sigstore/cosign
Configuration
Cosign has very few config files. Most behavior is driven by command-line flags or environment variables. The authoritative environment-variable registry lives in pkg/cosign/env/env.go — cosign env walks it at runtime.
Cosign-owned environment variables
| Variable | Purpose |
|---|---|
COSIGN_EXPERIMENTAL |
Opt into in-development features |
COSIGN_DOCKER_MEDIA_TYPES |
Use Docker (not OCI) media types — for registries that reject OCI types |
COSIGN_PASSWORD |
Password for cosign-encrypted private keys; bypasses interactive prompt |
COSIGN_PKCS11_PIN |
PIN for PKCS#11 hardware tokens |
COSIGN_PKCS11_MODULE_PATH |
Path to the vendor PKCS#11 .so module |
COSIGN_PKCS11_IGNORE_CERTIFICATE |
Skip cert validation on PKCS#11 tokens |
COSIGN_REPOSITORY |
Override the OCI repository where signatures live |
COSIGN_MAX_ATTACHMENT_SIZE |
Size cap for attachments fetched from a registry |
Sigstore-owned variables
| Variable | Purpose |
|---|---|
SIGSTORE_CT_LOG_PUBLIC_KEY_FILE |
Override the CT log public key |
SIGSTORE_ROOT_FILE |
Override the Fulcio root certificate |
SIGSTORE_REKOR_PUBLIC_KEY |
Override the Rekor public key |
SIGSTORE_ID_TOKEN |
Pre-supplied OIDC token (bypasses interactive flow) |
SIGSTORE_TSA_CERTIFICATE_FILE |
Override the TSA certificate chain |
TUF variables
| Variable | Purpose |
|---|---|
TUF_ROOT |
Local TUF cache directory (default ~/.sigstore/root) |
TUF_MIRROR |
TUF mirror URL |
TUF_ROOT_JSON |
Path to a custom TUF root metadata file |
CI provider variables (consumed by pkg/providers/*)
| Variable | Provider |
|---|---|
ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN |
GitHub Actions |
GITHUB_HOST, GITHUB_TOKEN |
GitHub (for cosign generate-key-pair github://...) |
GITLAB_HOST, GITLAB_TOKEN |
GitLab |
BUILDKITE_AGENT_ACCESS_TOKEN, BUILDKITE_AGENT_ENDPOINT, BUILDKITE_JOB_ID, BUILDKITE_AGENT_LOG_LEVEL |
Buildkite |
GOOGLE_SERVICE_ACCOUNT_NAME |
|
SPIFFE_ENDPOINT_SOCKET |
SPIFFE Workload API |
To see the live state of every variable on your machine:
cosign env --show-descriptions --show-sensitive=falseThe flag set is defined in cmd/cosign/cli/options/env.go and the printer in cmd/cosign/cli/env.go.
Config-file equivalents
There is no global cosign.yaml. Two specific JSON documents act as configuration when present:
- Trusted root —
trusted_root.json, supplied via--trusted-rootor pulled bycosign initialize. Contains Fulcio CA, Rekor public key, CT log key, and TSA chain. Authored locally withcosign trusted-root create(cmd/cosign/cli/trustedroot.go). - Signing config —
signing_config.json, supplied via--signing-configoncosign sign. Specifies which Fulcio/Rekor/TSA endpoints to use. Authored withcosign signing-config create(cmd/cosign/cli/signingconfig.go).
Both are intentionally explicit — there's no auto-discovery from a magic file path.
KMS URIs accepted by --key
| Scheme | Backing module |
|---|---|
awskms://[ENDPOINT]/[ID/ALIAS/ARN] |
sigstore/sigstore/pkg/signature/kms/aws |
gcpkms://projects/.../keyRings/.../cryptoKeys/... |
sigstore/sigstore/pkg/signature/kms/gcp |
azurekms://[VAULT_NAME].vault.azure.net/[KEY] |
sigstore/sigstore/pkg/signature/kms/azure |
hashivault://[KEY] |
sigstore/sigstore/pkg/signature/kms/hashivault |
k8s://[NAMESPACE]/[SECRET] |
pkg/cosign/kubernetes/ |
gitlab://[OWNER]/[PROJECT] or gitlab://[ID] |
pkg/cosign/git/gitlab/ |
github://[OWNER]/[REPO] |
pkg/cosign/git/github/ |
pkcs11:... |
pkg/cosign/pkcs11key/ (build tag pkcs11key) |
env://[ENV_VAR] |
inline — read directly |
KMS providers are pulled into the binary via blank imports at the top of cmd/cosign/main.go.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.