explaingit

sigstore/cosign

5,914 · Go · Audience · ops, devops · Complexity · 3/5 · Setup · moderate

TLDR

Cosign is a command-line tool for signing and verifying container images and software artifacts so you can prove a piece of software has not been tampered with after it was published.

Mindmap

mindmap
  root((cosign))
    What it does
      Sign container images
      Verify signatures
      Sign generic files
    Signing Methods
      Keyless via email login
      Public and private keys
      Hardware security keys
      Cloud key management
    Transparency Log
      Rekor audit trail
      Permanent record
      Who signed what and when
    Installation
      Homebrew
      Nix
      GitHub Actions step
      Docker image

Things people build with this

USE CASE 1

Sign a container image after building it so consumers can verify it came from you and was not tampered with.

USE CASE 2

Set up keyless signing in a CI/CD pipeline using a GitHub or Google identity without managing private key files.

USE CASE 3

Verify the signature of a container image before pulling it into a production environment as a security check.

USE CASE 4

Sign and verify generic software release files and blobs beyond container images for supply chain auditability.

Tech stack

Go, Docker

Getting it running

Difficulty · moderate · Time to first run · 30 min

Keyless signing requires a browser login step through an identity provider; key-based signing requires configuring a key management service or generating a key pair first.

In plain English

Cosign is a command-line tool for signing container images and other software artifacts, making it possible to verify that a piece of software has not been tampered with after it was published. It is part of the Sigstore project, a broader initiative to make software supply-chain security more accessible.

The default signing method, called keyless signing, does not require you to manage a private key file. Instead, you log in with an email account (via Google, GitHub, or another identity provider), and Cosign requests a short-lived certificate from a certificate authority. The signature is then recorded in a public transparency log called Rekor, creating a permanent, auditable trail of who signed what and when. If you prefer to use your own keys, Cosign also supports traditional public/private key pairs, hardware security keys, and cloud-based key management services.

To sign a container image, you run a single command with the image's digest (a unique fingerprint of the image content), and Cosign walks you through a browser-based login. To verify, you run another command that checks the signature against the transparency log. The tool also supports signing and verifying generic files and blobs beyond containers.

Cosign is stable and actively maintained. Its ongoing development is shifting toward a related library called sigstore-go, which the Cosign tool is being rebuilt on top of. Binaries are available for Linux and macOS, and it can be installed via Homebrew, Nix, Arch Linux packages, or as a GitHub Actions step for use in automated pipelines. A Docker image is also provided for use inside container builds.
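The sign-by-digest and verify-against-the-log steps above, as an added example that is not the cosign project's own code: a small POSIX shell gate around the cosign CLI that refuses references not pinned to a digest and ties keyless verification to an expected signer identity and OIDC issuer. It assumes cosign v2 is on PATH; the registry name, identity and issuer values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not cosign's own code): a CI gate around the cosign CLI.
# Assumes cosign v2 is installed; image, identity and issuer values below are
# constructed placeholders, not real deployments.

# Cosign signs a digest, not a tag. A tag can be moved to a different image
# after signing, so refuse any reference that is not pinned to a sha256 digest.
require_digest() {
  if printf '%s\n' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$'; then
    return 0
  fi
  echo "refusing '$1': reference is not pinned to a sha256 digest" >&2
  return 2
}

# Keyless sign: cosign obtains a short-lived certificate for the logged-in
# identity and records the signature in Rekor. --yes skips the interactive
# confirmation prompts so the step works unattended in CI.
sign_image() {
  require_digest "$1" || return $?
  cosign sign --yes "$1"
}

# Keyless verify: a signature only means something if it was made by the
# identity you expect, issued by the OIDC provider you expect. Without these
# constraints any valid Sigstore certificate would be accepted.
verify_image() {
  image="$1" identity="$2" issuer="$3"
  require_digest "$image" || return $?
  cosign verify \
    --certificate-identity "$identity" \
    --certificate-oidc-issuer "$issuer" \
    "$image" >/dev/null
}

# Usage (constructed values): verify_image IMAGE IDENTITY ISSUER, e.g.
#   verify_image 'registry.example/app@sha256:<digest>' \
#     'https://github.com/example-org/app/.github/workflows/release.yml@refs/tags/v1.2.3' \
#     'https://token.actions.githubusercontent.com'
if [ "$#" -eq 3 ]; then
  verify_image "$1" "$2" "$3" && echo "signature OK for $1"
fi
```

A non-zero exit from verify_image is the gate: a deploy step that runs after it only proceeds for a digest-pinned image signed by the expected workflow identity.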

Copy-paste prompts

Prompt 1
Using cosign with keyless signing, walk me through signing a container image after pushing it to a registry. What command do I run and what happens during the browser login step?
Prompt 2
I want to add cosign signature verification to my GitHub Actions pipeline so that only signed images can be deployed. Show me the workflow YAML step to verify an image signature.
Prompt 3
What is the Rekor transparency log that cosign uses, and how do I look up the audit record of a specific signed image to verify who signed it and when?
Prompt 4
My team wants to use cosign with our own private keys stored in AWS KMS instead of keyless signing. Show me the cosign commands to sign and verify an image using a cloud KMS key.

Verify against the repo before relying on details.