Open-Source Wikis

/

Cosign

/

Lore

sigstore/cosign

Lore

A timeline of how cosign got to where it is today, derived from git log, tag dates, and the long-form CHANGELOG.md.

Eras

The bootstrap (Feb–Jul 2021)

The first commit landed on 2021-02-04. Cosign began as the Sigstore project's answer to "how do I sign a container image without a long-lived key?" — a CLI that pushed signatures to OCI registries as sibling artifacts (the original sha256-<digest>.sig tag scheme). The core abstractions — pkg/oci/SignedEntity, pkg/oci/Signature, pkg/cosign/Verify* — date from this period. v1.0.0 was tagged on 2021-07-28.

Keyless and attestations (Aug 2021–early 2023)

Throughout late 2021 and 2022 the project added the keyless signing flow, in-toto attestations (pkg/cosign/attestation/attestation.go), the Rekor bundle annotation for offline verification (pkg/cosign/bundle/rekor.go), KMS support, PIV (pkg/cosign/pivkey/) and PKCS#11 (pkg/cosign/pkcs11key/) backends, CUE and Rego policy evaluators (pkg/cosign/cue/, pkg/cosign/rego/), and a growing roster of OIDC providers under pkg/providers/. The cosign attest, cosign verify-attestation, and cosign attach sbom commands all originate here.

The 2.x cleanup (Feb 2023–Sep 2025)

v2.0.0 was tagged on 2023-02-23. The 2.x line consolidated the API surface, made certificate-identity flags mandatory for verify, switched flag names to longer canonical forms (--certificate-identity instead of --cert-identity, see cmd/cosign/cli/commands.go::normalizeCertificateFlags), and swapped the underlying TUF client to theupdateframework/go-tuf. Maintenance releases continued in this line into 2026 (the most recent being v2.6.3).

The sigstore-go migration / v3 (Oct 2025–present)

v3.0.0 was tagged on 2025-10-07. Per the README.md, "future Cosign development will be focused on the next major release which will be based on sigstore-go." v3 introduces the protobuf bundle format as the default (--new-bundle-format=true), the bundle create and trusted-root create and signing-config create subcommands (see cmd/cosign/cli/bundle.go, cmd/cosign/cli/trustedroot.go, cmd/cosign/cli/signingconfig.go), and removes the in-tree signing implementation in favour of sigstore-go's. The Go module path changed to github.com/sigstore/cosign/v3 (visible in every Go file's import block).

A defining commit of this era: Sign exclusively via sigstore-go (#4618) on 2026-04-13. From that point, cmd/cosign/cli/sign/sign.go no longer drives the Fulcio/Rekor flow itself — it builds the sigstore-go Signer and lets it run.

Longest-standing features

  • Simple-signing payload (pkg/oci/static/, pkg/types/payload.go) and the <digest>.sig tag scheme have been part of cosign since the bootstrap era and are still the on-the-wire format for legacy signatures.
  • oci.SignedEntity / oci.Signature in pkg/oci/interface.go and pkg/oci/signatures.go have been stable interfaces since the start. Sub-packages (empty, signed, static, mutate, walk, remote, layout) were layered on top over time but did not break the contract.
  • Encrypted local key files (pkg/cosign/keys.go, P-256 ECDSA wrapped with nacl/secretbox and scrypt KDF) — the format has been kept compatible since v0/v1.

Deprecated features

  • cosign attach sbom / cosign download sbom — discouraged in favour of in-toto attestations carrying SPDX or CycloneDX predicates. The flag still works (cmd/cosign/cli/sign.go prints SBOMAttachmentDeprecation if you set --attachment=sbom).
  • The --cert* short flag aliases (--cert, --cert-chain, --cert-email, --cert-oidc-issuer, --cert-identity) — cmd/cosign/cli/commands.go::normalizeCertificateFlags rewrites them to the canonical --certificate* forms.
  • GCS releases bucket — the project page warns that releases pulled from the GCS bucket are deprecated as of 2023-07-31 in favour of GitHub release assets.
  • The obsolete.go shim (pkg/cosign/obsolete.go) — small file kept for one-line API compat.

Major rewrites

  • Move to sigstore-go (Oct 2025–Apr 2026). v3 reroutes signing through sigstore-go, ending years of cosign maintaining its own Fulcio + Rekor + TSA orchestration in pkg/cosign/. pkg/cosign/verify.go (~2,000 lines) is being incrementally trimmed in favour of verify_bundle.go paths.
  • Cobra command structure (early 2022). Commands started life as a flat list and were re-grouped under shared option structs (cmd/cosign/cli/options/*) — every command now binds to a *Options struct and shares the KeyOpts plumbing.
  • TUF client swap (2023). From theupdateframework/go-tuf v0 to go-tuf/v2. Visible in go.mod and in pkg/cosign/tuf.go.

Growth trajectory

  • Roughly 3,086 commits from 241 unique committers over five years (Feb 2021 → Apr 2026).
  • The peak commit cadence visible in git log is the 2022–2023 windows when keyless signing and attestations were being built. The 2025–2026 window is dominated by sigstore-go integration work.
  • Roughly 37% of git log author lines look bot-attributed (Dependabot, GitHub Actions automation), reflecting tight upstream supply-chain hygiene — fitting for a project whose product is supply-chain hygiene.

The history is dense in 2022 (attestations, KMS providers landing weekly) and late 2025–2026 (the v3 cutover). Between the two, 2024 was a relatively quiet maintenance year for the 2.x line.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Lore – Cosign wiki | Factory