sigstore/cosign
OCI and attachment commands
Cosign has a long tail of registry-utility commands that don't sign or verify on their own — they manipulate signature artifacts, navigate the deterministic-tag layout, and copy or save signed content for offline use.
cosign attach
Attach pre-existing artifacts to an image without going through the full sign flow. Useful if you signed something elsewhere (e.g. via a hardware HSM workflow that produced a detached signature) and just need to publish it.
| Subcommand | Implementation | Purpose |
|---|---|---|
cosign attach signature |
cmd/cosign/cli/attach.go |
Push an existing .sig + payload + cert + chain to the deterministic tag |
cosign attach attestation |
cmd/cosign/cli/attach.go |
Push an existing DSSE-signed in-toto envelope |
cosign attach sbom |
(deprecated) | Push a raw SBOM as an OCI attachment — superseded by SBOM-as-attestation |
See doc/cosign_attach.md and friends.
cosign download
The mirror image of attach — read attached artifacts off a registry without verifying them.
| Subcommand | Purpose |
|---|---|
cosign download signature <image> |
Pull every cosign signature attached to the digest |
cosign download attestation <image> |
Pull every attestation |
cosign download sbom <image> |
(deprecated) Pull a raw OCI-attached SBOM |
Implementation: cmd/cosign/cli/download.go + cmd/cosign/cli/download/.
cosign upload
| Subcommand | Purpose |
|---|---|
cosign upload blob |
Wrap arbitrary bytes as an OCI image and push (one-layer image, configurable media type) |
cosign upload wasm |
Same, but with WASM-specific media types |
Implementation: cmd/cosign/cli/upload.go. Useful for distributing signed artifacts that aren't container images via OCI registries.
cosign copy
cosign copy <src-image> <dst-image>Implementation: cmd/cosign/cli/copy.go. Copies an image plus every attached signature/attestation/SBOM to a new repository, preserving the deterministic-tag relationships. Handy when promoting a signed image between registries.
cosign clean
cosign clean <image> --type signature|attestation|sbom|allImplementation: cmd/cosign/cli/clean.go. Deletes attached artifacts. Requires registry write access. The --type flag selects which tag(s) to remove.
cosign triangulate
cosign triangulate <image-digest>Implementation: cmd/cosign/cli/triangulate.go. Prints the OCI tag where the image's signatures live (i.e. sha256-<digest>.sig for signatures, .att for attestations, .sbom for SBOMs). Pure path computation — does not hit the network.
cosign tree
cosign tree <image>Implementation: cmd/cosign/cli/tree.go. Prints a tree of every attached artifact (signatures, attestations, SBOMs) for the image, with their digests and types. Good first stop when debugging "what does my image actually have attached?".
cosign save / cosign load
cosign save <image> --dir ./signed-export
cosign load --dir ./signed-export # imports it back to a different registryImplementation: cmd/cosign/cli/save.go, cmd/cosign/cli/load.go. Serializes an image and all attached artifacts into an OCI Image Layout on disk (per the OCI spec). cosign verify --local-image ./signed-export then verifies offline.
cosign manifest
cosign manifest verify --key cosign.pub <kubernetes-manifest.yaml>Implementation: cmd/cosign/cli/manifest.go. Walks a Kubernetes manifest, extracts every image reference, and verifies all of them against the supplied key/identity. Useful in admission-controller-adjacent workflows.
cosign dockerfile
cosign dockerfile verify --key cosign.pub DockerfileImplementation: cmd/cosign/cli/dockerfile.go. Same idea, but for FROM references in a Dockerfile.
cosign generate
cosign generate <image>Implementation: cmd/cosign/cli/generate.go. Emits the simple-signing payload that would be signed for that image — useful for offline workflows where the actual signing happens elsewhere (e.g. on an air-gapped HSM workstation).
cosign initialize
cosign initialize [--mirror <url>] [--root <root.json>]Implementation: cmd/cosign/cli/initialize.go. Pulls or refreshes the TUF metadata and trusted_root.json from the public-good repo (or a custom mirror). Stores them under ~/.sigstore/root/. Run once before air-gapped verification.
cosign trusted-root and cosign signing-config
cosign trusted-root create --certificate-chain ca.pem --rekor-key rekor.pub ... -o trusted_root.json
cosign signing-config create --fulcio-url https://... --rekor-url https://... -o signing_config.jsonImplementation: cmd/cosign/cli/trustedroot.go and cmd/cosign/cli/signingconfig.go. Build the JSON documents that cosign verify --trusted-root ... and cosign sign --signing-config ... consume — the path to running cosign against a private Sigstore deployment.
cosign bundle
cosign bundle create --signature sig.txt --certificate cert.pem --rekor-bundle rekor.json -o bundle.sigstore.jsonImplementation: cmd/cosign/cli/bundle.go. Combines pre-existing detached materials into a single Sigstore protobuf bundle — useful for migrating a legacy .sig + .pem + Rekor entry set onto the new bundle format. Recently hardened (commit bundle create: Prevent IgnoreTlog when bundle contains SET, Apr 2026) to refuse to drop the SET on the floor.
Key source files
| File | Purpose |
|---|---|
cmd/cosign/cli/attach.go |
attach command tree |
cmd/cosign/cli/download.go |
download command tree |
cmd/cosign/cli/upload.go |
upload (blob, wasm) |
cmd/cosign/cli/copy.go |
Image + attached artifact copy |
cmd/cosign/cli/clean.go |
Delete attached artifacts |
cmd/cosign/cli/triangulate.go |
Tag derivation |
cmd/cosign/cli/tree.go |
List attached artifacts |
cmd/cosign/cli/save.go, load.go |
OCI Image Layout export/import |
cmd/cosign/cli/manifest.go, dockerfile.go |
Verify-by-spec helpers |
cmd/cosign/cli/initialize.go |
TUF refresh |
cmd/cosign/cli/trustedroot.go, signingconfig.go, bundle.go |
v3 trust/bundle composition tools |
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.