Open-Source Wikis

/

Cosign

/

Reference

/

Configuration

sigstore/cosign

Configuration

Cosign has very few config files. Most behavior is driven by command-line flags or environment variables. The authoritative environment-variable registry lives in pkg/cosign/env/env.gocosign env walks it at runtime.

Cosign-owned environment variables

Variable Purpose
COSIGN_EXPERIMENTAL Opt into in-development features
COSIGN_DOCKER_MEDIA_TYPES Use Docker (not OCI) media types — for registries that reject OCI types
COSIGN_PASSWORD Password for cosign-encrypted private keys; bypasses interactive prompt
COSIGN_PKCS11_PIN PIN for PKCS#11 hardware tokens
COSIGN_PKCS11_MODULE_PATH Path to the vendor PKCS#11 .so module
COSIGN_PKCS11_IGNORE_CERTIFICATE Skip cert validation on PKCS#11 tokens
COSIGN_REPOSITORY Override the OCI repository where signatures live
COSIGN_MAX_ATTACHMENT_SIZE Size cap for attachments fetched from a registry

Sigstore-owned variables

Variable Purpose
SIGSTORE_CT_LOG_PUBLIC_KEY_FILE Override the CT log public key
SIGSTORE_ROOT_FILE Override the Fulcio root certificate
SIGSTORE_REKOR_PUBLIC_KEY Override the Rekor public key
SIGSTORE_ID_TOKEN Pre-supplied OIDC token (bypasses interactive flow)
SIGSTORE_TSA_CERTIFICATE_FILE Override the TSA certificate chain

TUF variables

Variable Purpose
TUF_ROOT Local TUF cache directory (default ~/.sigstore/root)
TUF_MIRROR TUF mirror URL
TUF_ROOT_JSON Path to a custom TUF root metadata file

CI provider variables (consumed by pkg/providers/*)

Variable Provider
ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN GitHub Actions
GITHUB_HOST, GITHUB_TOKEN GitHub (for cosign generate-key-pair github://...)
GITLAB_HOST, GITLAB_TOKEN GitLab
BUILDKITE_AGENT_ACCESS_TOKEN, BUILDKITE_AGENT_ENDPOINT, BUILDKITE_JOB_ID, BUILDKITE_AGENT_LOG_LEVEL Buildkite
GOOGLE_SERVICE_ACCOUNT_NAME Google
SPIFFE_ENDPOINT_SOCKET SPIFFE Workload API

To see the live state of every variable on your machine:

cosign env --show-descriptions --show-sensitive=false

The flag set is defined in cmd/cosign/cli/options/env.go and the printer in cmd/cosign/cli/env.go.

Config-file equivalents

There is no global cosign.yaml. Two specific JSON documents act as configuration when present:

  • Trusted roottrusted_root.json, supplied via --trusted-root or pulled by cosign initialize. Contains Fulcio CA, Rekor public key, CT log key, and TSA chain. Authored locally with cosign trusted-root create (cmd/cosign/cli/trustedroot.go).
  • Signing configsigning_config.json, supplied via --signing-config on cosign sign. Specifies which Fulcio/Rekor/TSA endpoints to use. Authored with cosign signing-config create (cmd/cosign/cli/signingconfig.go).

Both are intentionally explicit — there's no auto-discovery from a magic file path.

KMS URIs accepted by --key

Scheme Backing module
awskms://[ENDPOINT]/[ID/ALIAS/ARN] sigstore/sigstore/pkg/signature/kms/aws
gcpkms://projects/.../keyRings/.../cryptoKeys/... sigstore/sigstore/pkg/signature/kms/gcp
azurekms://[VAULT_NAME].vault.azure.net/[KEY] sigstore/sigstore/pkg/signature/kms/azure
hashivault://[KEY] sigstore/sigstore/pkg/signature/kms/hashivault
k8s://[NAMESPACE]/[SECRET] pkg/cosign/kubernetes/
gitlab://[OWNER]/[PROJECT] or gitlab://[ID] pkg/cosign/git/gitlab/
github://[OWNER]/[REPO] pkg/cosign/git/github/
pkcs11:... pkg/cosign/pkcs11key/ (build tag pkcs11key)
env://[ENV_VAR] inline — read directly

KMS providers are pulled into the binary via blank imports at the top of cmd/cosign/main.go.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Configuration – Cosign wiki | Factory