LinuxCommandLibrary

cosign

Sign and verify container images

TLDR

Generate a key-pair
$ cosign generate-key-pair

Sign a container and store the signature in the registry
$ cosign sign --key [cosign.key] [image]

Sign a container image with a key pair stored in a Kubernetes secret
$ cosign sign --key k8s://[namespace]/[key] [image]

Sign a blob with a local key pair file
$ cosign sign-blob --key [cosign.key] [path/to/file]

Verify a container against a public key
$ cosign verify --key [cosign.pub] [image]

Verify images with a public key in a Dockerfile
$ cosign dockerfile verify --key [cosign.pub] [path/to/Dockerfile]

Verify an image with a public key stored in a Kubernetes secret
$ cosign verify --key k8s://[namespace]/[key] [image]

Copy a container image and its signatures
$ cosign copy [example.com/src:latest] [example.com/dest:latest]

SYNOPSIS

cosign [GLOBAL-FLAGS] <COMMAND> [<ARGS>]

PARAMETERS

-d, --driver string
    OCI signing driver name

--enable-netrc
    Use .netrc for authentication

-e, --experimental
    Enable experimental features

--output string
    Output format: text|json (default text)

--registry string
    Registry host (default ghcr.io)

--timeout duration
    Timeout for operations (default 5m)

-v, --verbose
    Enable debug logging

-h, --help
    Show help

--version
    Print version

DESCRIPTION

Cosign is a CLI tool from the Sigstore project for signing and verifying OCI container images and other artifacts. Its cryptographic signatures let consumers check that an artifact was produced by the expected party and has not been tampered with since, which is the basis of software supply chain security.

Key features include keyless signing via OIDC providers (e.g., GitHub Actions), traditional key-based signing, and verification against transparency logs like Rekor. Signatures are stored as OCI artifacts alongside images in registries like Docker Hub or GCR.

Workflow: Use cosign sign to sign and push a signature; cosign verify checks against the public key or log. It supports blobs, attestations (SLSA, etc.), and bundle formats. Ideal for CI/CD, it integrates with tools like GitHub, Kubernetes, and Tekton.

Keyless signing lets Cosign sign without any long-lived key to manage, anchoring trust in the signer's OIDC identity rather than in a password or stored secret. Verification fails if a signature is missing or does not match the image, so it can be used to enforce policy at deployment time.
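As an added example (not from this page or from the Sigstore project), the POSIX sh wrapper below runs the key-based workflow described above and, before verifying, pins the image to its manifest digest rather than trusting a mutable tag: the signature is bound to the digest, and a tag can be repointed between verification and deployment. It assumes cosign is on PATH, COSIGN_PASSWORD is exported so that generate-key-pair runs without a prompt, and that cosign triangulate prints the signature reference in the form <repo>:sha256-<digest>.sig; the helper names are the example's own.

```shell
#!/bin/sh
# Added example; not part of the page or of cosign itself.
# Key-based sign-then-verify wrapper that verifies a digest-pinned reference
# instead of a mutable tag (the signature is bound to the manifest digest, and
# a tag can be repointed between verification and deployment).
# Assumptions: cosign on PATH, COSIGN_PASSWORD exported for generate-key-pair,
# and push access to the image's repository.
set -eu

# is_digest_ref REF: succeed only if REF is "<repo>@sha256:<64 lowercase hex chars>".
is_digest_ref() {
  ref=$1
  case "$ref" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  digest=${ref##*@sha256:}
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# sig_ref_to_digest_ref SIGREF: turn the signature reference that
# `cosign triangulate IMAGE` prints ("<repo>:sha256-<digest>.sig") into the
# digest-pinned image reference "<repo>@sha256:<digest>". Pure string work; it
# cuts at the ":sha256-" marker rather than the last colon, so a registry port
# such as "localhost:5000" in the repository part survives intact.
sig_ref_to_digest_ref() {
  sig_ref=$1
  repo=${sig_ref%:sha256-*}
  digest=${sig_ref##*:sha256-}
  digest=${digest%.sig}
  printf '%s@sha256:%s' "$repo" "$digest"
}

# sign_and_verify IMAGE: create cosign.key/cosign.pub on first use, sign IMAGE,
# then verify the digest-pinned form and print it for the deployment step.
sign_and_verify() {
  image=$1
  [ -f cosign.key ] || cosign generate-key-pair     # writes cosign.key and cosign.pub
  cosign sign --yes --key cosign.key "$image"
  pinned=$(sig_ref_to_digest_ref "$(cosign triangulate "$image")")
  is_digest_ref "$pinned" || { echo "refusing to verify unpinned reference: $pinned" >&2; return 1; }
  cosign verify --key cosign.pub "$pinned" >/dev/null
  printf '%s\n' "$pinned"
}

# Usage: ./sign_and_verify.sh registry.example.com/team/app:1.2.3
# Prints the verified, digest-pinned reference to deploy.
if [ -n "${1:-}" ]; then
  command -v cosign >/dev/null 2>&1 || { echo "cosign not found on PATH" >&2; exit 1; }
  sign_and_verify "$1"
fi
```

The printed digest-pinned reference is what a deployment manifest should carry; a later `cosign verify --key cosign.pub` against that same reference checks exactly the manifest that was signed, whatever the tag points at by then.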

CAVEATS

Requires network access for keyless signing/verification; some features need Docker/containerd; experimental flags may change.

MAIN SUBCOMMANDS

sign, verify, verify-attestation, generate, download, upload, bundle, clean

EXAMPLE USAGE

cosign sign --yes myimage:tag
cosign verify --certificate-identity [signer-identity] --certificate-oidc-issuer [issuer-url] myimage:tag

Keyless verification in cosign 2.x requires the expected signer identity and OIDC issuer; without them verify refuses to run.

HISTORY

Developed by Sigstore (Google, Red Hat, others) starting 2020; v1.0 in 2021; now at v2.x with bundle support and SLSA provenance.

SEE ALSO

docker(1), podman(1), skopeo(1), rekor-cli(1)
