cosign
Sign and verify container images
TLDR
Generate a key pair
Sign a container and store the signature in the registry
Sign a container image with a key pair stored in a Kubernetes secret
Sign a blob with a local key pair file
Verify a container against a public key
Verify images with a public key in a Dockerfile
Verify an image with a public key stored in a Kubernetes secret
Copy a container image and its signatures
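The "sign a blob with a local key pair" and "verify against a public key" items above, as an added example that is not part of the original page or of cosign's code: it reproduces in Go what cosign does for a blob with a local ECDSA key pair, namely an ECDSA P-256 signature over the blob's SHA-256 digest, DER encoded and then base64 encoded (assumed format). The key pair is generated in-process as a stand-in for the cosign.key/cosign.pub files, and the blob contents are constructed; the point is that a modified blob, or a signature checked against the wrong public key, fails verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// signBlob mirrors `cosign sign-blob --key cosign.key blob` with a local key pair:
// ECDSA P-256 over the blob's SHA-256 digest, DER then base64 (assumed format).
func signBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifyBlob is the check `cosign verify-blob --key cosign.pub --signature sig blob`
// performs: the blob as presented must verify under the trusted public key.
func verifyBlob(pub *ecdsa.PublicKey, blob []byte, b64sig string) bool {
	sig, err := base64.StdEncoding.DecodeString(b64sig)
	digest := sha256.Sum256(blob)
	return err == nil && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// demo: the genuine blob verifies; a modified blob or a different public key does not.
// Keys are generated in-process, standing in for `cosign generate-key-pair` output.
func demo() (genuine, tampered, wrongKey bool, err error) {
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil || err2 != nil {
		return false, false, false, fmt.Errorf("key generation: %v %v", err, err2)
	}
	blob := []byte("constructed artifact contents\n") // constructed sample blob
	sig, err := signBlob(signer, blob)
	if err != nil {
		return
	}
	genuine = verifyBlob(&signer.PublicKey, blob, sig)
	tampered = verifyBlob(&signer.PublicKey, append([]byte("x"), blob...), sig)
	wrongKey = verifyBlob(&other.PublicKey, blob, sig)
	return
}

func main() { fmt.Println(demo()) } // true false false <nil>
```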
SYNOPSIS
cosign [flags] [subcommand]
PARAMETERS
--certificate string
Path to the certificate file to use for signing.
--certificate-chain string
Path to the certificate chain file to use when signing with a certificate.
--key string
Path to the private key file to use for signing.
--output string
Output format for the signature (default "text").
--predicate string
Path to the predicate file to use when signing with an attestation.
--rekor-url string
URL of the Rekor instance to use for transparency log integration.
--rfc3161-timestamp-server string
RFC3161 timestamp server endpoint to use.
--yes
Answer yes to all prompts.
attach
Subcommand to attach signatures or attestations to images.
attest
Subcommand to sign with an attestation.
sign
Subcommand to sign images.
verify
Subcommand to verify signatures.
generate-key-pair
Subcommand to generate a new key pair for signing.
public-key
Subcommand to extract the public key from a key pair.
DESCRIPTION
Cosign is a command-line tool for signing and verifying container images and other artifacts, built for software supply chain security with support for keyless signing and transparency logs. It allows users to digitally sign container images, blobs, and other artifacts and to store those signatures in a registry or another supported backend. Cosign leverages public key infrastructure (PKI) and transparency logs, such as Rekor, to ensure the integrity and authenticity of signed artifacts.
It simplifies attaching signatures and metadata to container images without requiring complex key management. Instead of long-lived keys, Cosign often uses OIDC (OpenID Connect) tokens and cloud provider identities for authentication, enabling integration with existing workflows and cloud environments. This helps secure the software supply chain by ensuring that only trusted and verified images are deployed.
CAVEATS
Cosign requires access to a container registry and network connectivity to Rekor or other transparency logs.
Keyless signing relies on OIDC providers; misconfiguration can lead to signing failures.
KEYLESS SIGNING
Cosign's keyless signing feature allows you to sign artifacts without managing long-lived private keys. This is achieved by leveraging short-lived OIDC tokens issued by identity providers such as Google, GitHub, or GitLab. The signatures are then recorded in a transparency log to provide tamper-evident proof of the signing event.
ATTESTATION
Cosign supports signing attestations, which are structured metadata about the artifact. These attestations can be used to convey information such as build provenance, security scan results, and compliance information.
HISTORY
Cosign was developed by Google and community contributors as part of the Sigstore project.
It aims to improve software supply chain security by providing a user-friendly way to sign and verify container images and other artifacts. The initial focus was on keyless signing to ease the adoption of digital signatures.
Cosign has evolved to include support for various signing methods, attestations, and integration with transparency logs like Rekor.