sigstore/cosign
Cosign
Cosign is a CLI and Go library for signing, verifying, and storing OCI artifacts (container images, blobs, in-toto attestations, SBOMs) using the Sigstore ecosystem. It is the primary client tool that ties together the Fulcio code-signing CA, the Rekor transparency log, and OCI registries.
The tool's stated goal is to make signatures invisible infrastructure: a developer should be able to sign an image with a single cosign sign and a verifier should need only cosign verify plus an expected identity. The default workflow is keyless — no long-lived signing keys, just a short-lived OIDC-bound certificate from Fulcio and an inclusion proof in Rekor.
What this wiki covers
- The CLI surface, command by command (see CLI)
- The reusable Go library packages under
pkg/(see Library) - The specifications for cosign-formatted signatures, bundles, attestations, and SBOMs (see Specs)
- Project conventions, build tooling, and contribution flow (see How to contribute)
What cosign supports
- Keyless signing with the Sigstore public-good Fulcio CA and Rekor transparency log (default).
- Hardware and KMS signing — AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault, PKCS#11 tokens, PIV/Yubikey.
- Local key pairs — encrypted ECDSA P-256 keys generated by
cosign generate-key-pair. - OCI artifact signing — container images, image indexes, attached SBOMs, in-toto attestations.
- Bring-your-own PKI — verification against custom roots (
--ca-roots) and custom OIDC issuers. - Offline verification — using the protobuf bundle format saved alongside the artifact.
Project status
Cosign 2.x and 3.x are stable. Per the README.md, future major-version development is focused on sigstore-go; cosign continues to receive feature updates and bug fixes but breaking-API PRs are not accepted. The v3 line (Go module path github.com/sigstore/cosign/v3) introduces the new protobuf bundle format as the default and signs exclusively via sigstore-go.
Repository layout (top level)
| Path | Purpose |
|---|---|
cmd/cosign/ |
cosign CLI entry point, command tree, options |
cmd/conformance/ |
Adapter binary for the sigstore-conformance test suite |
cmd/help/ |
Cobra-based markdown doc generator (drives make docgen) |
cmd/sample/ |
Example program embedding the cosign library |
pkg/cosign/ |
Core signing, verification, key, tlog, tsa, fulcio logic |
pkg/oci/ |
OCI artifact abstractions and remote/local implementations |
pkg/policy/ |
CUE/Rego attestation policy evaluation |
pkg/providers/ |
Pluggable OIDC token providers (GitHub, GitLab, Buildkite, SPIFFE, Google, filesystem, envvar) |
pkg/signature/ |
Key loading and detached-payload helpers |
pkg/blob/, pkg/types/ |
Blob loading, OCI/predicate media-type constants |
internal/ui/ |
Stderr UI primitives — info/warn/spinner/prompt |
specs/ |
Authoritative format specs: signatures, bundles, attestations, SBOMs |
doc/ |
Auto-generated CLI man-page-style markdown (one file per subcommand) |
test/ |
End-to-end integration tests (e2e_*.go + bash drivers) |
release/ |
Release tooling |
hack/, scripts/ |
One-off and developer utilities |
Quick links
- Architecture: overview/architecture.md
- Getting started: overview/getting-started.md
- Glossary: overview/glossary.md
- Codebase stats: by-the-numbers
- History and milestones: lore
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.