Open-Source Wikis

/

Cosign

/

How to contribute

/

Tooling

sigstore/cosign

Tooling

The build, lint, doc, and release machinery in one place.

Makefile

Makefile is the front door. Useful targets:

Target What it does
make / make all / make cosign Build the cosign binary (CGO_ENABLED=0).
make cosign-pivkey-pkcs11key Build with PIV + PKCS#11 (CGO_ENABLED=1 -tags=pivkey,pkcs11key).
make install go install into $GOBIN.
make cross Build cosign-{darwin,linux,windows}-amd64 plus sha256 sidecars.
make test Run unit tests (excluding third_party/).
make lint Download golangci-lint v2.2.2 to ./bin and run it.
make conformance Build the conformance adapter ./conformance.
make conformance-runner, make conformance-tests Clone + run sigstore-conformance.
make ko / make ko-cosign / make ko-cosign-dev Build OCI images via ko and push to KO_DOCKER_REPO.
make ko-local Same, but tag locally for ko.local.
make docgen Regenerate doc/cosign_*.md from the live Cobra tree (go run -tags pivkey,pkcs11key,cgo ./cmd/help/).
make clean Remove cosign and dist/.

LDFLAGS are auto-derived from git describe, the commit hash, and SOURCE_DATE_EPOCH, then passed to sigs.k8s.io/release-utils/version so cosign version prints accurate values.

golangci-lint

Config: .golangci.yml. Pinned version: v2.2.2 (see Makefile::golangci-lint). Active linters include errcheck, goimports, goheader (license-banner), gosec, revive, staticcheck, unused, gofumpt, etc.

Run with make lint or ./bin/golangci-lint run -n once installed.

Doc generation (cmd/help)

cmd/help/main.go walks the Cobra command tree from cli.New() and writes one markdown file per node (cosign.md, cosign_sign.md, cosign_verify.md, …) into doc/. CI re-runs the tool and diffs (.github/workflows/verify-docgen.yaml); a non-empty diff fails the build.

If you add or rename a flag, run make docgen and commit the resulting doc/ changes.

ko (OCI image builds)

Config: .ko.yaml. ko is invoked by the ko-* Makefile targets and produces multi-arch images for github.com/sigstore/cosign/v3/cmd/cosign. The base image is gcr.io/distroless/static; the -dev variants use the debug nonroot variant.

ArtifactHub labels are baked in via the ARTIFACT_HUB_LABELS make variable.

goreleaser

Config: .goreleaser.yml — used during the release workflow to build, archive, and publish binaries to GitHub Releases. The release/ directory holds the makefile fragment (release/release.mk) included from the top-level Makefile.

GitHub Actions

.github/workflows/ (18 files):

Workflow Trigger / purpose
build.yaml PR build
tests.yaml Cross-OS unit tests
golangci-lint.yml Lint
e2e-tests.yml, e2e-with-binary.yml End-to-end runs against scaffolding
conformance.yml, conformance-nightly.yml sigstore-conformance
kind-verify-attestation.yaml Kubernetes verifier integration
verify-docgen.yaml Diffs make docgen output
cut-release.yml, validate-release.yml Release tooling
codeql-analysis.yml, scorecard-action.yml, depsreview.yml Supply-chain hygiene
whitespace.yaml, donotsubmit.yaml Cleanliness gates
github-oidc.yaml Validates the in-repo GitHub OIDC provider plumbing

.github/dependabot.yml configures Dependabot for Go modules, GitHub Actions, and Docker.

Hack and scripts

  • hack/ — one-off developer utilities (tools.go to pin tool versions, etc.).
  • scripts/ — small helper shell scripts.
  • release/ — release tooling (Makefile fragment, KO config helpers).

Editor / dev tips

  • .gitattributes enforces LF for Go sources (and BAT/PS1 for Windows tooling).
  • Dockerfile builds a minimal cosign image (mostly for ad-hoc testing, not the canonical artifact — that goes through ko).

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Tooling – Cosign wiki | Factory