Open-Source Wikis

/

Cosign

/

Cosign

/

Glossary

sigstore/cosign

Glossary

Domain vocabulary used throughout the codebase and the Sigstore ecosystem cosign integrates with.

Term Meaning
Sigstore The umbrella project that comprises Fulcio, Rekor, the TUF trust root, the public-good instance, and the various clients including cosign.
Fulcio A short-lived code-signing CA. Given an OIDC token and a CSR, Fulcio returns a certificate (~10 min validity) whose Subject Alternative Name is the OIDC identity. Used in keyless signing.
Rekor An immutable, append-only Merkle-tree transparency log of signing events. Every keyless signature ends up here so verifiers can prove a signature existed at a specific time.
TSA RFC3161 timestamp authority. Optional cosign extension that pins the signing time independently of Rekor. Implemented under pkg/cosign/tsa.go.
TUF The Update Framework. Cosign uses a TUF repository (default: the public Sigstore one) to distribute the trusted_root.json containing Fulcio CA, Rekor public key, CT log key, and TSA chain. See pkg/cosign/tuf.go.
Keyless signing Default signing mode. The user proves identity via OIDC, Fulcio issues a short-lived cert bound to that identity, and the inclusion proof in Rekor is the durable evidence. No long-lived signing key.
OIDC OpenID Connect. The identity protocol Fulcio accepts (Google, GitHub Actions, GitLab CI, Buildkite, SPIFFE, custom issuers). Token providers are pluggable — see pkg/providers/.
OCI artifact A blob stored in an OCI registry. Cosign uses three flavors: container images, image indexes, and "tag-based attached" signatures/attestations/SBOMs.
Cosign signature An OCI artifact pushed to a deterministic tag derived from the signed digest (sha256-<digest>.sig). Layers contain the base64 signature in annotations and the simple-signing payload as the layer blob. See specs/SIGNATURE_SPEC.md.
Simple signing payload The minimal JSON payload format cosign signs: {"critical":{"identity":{"docker-reference":"..."},"image":{"docker-manifest-digest":"sha256:..."},"type":"cosign container image signature"},"optional":{...}}.
Bundle (Rekor) Legacy bundle: {SignedEntryTimestamp, Payload}. Stored as an annotation on the signature layer to enable offline verification. See pkg/cosign/bundle/rekor.go.
Bundle (Sigstore protobuf, "new bundle format") The default format from cosign 3.x. A self-contained protobuf message containing the signature, certificate chain, Rekor entry, and optional TSA timestamp. Verifiable entirely offline. See pkg/cosign/bundle/protobundle.go and specs/BUNDLE_SPEC.md.
Attestation An in-toto Statement signed and attached to an artifact. Cosign uses DSSE envelopes. The cosign attest family of commands creates them.
Predicate The body of an in-toto Statement, identified by a predicateType URI. Cosign ships shortcuts for slsaprovenance, vuln, cyclonedx, spdx, link, etc. (see cmd/cosign/cli/options/predicate.go).
DSSE Dead Simple Signing Envelope. The signing format used for attestations.
SBOM Software Bill of Materials, attached as an artifact. The legacy cosign attach sbom flow is deprecated; SPDX/CycloneDX SBOMs should be wrapped as attestations.
SCT Signed Certificate Timestamp. Proof that a Fulcio-issued certificate was logged in a CT log. Cosign verifies SCTs in pkg/cosign/verify_sct.go.
CT log Certificate Transparency log. Holds Fulcio-issued certificates.
Trusted root A TrustedRoot JSON document (defined by sigstore/protobuf-specs) containing Fulcio CA certs, Rekor public keys, CT log keys, and TSA chains. Distributed via TUF.
Signing config A SigningConfig document specifying which Fulcio/Rekor/TSA instances to use. New in v3 — see cmd/cosign/cli/signingconfig.go.
Triangulate Walk from an image digest to the deterministic tag where its signatures/attestations live. Implemented in cmd/cosign/cli/triangulate.go.
Tree Show all attached artifacts (signatures, attestations, SBOMs) for an image. See cmd/cosign/cli/tree.go.
PIV / pivkey Smart-card / Yubikey-stored signing keys via the PIV interface. Built behind the pivkey Go build tag.
PKCS#11 Generic hardware-security-module signing interface. Built behind the pkcs11key build tag, requires CGO and a vendor .so.
KMS URI A scheme-prefixed reference to a key managed by a cloud KMS or other backend, e.g. awskms://..., gcpkms://..., azurekms://..., hashivault://..., k8s://..., env://....
--new-bundle-format Flag flipping cosign between the legacy attached-OCI signature format and the protobuf-bundle format. Default is now true for sign and verify.
Conformance The sigstore-conformance test suite that exercises every Sigstore client against the same test vectors. The adapter is cmd/conformance/.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Glossary – Cosign wiki | Factory