Cosign

Cosign is a tool from the Sigstore project for signing and verifying container images and other artifacts. It supports both traditional key-based signing and keyless signing using OIDC.

Installing Cosign

Using Homebrew

brew install cosign

Using Binary

wget https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
chmod +x cosign-linux-amd64
sudo mv cosign-linux-amd64 /usr/local/bin/cosign

Key-Based Signing

Generate Key Pair

cosign generate-key-pair

This creates:

  • cosign.key - Private key (keep secret!)
  • cosign.pub - Public key (share for verification)

Sign Image

cosign sign --key cosign.key user/image:tag

Verify Signature

cosign verify --key cosign.pub user/image:tag

Keyless Signing

Keyless signing uses OIDC for authentication:

Sign with Keyless

cosign sign user/image:tag

This will:

  1. Open a browser for OIDC authentication
  2. Get a certificate from Fulcio
  3. Sign the image
  4. Store signature in Rekor

Verify Keyless Signature

cosign verify \
  --certificate-identity user@example.com \
  --certificate-oidc-issuer https://accounts.google.com \
  user/image:tag

Since cosign 2.0 both flags are required: they pin the signer identity and the OIDC issuer that must appear in the Fulcio certificate attached to the signature. The values above are placeholders; use the identity and issuer that actually signed the image.

Signing Multiple Images

Sign All Tags

cosign sign --key cosign.key user/image

Without an explicit tag the reference resolves to user/image:latest, and cosign signs the digest that tag currently points to, not the tag name itself; if the tag is later moved to a different digest, that digest is not covered. Run the command once for each tag you need signed.

Sign with Annotations

cosign sign --key cosign.key \
  -a env=production \
  -a version=1.0.0 \
  user/image:tag

CI/CD Integration

GitHub Actions

name: Sign Image
on: [push]
env:
  IMAGE: user/image:tag   # placeholder reference to sign
jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
    - uses: sigstore/cosign-installer@v2
    - name: Sign image
      # The private key and its password come from repository secrets; the
      # env:// key reference lets cosign read the key from the environment,
      # so cosign.key never has to be checked into the repository.
      run: |
        cosign sign --key env://COSIGN_PRIVATE_KEY ${{ env.IMAGE }}
      env:
        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

Best Practices

  1. Use keyless for CI/CD - Easier than managing keys
  2. Store keys securely - Use secret management for private keys
  3. Verify before deploy - Always verify signatures
  4. Sign all images - Don’t skip signing
  5. Use annotations - Add metadata to signatures
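As an added example (not part of the original page or the cosign project), a Python deploy gate that combines best practices 3 and 5 with the annotations from "Sign with Annotations": it refuses references that are not pinned by digest, runs cosign verify, and then checks that a verified signature covers that exact digest and carries the annotations set with -a. The sample payload is constructed to mirror the simple-signing JSON that cosign verify prints; verify_and_check and its argument names are hypothetical.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample of what `cosign verify` prints on stdout: a JSON array of
# simple-signing payloads, here for an image signed with -a env=production
# -a version=1.0.0. Digest and repository are made-up placeholder values.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "index.docker.io/user/image"},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {"env": "production", "version": "1.0.0"},
}])

def check_signature_policy(verify_output: str, expected_digest: str,
                           required: Dict[str, str]) -> List[str]:
    """Return policy violations; an empty list means the deploy may proceed.
    cosign already checked the signatures cryptographically; this enforces that
    one of them covers the exact digest being deployed and carries every
    required annotation (the key=value pairs given to `cosign sign -a`)."""
    try:
        payloads = json.loads(verify_output)
    except json.JSONDecodeError as exc:
        return [f"unparseable cosign output: {exc}"]
    if not payloads:
        return ["no signatures returned"]
    problems = []
    for payload in payloads:
        digest = payload.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        if digest != expected_digest:
            problems.append(f"signature covers {digest}, expected {expected_digest}")
            continue
        annotations = payload.get("optional") or {}
        missing = [f"{k}={v}" for k, v in required.items() if annotations.get(k) != v]
        if not missing:
            return []  # one signature satisfying the policy is sufficient
        problems.append("missing annotations: " + ", ".join(missing))
    return problems

def verify_and_check(image_ref: str, pubkey: str, required: Dict[str, str]) -> List[str]:
    """Hypothetical deploy gate: digest-pinned ref, cosign verify (needs cosign on PATH), policy."""
    if "@sha256:" not in image_ref:
        return ["deploy references must be pinned by digest, not a mutable tag"]
    proc = subprocess.run(["cosign", "verify", "--key", pubkey, image_ref], capture_output=True, text=True)
    if proc.returncode != 0:
        return [f"cosign verify failed: {proc.stderr.strip()}"]
    return check_signature_policy(proc.stdout, image_ref.split("@", 1)[1], required)
```

For keyless signatures, swap the --key argument for the --certificate-identity and --certificate-oidc-issuer flags; the output format and the policy check are the same.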

See Also