sigstore/cosign
Lore
A timeline of how cosign got to where it is today, derived from git log, tag dates, and the long-form CHANGELOG.md.
Eras
The bootstrap (Feb–Jul 2021)
The first commit landed on 2021-02-04. Cosign began as the Sigstore project's answer to "how do I sign a container image without a long-lived key?" — a CLI that pushed signatures to OCI registries as sibling artifacts (the original sha256-<digest>.sig tag scheme). The core abstractions — pkg/oci/SignedEntity, pkg/oci/Signature, pkg/cosign/Verify* — date from this period. v1.0.0 was tagged on 2021-07-28.
Keyless and attestations (Aug 2021–early 2023)
Throughout late 2021 and 2022 the project added the keyless signing flow, in-toto attestations (pkg/cosign/attestation/attestation.go), the Rekor bundle annotation for offline verification (pkg/cosign/bundle/rekor.go), KMS support, PIV (pkg/cosign/pivkey/) and PKCS#11 (pkg/cosign/pkcs11key/) backends, CUE and Rego policy evaluators (pkg/cosign/cue/, pkg/cosign/rego/), and a growing roster of OIDC providers under pkg/providers/. The cosign attest, cosign verify-attestation, and cosign attach sbom commands all originate here.
The 2.x cleanup (Feb 2023–Sep 2025)
v2.0.0 was tagged on 2023-02-23. The 2.x line consolidated the API surface, made certificate-identity flags mandatory for verify, switched flag names to longer canonical forms (--certificate-identity instead of --cert-identity, see cmd/cosign/cli/commands.go::normalizeCertificateFlags), and swapped the underlying TUF client to theupdateframework/go-tuf. Maintenance releases continued in this line into 2026 (the most recent being v2.6.3).
The sigstore-go migration / v3 (Oct 2025–present)
v3.0.0 was tagged on 2025-10-07. Per the README.md, "future Cosign development will be focused on the next major release which will be based on sigstore-go." v3 introduces the protobuf bundle format as the default (--new-bundle-format=true), the bundle create and trusted-root create and signing-config create subcommands (see cmd/cosign/cli/bundle.go, cmd/cosign/cli/trustedroot.go, cmd/cosign/cli/signingconfig.go), and removes the in-tree signing implementation in favour of sigstore-go's. The Go module path changed to github.com/sigstore/cosign/v3 (visible in every Go file's import block).
A defining commit of this era: Sign exclusively via sigstore-go (#4618) on 2026-04-13. From that point, cmd/cosign/cli/sign/sign.go no longer drives the Fulcio/Rekor flow itself — it builds the sigstore-go Signer and lets it run.
Longest-standing features
- Simple-signing payload (
pkg/oci/static/,pkg/types/payload.go) and the<digest>.sigtag scheme have been part of cosign since the bootstrap era and are still the on-the-wire format for legacy signatures. oci.SignedEntity/oci.Signatureinpkg/oci/interface.goandpkg/oci/signatures.gohave been stable interfaces since the start. Sub-packages (empty,signed,static,mutate,walk,remote,layout) were layered on top over time but did not break the contract.- Encrypted local key files (
pkg/cosign/keys.go, P-256 ECDSA wrapped withnacl/secretboxand scrypt KDF) — the format has been kept compatible since v0/v1.
Deprecated features
cosign attach sbom/cosign download sbom— discouraged in favour of in-toto attestations carrying SPDX or CycloneDX predicates. The flag still works (cmd/cosign/cli/sign.goprintsSBOMAttachmentDeprecationif you set--attachment=sbom).- The
--cert*short flag aliases (--cert,--cert-chain,--cert-email,--cert-oidc-issuer,--cert-identity) —cmd/cosign/cli/commands.go::normalizeCertificateFlagsrewrites them to the canonical--certificate*forms. - GCS releases bucket — the project page warns that releases pulled from the GCS bucket are deprecated as of 2023-07-31 in favour of GitHub release assets.
- The
obsolete.goshim (pkg/cosign/obsolete.go) — small file kept for one-line API compat.
Major rewrites
- Move to
sigstore-go(Oct 2025–Apr 2026). v3 reroutes signing throughsigstore-go, ending years of cosign maintaining its own Fulcio + Rekor + TSA orchestration inpkg/cosign/.pkg/cosign/verify.go(~2,000 lines) is being incrementally trimmed in favour ofverify_bundle.gopaths. - Cobra command structure (early 2022). Commands started life as a flat list and were re-grouped under shared option structs (
cmd/cosign/cli/options/*) — every command now binds to a*Optionsstruct and shares theKeyOptsplumbing. - TUF client swap (2023). From
theupdateframework/go-tufv0 togo-tuf/v2. Visible ingo.modand inpkg/cosign/tuf.go.
Growth trajectory
- Roughly 3,086 commits from 241 unique committers over five years (Feb 2021 → Apr 2026).
- The peak commit cadence visible in
git logis the 2022–2023 windows when keyless signing and attestations were being built. The 2025–2026 window is dominated by sigstore-go integration work. - Roughly 37% of
git logauthor lines look bot-attributed (Dependabot, GitHub Actions automation), reflecting tight upstream supply-chain hygiene — fitting for a project whose product is supply-chain hygiene.
The history is dense in 2022 (attestations, KMS providers landing weekly) and late 2025–2026 (the v3 cutover). Between the two, 2024 was a relatively quiet maintenance year for the 2.x line.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.