sigstore/cosign
Tooling
The build, lint, doc, and release machinery in one place.
Makefile
Makefile is the front door. Useful targets:
| Target | What it does |
|---|---|
make / make all / make cosign |
Build the cosign binary (CGO_ENABLED=0). |
make cosign-pivkey-pkcs11key |
Build with PIV + PKCS#11 (CGO_ENABLED=1 -tags=pivkey,pkcs11key). |
make install |
go install into $GOBIN. |
make cross |
Build cosign-{darwin,linux,windows}-amd64 plus sha256 sidecars. |
make test |
Run unit tests (excluding third_party/). |
make lint |
Download golangci-lint v2.2.2 to ./bin and run it. |
make conformance |
Build the conformance adapter ./conformance. |
make conformance-runner, make conformance-tests |
Clone + run sigstore-conformance. |
make ko / make ko-cosign / make ko-cosign-dev |
Build OCI images via ko and push to KO_DOCKER_REPO. |
make ko-local |
Same, but tag locally for ko.local. |
make docgen |
Regenerate doc/cosign_*.md from the live Cobra tree (go run -tags pivkey,pkcs11key,cgo ./cmd/help/). |
make clean |
Remove cosign and dist/. |
LDFLAGS are auto-derived from git describe, the commit hash, and SOURCE_DATE_EPOCH, then passed to sigs.k8s.io/release-utils/version so cosign version prints accurate values.
golangci-lint
Config: .golangci.yml. Pinned version: v2.2.2 (see Makefile::golangci-lint). Active linters include errcheck, goimports, goheader (license-banner), gosec, revive, staticcheck, unused, gofumpt, etc.
Run with make lint or ./bin/golangci-lint run -n once installed.
Doc generation (cmd/help)
cmd/help/main.go walks the Cobra command tree from cli.New() and writes one markdown file per node (cosign.md, cosign_sign.md, cosign_verify.md, …) into doc/. CI re-runs the tool and diffs (.github/workflows/verify-docgen.yaml); a non-empty diff fails the build.
If you add or rename a flag, run make docgen and commit the resulting doc/ changes.
ko (OCI image builds)
Config: .ko.yaml. ko is invoked by the ko-* Makefile targets and produces multi-arch images for github.com/sigstore/cosign/v3/cmd/cosign. The base image is gcr.io/distroless/static; the -dev variants use the debug nonroot variant.
ArtifactHub labels are baked in via the ARTIFACT_HUB_LABELS make variable.
goreleaser
Config: .goreleaser.yml — used during the release workflow to build, archive, and publish binaries to GitHub Releases. The release/ directory holds the makefile fragment (release/release.mk) included from the top-level Makefile.
GitHub Actions
.github/workflows/ (18 files):
| Workflow | Trigger / purpose |
|---|---|
build.yaml |
PR build |
tests.yaml |
Cross-OS unit tests |
golangci-lint.yml |
Lint |
e2e-tests.yml, e2e-with-binary.yml |
End-to-end runs against scaffolding |
conformance.yml, conformance-nightly.yml |
sigstore-conformance |
kind-verify-attestation.yaml |
Kubernetes verifier integration |
verify-docgen.yaml |
Diffs make docgen output |
cut-release.yml, validate-release.yml |
Release tooling |
codeql-analysis.yml, scorecard-action.yml, depsreview.yml |
Supply-chain hygiene |
whitespace.yaml, donotsubmit.yaml |
Cleanliness gates |
github-oidc.yaml |
Validates the in-repo GitHub OIDC provider plumbing |
.github/dependabot.yml configures Dependabot for Go modules, GitHub Actions, and Docker.
Hack and scripts
hack/— one-off developer utilities (tools.goto pin tool versions, etc.).scripts/— small helper shell scripts.release/— release tooling (Makefile fragment, KO config helpers).
Editor / dev tips
.gitattributesenforces LF for Go sources (and BAT/PS1 for Windows tooling).Dockerfilebuilds a minimal cosign image (mostly for ad-hoc testing, not the canonical artifact — that goes throughko).
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.