cosign
Container image signing and verification tool
TLDR
Sign container image (keyless)
SYNOPSIS
cosign command [options] [arguments]
DESCRIPTION
cosign is Sigstore's tool for signing and verifying container images and software artifacts. It supports keyless signing using OIDC identity or traditional key-based signing, providing cryptographic guarantees about image authenticity and integrity.
The tool integrates with container registries to attach signatures and attestations as OCI artifacts. Keyless signing leverages short-lived certificates tied to identity providers like GitHub, Google, or Microsoft, eliminating the need to manage long-term signing keys. Signatures are recorded in Sigstore's transparency log (Rekor) for public verification and auditability.
cosign also handles SBOMs (Software Bill of Materials), attestations, and other metadata, enabling comprehensive supply chain security. It works with various key management systems including cloud providers' KMS services and hardware security modules.
PARAMETERS
--key path|uri
Key for signing/verification
--certificate path
Certificate for signing
--certificate-chain path
Certificate chain
--certificate-identity identity
Expected identity in certificate
--certificate-oidc-issuer issuer
Expected OIDC issuer
-a key=value
Add annotation to signature
COMMANDS
sign
Sign container image
verify
Verify image signature
generate-key-pair
Generate signing key pair
attach
Attach artifacts (SBOM, attestation) to image
download
Download signatures/artifacts
triangulate
Find signature location for image
copy
Copy signatures between images
clean
Remove signatures from image
KEYLESS SIGNING
Uses OIDC identity (GitHub, Google, etc.) with short-lived keys. Signatures recorded in transparency log.
KMS SUPPORT
Supports AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault via URI format.
CAVEATS
Always sign and verify by digest (@sha256:...), not by tag. Multiple signatures can be attached to one image. Keyless signing requires network access for the OIDC flow.
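The following is an added example, not part of the cosign documentation, covering the KEYLESS SIGNING and CAVEATS sections together: a small POSIX sh wrapper that refuses to sign or verify anything that is not pinned by digest, then drives cosign's keyless sign/verify with the --certificate-identity and --certificate-oidc-issuer checks. The image name, workflow identity, issuer and KMS URI are placeholders chosen for illustration; --yes is a real cosign flag (it skips the interactive confirmation) that this page does not list.

```shell
#!/bin/sh
# Added example (not cosign's own code): enforce digest-pinned references
# around keyless signing and verification.

# Return 0 if REF is pinned by digest (name@sha256:<64 lowercase hex>), else 1.
# A tag can be repointed at a different image; a digest cannot.
require_digest_ref() {
  case "$1" in
    *@sha256:*)
      digest="${1##*@sha256:}"
      [ "${#digest}" -eq 64 ] &&
        [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ]
      ;;
    *) return 1 ;;
  esac
}

# Keyless sign: cosign obtains a short-lived certificate via the OIDC flow
# and records the signature in the Rekor transparency log.
sign_keyless() {
  ref="$1"
  require_digest_ref "$ref" || {
    echo "refusing to sign a non-digest reference: $ref" >&2
    return 1
  }
  cosign sign --yes "$ref"
}

# Keyless verify: pin the expected signer identity AND issuer. Without both,
# any certificate issued by Fulcio would satisfy the check.
verify_keyless() {
  ref="$1"; identity="$2"; issuer="$3"
  require_digest_ref "$ref" || {
    echo "refusing to verify a non-digest reference: $ref" >&2
    return 1
  }
  cosign verify \
    --certificate-identity "$identity" \
    --certificate-oidc-issuer "$issuer" \
    "$ref"
}

# Key-based verify against a KMS-held key referenced by URI (see KMS SUPPORT).
verify_kms() {
  ref="$1"; key_uri="$2"
  require_digest_ref "$ref" || return 1
  cosign verify --key "$key_uri" "$ref"
}

# Usage (placeholder values; nothing is invoked when this file is sourced):
#   sign_keyless ghcr.io/example/app@sha256:<digest>
#   verify_keyless ghcr.io/example/app@sha256:<digest> \
#     'https://github.com/example/app/.github/workflows/release.yml@refs/tags/v1.0.0' \
#     'https://token.actions.githubusercontent.com'
#   verify_kms ghcr.io/example/app@sha256:<digest> 'awskms:///alias/example-signing-key'
```

The identity string for a GitHub Actions signer is the workflow URL plus the ref that ran it, which is what appears in the Fulcio certificate's SAN; verifying only the issuer would accept a signature from any repository using that provider.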
