cosign
Sign and verify container images
TLDR
Generate a key-pair
Sign a container and store the signature in the registry
Sign a container image with a key pair stored in a Kubernetes secret
Sign a blob with a local key pair file
Verify a container against a public key
Verify images with a public key in a Dockerfile
Verify an image with a public key stored in a Kubernetes secret
Copy a container image and its signatures
SYNOPSIS
cosign [global-options] command [command-options] [arguments]
Common Commands:
cosign sign [options] <artifact-ref>
cosign verify [options] <artifact-ref>
cosign generate-key-pair [options]
PARAMETERS
-h, --help
Display help for cosign or a subcommand.
-v, --verbose
Enable verbose output, showing more details about operations.
--output
Specify the output format for some commands (e.g., 'json', 'text').
--insecure-skip-tls-verify
Skip TLS certificate verification for OCI registries. (Use with extreme caution and only in development environments.)
--key
Path to the private key for signing, or public key for verification. Can also be a Kubernetes secret URI or a KMS URI.
--fulcio-url
URL of the Fulcio instance to use for obtaining X.509 certificates in keyless signing.
--rekor-url
URL of the Rekor instance (transparency log) to use for logging signatures and attestations.
--cert-identity
Expected identity (e.g., email address or GitHub username) in the signing certificate for verification.
--cert-oidc-issuer
Expected OIDC issuer URL in the signing certificate for verification.
DESCRIPTION
Cosign is an open-source command-line utility that is part of the Sigstore project, designed to enhance software supply chain security. It enables cryptographic signing and verification of container images, software binaries, blobs, and other artifacts stored in OCI registries. Cosign simplifies the process of creating, managing, and validating digital signatures for your software.
Key features include support for keyless signing using OIDC identities, making signature management easier by leveraging existing identity providers. It allows users to attach various types of metadata to images, such as Software Bill of Materials (SBOMs) and attestations. By integrating with existing container registries, Cosign provides a transparent and auditable way to ensure that the software you deploy is trustworthy and has not been tampered with. It plays a crucial role in securing the integrity and authenticity of software artifacts throughout their lifecycle, from development to deployment.
CAVEATS
Cosign is not a standard Linux distribution utility and must be installed separately. Its keyless signing functionality relies on external Sigstore services like Fulcio (for certificate issuance) and Rekor (for transparency logging), requiring internet connectivity for these operations. While it simplifies signature management, users still need to understand the underlying security principles and properly configure their OIDC identity providers. Improper use of options like --insecure-skip-tls-verify can undermine security. It is a powerful tool for one part of the software supply chain, but it does not solve all supply chain security challenges on its own.
KEYLESS SIGNING WITH OIDC
One of Cosign's flagship features is 'keyless' signing. Instead of managing static cryptographic keys, Cosign leverages OIDC (OpenID Connect) identities to generate ephemeral signing keys, certified by a trusted certificate authority (Fulcio) and logged to a transparency log (Rekor). This significantly simplifies key management and reduces the risk of key compromise by tying signatures directly to developer identities.
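The keyless flow above is only as strong as the verification policy that consumes it: a verifier must pin the image by digest and enforce both the signer identity and the OIDC issuer, otherwise any Fulcio-issued certificate would satisfy the check. The following is an added example, not code from the cosign project, showing a small wrapper that builds the cosign invocation and then validates the JSON that `cosign verify -o json` prints. It spells the identity flags as --certificate-identity and --certificate-oidc-issuer (cosign's current long-form names); the sample output, registry name, workflow URL and digest are constructed placeholders, and the JSON shape is assumed from cosign's output format.

```python
"""Added example (not cosign's own code): verify a digest-pinned image with
cosign keyless verification, then enforce the result before deploying."""
import json
import subprocess

# Constructed sample of what `cosign verify -o json` prints for one keyless
# signature. Values are placeholders; the shape is assumed from cosign's output.
SAMPLE_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "registry.example.com/team/app"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": "https://token.actions.githubusercontent.com",
        "Subject": "https://github.com/example-org/app/.github/workflows/release.yml@refs/heads/main",
    },
}])


def pinned_by_digest(image_ref):
    """Tags are mutable; only a digest reference names exactly one manifest."""
    return "@sha256:" in image_ref


def build_verify_cmd(image_ref, expected_identity, expected_issuer):
    """Assemble the cosign command line; refuse tag-only references up front."""
    if not pinned_by_digest(image_ref):
        raise ValueError("verify by digest, not by tag: " + image_ref)
    return ["cosign", "verify",
            "--certificate-identity", expected_identity,
            "--certificate-oidc-issuer", expected_issuer,
            "-o", "json", image_ref]


def check_verification(output, expected_digest, expected_identity, expected_issuer):
    """True only if some payload binds the expected digest to the expected
    signer Subject and OIDC Issuer; malformed or partial matches are rejected."""
    try:
        payloads = json.loads(output)
    except json.JSONDecodeError:
        return False
    if not isinstance(payloads, list):
        return False
    for p in payloads:
        digest = p.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        optional = p.get("optional") or {}  # cosign emits null for key-based signatures
        if (digest == expected_digest
                and optional.get("Subject") == expected_identity
                and optional.get("Issuer") == expected_issuer):
            return True
    return False
```

In a real pipeline, run `subprocess.run(build_verify_cmd(ref, identity, issuer), capture_output=True, text=True, check=True).stdout` and pass the result to check_verification with the digest taken from the deployment manifest, so the digest that was verified is the digest that ships.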
SOFTWARE BILL OF MATERIALS (SBOM) AND ATTESTATIONS
Cosign supports attaching various types of metadata to signed artifacts, including Software Bill of Materials (SBOMs) and custom attestations. This allows organizations to embed crucial information about the software's components, build process, or security posture directly alongside the artifact, making it verifiable and auditable throughout the supply chain.
HISTORY
Cosign emerged from the Sigstore project, an initiative launched by Google, Red Hat, and Purdue University in 2021. The goal of Sigstore, and by extension Cosign, is to make software signing and verification accessible, transparent, and user-friendly, thereby improving the security of the open-source software supply chain. It quickly gained traction and became a Cloud Native Computing Foundation (CNCF) Sandbox project, later graduating to a fully fledged CNCF project. Its development focuses on integrating with existing container ecosystems and leveraging modern cryptographic practices like keyless signing to address challenges in software artifact integrity and authenticity.