate's schema is selected with --type.

--rekor-url string
    URL of the Rekor instance to use for transparency log integration.

--rfc3161-timestamp-server string
    RFC3161 timestamp server endpoint to use.

--yes
    Answer yes to all prompts.

attach
    Subcommand to attach an existing signature, SBOM, or attestation to an image in the registry.

attest
    Subcommand to sign an attestation (an in-toto statement about the image) and store it in the registry.

sign
    Subcommand to sign images.

verify
    Subcommand to verify signatures.

generate-key-pair
    Subcommand to generate a new key pair for signing.

public-key
    Subcommand to print the public key corresponding to a private key file or key reference (for example k8s://namespace/name or a KMS URI).

DESCRIPTION

Cosign is a command-line tool from the Sigstore project for signing and verifying container images and other artifacts. It can sign container images, blobs, and attestations with a local key pair, a key held in a cloud KMS or Kubernetes secret, or a short-lived keyless certificate, and it stores image signatures in the same OCI registry as the image, so no separate signature store is needed. Signing events can also be recorded in the Rekor transparency log, which makes them publicly auditable and lets a verifier confirm that a signature existed at a given point in time.

For keyless signing it replaces long-lived private keys with short-lived certificates issued by the Sigstore certificate authority (Fulcio) against an OIDC identity, such as a GitHub Actions workflow or a user's Google account, so CI pipelines can sign without provisioning, distributing, or rotating key material. Verifiers then admit an image only if it carries a valid signature from an expected identity, which is what lets a deployment pipeline refuse images that were not built and signed by a trusted source.

CAVEATS

Signing and verifying images requires network access to the registry that holds the image, because signatures are stored alongside it. Signing also uploads to the Rekor transparency log by default, and verification checks for the log entry, so Rekor must be reachable unless you opt out explicitly (--tlog-upload=false when signing, --insecure-ignore-tlog when verifying); opting out removes the timestamp and auditability guarantees the log provides.
Keyless signing relies on OIDC providers; a misconfigured provider or an unavailable token leads to signing failures. Keyless verification must pin the expected signer with --certificate-identity (or --certificate-identity-regexp) and --certificate-oidc-issuer: a signature under any valid Fulcio certificate proves only that someone with some OIDC identity signed, not that your pipeline did.
Sign and verify by digest rather than by tag. Tags are mutable, so a signed tag can later be re-pointed at an image that was never signed.

KEYLESS SIGNING

Cosign's keyless signing feature lets you sign artifacts without managing long-lived private keys. The client obtains a short-lived OIDC token from an identity provider such as Google, GitHub, or GitLab, generates an ephemeral key pair, and asks the Sigstore Fulcio CA for a certificate binding the ephemeral public key to that identity. The artifact is signed with the ephemeral key, the signature and certificate are recorded in the Rekor transparency log, and the key is then discarded. A verifier checks the signature against the certificate, the certificate against the Fulcio root, the identity and issuer inside the certificate against the values it expects, and the Rekor entry to establish that the signature was made while the short-lived certificate was still valid. The log is tamper-evident rather than tamper-proof: entries cannot be altered without detection, which is what makes the signing record trustworthy after the certificate has expired.
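The following script is an added example, not code from the cosign project or this page. It turns the sign-and-verify workflow from the DESCRIPTION and the keyless flow above into shell functions, and it enforces two of the caveats in code: references must be pinned by digest, and keyless verification must pin the signer's identity and issuer. It assumes cosign 2.x on PATH, push access to the registry, a browser or ambient CI OIDC login for the keyless path, and the GitHub Actions identity and issuer values shown are placeholders you must replace with your own. The digest helpers run offline; the functions that call cosign only run when COSIGN_DEMO_RUN=1 and IMAGE are set.

```shell
#!/bin/sh
# Added example (not part of cosign): key-based and keyless sign/verify by
# digest, with the verifier pinned to an expected identity.
# Assumptions: cosign 2.x installed, registry push access, OIDC login for
# the keyless path. Identity/issuer values below are placeholders.
set -eu

# Tags are mutable, so refuse anything that is not pinned by a sha256 digest.
require_digest_ref() {
  printf '%s\n' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$'
}

# Where cosign stores the signature: the same repository, tagged
# sha256-<digest hex>.sig ("cosign triangulate IMAGE" prints the same).
signature_tag() {
  ref=$1
  require_digest_ref "$ref"
  repo=${ref%%@*}
  digest=${ref##*@sha256:}
  printf '%s:sha256-%s.sig\n' "$repo" "$digest"
}

# Key-based signing. COSIGN_PASSWORD skips the passphrase prompt.
# --tlog-upload=false keeps the signature out of Rekor (private or
# air-gapped builds); drop it to get the public transparency-log record.
sign_with_key() {
  require_digest_ref "$1"
  cosign sign --yes --key cosign.key --tlog-upload=false "$1"
}

# Verification with the public key. The signature above was not logged, so
# --insecure-ignore-tlog is needed; a logged signature must be verified
# WITHOUT that flag so Rekor inclusion is checked as well.
verify_with_key() {
  require_digest_ref "$1"
  cosign verify --key cosign.pub --insecure-ignore-tlog -o json "$1"
}

# Keyless: Fulcio issues a short-lived certificate for the OIDC identity and
# the signature plus certificate are uploaded to Rekor.
sign_keyless() {
  require_digest_ref "$1"
  cosign sign --yes "$1"
}

# Keyless verification pins who may sign. cosign 2.x refuses to verify
# without these flags; in 1.x they were optional and omitting them accepted
# any Fulcio-issued identity.
verify_keyless() {
  ref=$1 identity=$2 issuer=$3
  require_digest_ref "$ref"
  cosign verify \
    --certificate-identity "$identity" \
    --certificate-oidc-issuer "$issuer" \
    -o json "$ref"
}

if [ "${COSIGN_DEMO_RUN:-0}" = 1 ]; then
  IMAGE=${IMAGE:?set IMAGE to a reference pinned by digest}
  COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" cosign generate-key-pair
  sign_with_key "$IMAGE"
  verify_with_key "$IMAGE"
  sign_keyless "$IMAGE"
  # Placeholder identity/issuer for a GitHub Actions release workflow.
  verify_keyless "$IMAGE" \
    "https://github.com/acme/app/.github/workflows/release.yml@refs/heads/main" \
    "https://token.actions.githubusercontent.com"
fi
```

Run it as COSIGN_DEMO_RUN=1 IMAGE=registry.example/app@sha256:... sh ./cosign-demo.sh. The identity string for GitHub Actions is the workflow file URL plus the ref that ran it; use --certificate-identity-regexp instead when several workflows or branches are allowed to sign.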

ATTESTATION

Cosign supports signing attestations: in-toto statements whose subject is the artifact's digest and whose predicate carries structured metadata such as build provenance (SLSA), vulnerability scan results, an SBOM, or other compliance data. Attestations are created with cosign attest, stored in the registry next to the image as signed DSSE envelopes, and checked with cosign verify-attestation, which validates the signature, the subject digest, and the predicate type but leaves evaluating the predicate's contents to a policy engine or to your own checks. The --type given at verification must match the one used at signing, otherwise the attestation is not found.
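The script below is an added example, not code from the cosign project or this page. It attaches a custom attestation to an image with the key pair from generate-key-pair, verifies it, and shows the step the paragraph above says cosign leaves to you: decoding the DSSE envelope that verify-attestation prints and reading the statement's predicateType and predicate. The predicate file contents, the embedded sample envelope, and the image reference are constructed for this example; the envelope's signature field is a placeholder and is only used to exercise the decoding helpers offline. It assumes cosign 2.x and an image pinned by digest, and calls cosign only when COSIGN_DEMO_RUN=1 and IMAGE are set.

```shell
#!/bin/sh
# Added example (not part of cosign): create, verify and inspect a custom
# attestation. Assumes cosign 2.x, cosign.key/cosign.pub in the working
# directory, and IMAGE pinned by digest. Predicate and envelope are
# constructed sample data, not real scanner or registry output.
set -eu

# Constructed predicate. With --type custom, cosign accepts any JSON here
# and records it under the predicateType
# https://cosign.sigstore.dev/attestation/v1.
write_predicate() {
  cat > "$1" <<'EOF'
{"scanner": "example-scanner", "critical": 0, "high": 2}
EOF
}

# Sign the predicate as an in-toto statement whose subject is the image
# digest, and store the DSSE envelope in the registry next to the image.
attest_image() {
  cosign attest --yes --key cosign.key --type custom --predicate "$2" "$1"
}

# Verifies signature, subject digest and predicate type, then prints the
# envelope(s) as JSON, one per line, with the statement base64-encoded in
# "payload". The predicate contents are NOT evaluated by cosign.
verify_attestation() {
  cosign verify-attestation --key cosign.pub --type custom "$1"
}

# Extract the base64 payload from one envelope line and decode the statement.
decode_envelope() {
  sed -n 's/.*"payload":"\([^"]*\)".*/\1/p' | base64 -d
}

# Read the predicateType out of a decoded statement fed on stdin.
predicate_type_of() {
  decode_envelope | sed -n 's/.*"predicateType":"\([^"]*\)".*/\1/p'
}

# Constructed envelope used to exercise the helpers offline. The "sig"
# value is a placeholder, not a valid signature.
sample_envelope() {
  stmt='{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://cosign.sigstore.dev/attestation/v1","subject":[{"name":"ghcr.io/acme/app","digest":{"sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}],"predicate":{"Data":"{\"scanner\":\"example-scanner\",\"critical\":0,\"high\":2}","Timestamp":"2024-01-01T00:00:00Z"}}'
  b64=$(printf '%s' "$stmt" | base64 | tr -d '\n')
  printf '{"payloadType":"application/vnd.in-toto+json","payload":"%s","signatures":[{"keyid":"","sig":"PLACEHOLDER"}]}\n' "$b64"
}

if [ "${COSIGN_DEMO_RUN:-0}" = 1 ]; then
  IMAGE=${IMAGE:?set IMAGE to a reference pinned by digest}
  write_predicate scan.json
  attest_image "$IMAGE" scan.json
  # Decode every returned envelope and show the statement that was signed.
  verify_attestation "$IMAGE" | while IFS= read -r line; do
    printf '%s\n' "$line" | decode_envelope
    echo
  done
else
  # Offline demonstration on the constructed envelope.
  sample_envelope | decode_envelope
  echo
fi
```

The decoded statement is what a policy should reason about: check that subject[].digest matches the image you are about to run and that predicateType is the one you expect before trusting anything inside predicate. The sed-based extraction is enough for the single-line envelopes cosign emits; use jq when it is available.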

HISTORY

Cosign was developed by Google and community contributors as part of the Sigstore project, which aims to improve software supply chain security by making it easy to sign and verify container images and other artifacts.
Early releases centred on plain key-pair signing with signatures stored in the registry; keyless signing backed by Fulcio and Rekor was added later and became the default workflow in cosign 2.0.
Cosign has since grown support for KMS-backed and Kubernetes-secret keys, attestations, SBOM attachment, and transparency-log integration.

SEE ALSO

docker(1), podman(1), skopeo(1)
