cosign
Container Signing, Verification and Storage in an OCI registry.
TLDR
Generate a key-pair
Sign a container and store the signature in the registry
Sign a container image with a key pair stored in a Kubernetes secret
Sign a blob with a local key pair file
Verify a container against a public key
Verify images with a public key in a Dockerfile
Verify an image with a public key stored in a Kubernetes secret
Copy a container image and its signatures
Help
Usage:
  cosign [command]

Available Commands:
  attach             Provides utilities for attaching artifacts to other artifacts in a registry
  attest             Attest the supplied container image.
  clean              Remove all signatures from an image.
  completion         Generate completion script
  copy               Copy the supplied container image and signatures.
  dockerfile         Provides utilities for discovering images in and performing operations on Dockerfiles
  download           Provides utilities for downloading artifacts and attached artifacts in a registry
  generate           Generates (unsigned) signature payloads from the supplied container image.
  generate-key-pair  Generates a key-pair.
  help               Help about any command
  initialize         Initializes SigStore root to retrieve trusted certificate and key targets for verification.
  load               Load a signed image on disk to a remote registry
  manifest           Provides utilities for discovering images in and performing operations on Kubernetes manifests
  policy             subcommand to manage a keyless policy.
  public-key         Gets a public key from the key-pair.
  save               Save the container image and associated signatures to disk at the specified directory.
  sign               Sign the supplied container image.
  sign-blob          Sign the supplied blob, outputting the base64-encoded signature to stdout.
  triangulate        Outputs the located cosign image reference. This is the location cosign stores the specified artifact type.
  upload             Provides utilities for uploading artifacts to a registry
  verify             Verify a signature on the supplied container image
  verify-attestation Verify an attestation on the supplied container image
  verify-blob        Verify a signature on the supplied blob
  version            Prints the cosign version

Flags:
      --azure-container-registry-config string   Path to the file containing Azure container registry configuration information.
  -h, --help                                     help for cosign
      --output-file string                       log output to a file
  -d, --verbose                                  log debug output

Additional help topics:
  cosign piv-tool    This cosign was not built with piv-tool support!
  cosign pkcs11-tool This cosign was not built with pkcs11-tool support!

Use "cosign [command] --help" for more information about a command.