cosign

Generate a key-pair

$ cosign generate-key-pair

$ cosign sign -key [cosign.key] [image]

$ cosign sign -key k8s://[namespace]/[key] [image]

$ cosign sign-blob --key [cosign.key] [path/to/file]

$ cosign verify -key [cosign.pub] [image]

$ cosign dockerfile verify -key [cosign.pub] [path/to/Dockerfile]

$ cosign verify -key k8s://[namespace]/[key] [image]

$ cosign copy [example.com/src:latest] [example.com/dest:latest]

cosign [flags] [subcommand]

--certificate string
    Path to the certificate file to use for signing.

--certificate-chain string
    Path to the certificate chain file to use when signing with a certificate.

--key string
    Path to the private key file to use for signing.

--output string
    Output format for the signature (default "text").

--predicate string
    Path to the predicate file to use when signing with a attestation.

--rekor-url string
    URL of the Rekor instance to use for transparency log integration.

--rfc3161-timestamp-server string
    RFC3161 timestamp server endpoint to use.

--yes
    Answer yes to all prompts.

attach
    Subcommand to attach signatures or attestation to images.

attest
    Subcommand to sign with a attestation.

sign
    Subcommand to sign images.

verify
    Subcommand to verify signatures.

generate-key-pair
    Subcommand to generate a new key pair for signing.

public-key
    Subcommand to extract the public key from a key pair.

Cosign is a command-line tool for signing and verifying container images using keyless signing, software supply chain security, and transparency. It allows users to digitally sign container images, blobs, and other artifacts and store those signatures in a registry or other supported backend. Cosign leverages public key infrastructure (PKI) and transparency logs, like Rekor, to ensure the integrity and authenticity of signed artifacts.

It simplifies the process of attaching signatures and metadata to container images without requiring complex key management. Instead, Cosign often uses OIDC (OpenID Connect) tokens and cloud provider identities for authentication, enabling seamless integration with existing workflows and cloud environments. This helps in securing the software supply chain by ensuring only trusted and verified images are deployed.

Cosign requires access to a container registry and network connectivity to Rekor or other transparency logs.
Keyless signing relies on OIDC providers; misconfiguration can lead to signing failures.

Cosign's keyless signing feature allows you to sign artifacts without managing long-lived private keys. This is achieved by leveraging short-lived OIDC tokens issued by identity providers like Google, GitHub, or GitLab. The signatures are then stored in a transparency log to provide tamper-proof evidence of the signing process.

Cosign supports signing attestations, which are structured metadata about the artifact. These attestations can be used to convey information such as build provenance, security scan results, and compliance information.

Cosign was developed by Google and community contributors as part of the Sigstore project.
It aims to improve software supply chain security by providing a user-friendly way to sign and verify container images and other artifacts. The initial focus was on keyless signing to ease the adoption of digital signatures.
Cosign has evolved to include support for various signing methods, attestation, and integration with transparency logs like Rekor.

docker(1), podman(1), skopeo(1)