Open-Source Wikis

/

Cosign

/

Cosign

sigstore/cosign

Cosign

Cosign is a CLI and Go library for signing, verifying, and storing OCI artifacts (container images, blobs, in-toto attestations, SBOMs) using the Sigstore ecosystem. It is the primary client tool that ties together the Fulcio code-signing CA, the Rekor transparency log, and OCI registries.

The tool's stated goal is to make signatures invisible infrastructure: a developer should be able to sign an image with a single cosign sign and a verifier should need only cosign verify plus an expected identity. The default workflow is keyless — no long-lived signing keys, just a short-lived OIDC-bound certificate from Fulcio and an inclusion proof in Rekor.

What this wiki covers

  • The CLI surface, command by command (see CLI)
  • The reusable Go library packages under pkg/ (see Library)
  • The specifications for cosign-formatted signatures, bundles, attestations, and SBOMs (see Specs)
  • Project conventions, build tooling, and contribution flow (see How to contribute)

What cosign supports

  • Keyless signing with the Sigstore public-good Fulcio CA and Rekor transparency log (default).
  • Hardware and KMS signing — AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault, PKCS#11 tokens, PIV/Yubikey.
  • Local key pairs — encrypted ECDSA P-256 keys generated by cosign generate-key-pair.
  • OCI artifact signing — container images, image indexes, attached SBOMs, in-toto attestations.
  • Bring-your-own PKI — verification against custom roots (--ca-roots) and custom OIDC issuers.
  • Offline verification — using the protobuf bundle format saved alongside the artifact.

Project status

Cosign 2.x and 3.x are stable. Per the README.md, future major-version development is focused on sigstore-go; cosign continues to receive feature updates and bug fixes but breaking-API PRs are not accepted. The v3 line (Go module path github.com/sigstore/cosign/v3) introduces the new protobuf bundle format as the default and signs exclusively via sigstore-go.

Repository layout (top level)

Path Purpose
cmd/cosign/ cosign CLI entry point, command tree, options
cmd/conformance/ Adapter binary for the sigstore-conformance test suite
cmd/help/ Cobra-based markdown doc generator (drives make docgen)
cmd/sample/ Example program embedding the cosign library
pkg/cosign/ Core signing, verification, key, tlog, tsa, fulcio logic
pkg/oci/ OCI artifact abstractions and remote/local implementations
pkg/policy/ CUE/Rego attestation policy evaluation
pkg/providers/ Pluggable OIDC token providers (GitHub, GitLab, Buildkite, SPIFFE, Google, filesystem, envvar)
pkg/signature/ Key loading and detached-payload helpers
pkg/blob/, pkg/types/ Blob loading, OCI/predicate media-type constants
internal/ui/ Stderr UI primitives — info/warn/spinner/prompt
specs/ Authoritative format specs: signatures, bundles, attestations, SBOMs
doc/ Auto-generated CLI man-page-style markdown (one file per subcommand)
test/ End-to-end integration tests (e2e_*.go + bash drivers)
release/ Release tooling
hack/, scripts/ One-off and developer utilities

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Cosign – Cosign wiki | Factory