sigstore/cosign
Glossary
Domain vocabulary used throughout the codebase and the Sigstore ecosystem cosign integrates with.
| Term | Meaning |
|---|---|
| Sigstore | The umbrella project that comprises Fulcio, Rekor, the TUF trust root, the public-good instance, and the various clients including cosign. |
| Fulcio | A short-lived code-signing CA. Given an OIDC token and a CSR, Fulcio returns a certificate (~10 min validity) whose Subject Alternative Name is the OIDC identity. Used in keyless signing. |
| Rekor | An immutable, append-only Merkle-tree transparency log of signing events. Every keyless signature ends up here so verifiers can prove a signature existed at a specific time. |
| TSA | RFC3161 timestamp authority. Optional cosign extension that pins the signing time independently of Rekor. Implemented under pkg/cosign/tsa.go. |
| TUF | The Update Framework. Cosign uses a TUF repository (default: the public Sigstore one) to distribute the trusted_root.json containing Fulcio CA, Rekor public key, CT log key, and TSA chain. See pkg/cosign/tuf.go. |
| Keyless signing | Default signing mode. The user proves identity via OIDC, Fulcio issues a short-lived cert bound to that identity, and the inclusion proof in Rekor is the durable evidence. No long-lived signing key. |
| OIDC | OpenID Connect. The identity protocol Fulcio accepts (Google, GitHub Actions, GitLab CI, Buildkite, SPIFFE, custom issuers). Token providers are pluggable — see pkg/providers/. |
| OCI artifact | A blob stored in an OCI registry. Cosign uses three flavors: container images, image indexes, and "tag-based attached" signatures/attestations/SBOMs. |
| Cosign signature | An OCI artifact pushed to a deterministic tag derived from the signed digest (sha256-<digest>.sig). Layers contain the base64 signature in annotations and the simple-signing payload as the layer blob. See specs/SIGNATURE_SPEC.md. |
| Simple signing payload | The minimal JSON payload format cosign signs: {"critical":{"identity":{"docker-reference":"..."},"image":{"docker-manifest-digest":"sha256:..."},"type":"cosign container image signature"},"optional":{...}}. |
| Bundle (Rekor) | Legacy bundle: {SignedEntryTimestamp, Payload}. Stored as an annotation on the signature layer to enable offline verification. See pkg/cosign/bundle/rekor.go. |
| Bundle (Sigstore protobuf, "new bundle format") | The default format from cosign 3.x. A self-contained protobuf message containing the signature, certificate chain, Rekor entry, and optional TSA timestamp. Verifiable entirely offline. See pkg/cosign/bundle/protobundle.go and specs/BUNDLE_SPEC.md. |
| Attestation | An in-toto Statement signed and attached to an artifact. Cosign uses DSSE envelopes. The cosign attest family of commands creates them. |
| Predicate | The body of an in-toto Statement, identified by a predicateType URI. Cosign ships shortcuts for slsaprovenance, vuln, cyclonedx, spdx, link, etc. (see cmd/cosign/cli/options/predicate.go). |
| DSSE | Dead Simple Signing Envelope. The signing format used for attestations. |
| SBOM | Software Bill of Materials, attached as an artifact. The legacy cosign attach sbom flow is deprecated; SPDX/CycloneDX SBOMs should be wrapped as attestations. |
| SCT | Signed Certificate Timestamp. Proof that a Fulcio-issued certificate was logged in a CT log. Cosign verifies SCTs in pkg/cosign/verify_sct.go. |
| CT log | Certificate Transparency log. Holds Fulcio-issued certificates. |
| Trusted root | A TrustedRoot JSON document (defined by sigstore/protobuf-specs) containing Fulcio CA certs, Rekor public keys, CT log keys, and TSA chains. Distributed via TUF. |
| Signing config | A SigningConfig document specifying which Fulcio/Rekor/TSA instances to use. New in v3 — see cmd/cosign/cli/signingconfig.go. |
| Triangulate | Walk from an image digest to the deterministic tag where its signatures/attestations live. Implemented in cmd/cosign/cli/triangulate.go. |
| Tree | Show all attached artifacts (signatures, attestations, SBOMs) for an image. See cmd/cosign/cli/tree.go. |
| PIV / pivkey | Smart-card / Yubikey-stored signing keys via the PIV interface. Built behind the pivkey Go build tag. |
| PKCS#11 | Generic hardware-security-module signing interface. Built behind the pkcs11key build tag, requires CGO and a vendor .so. |
| KMS URI | A scheme-prefixed reference to a key managed by a cloud KMS or other backend, e.g. awskms://..., gcpkms://..., azurekms://..., hashivault://..., k8s://..., env://.... |
--new-bundle-format |
Flag flipping cosign between the legacy attached-OCI signature format and the protobuf-bundle format. Default is now true for sign and verify. |
| Conformance | The sigstore-conformance test suite that exercises every Sigstore client against the same test vectors. The adapter is cmd/conformance/. |
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.