Open-Source Wikis

/

Cosign

/

Reference

/

Dependencies

sigstore/cosign

Dependencies

Cosign's go.mod declares module github.com/sigstore/cosign/v3 and go 1.25.7. The headline dependencies are stable: most are part of the broader Sigstore stack or supply-chain tooling.

Sigstore stack

Module Why
github.com/sigstore/sigstore Signers, KMS adapters, key parsing — the lowest-level Sigstore Go module
github.com/sigstore/sigstore-go The new high-level signing/verification engine; v3 routes signing and bundle verification through it
github.com/sigstore/fulcio Fulcio client (CSR-based cert issuance)
github.com/sigstore/rekor Rekor client (transparency log)
github.com/sigstore/rekor-tiles/v2 Tile-based Rekor client (newer Rekor v2 deployments)
github.com/sigstore/timestamp-authority/v2 TSA client (RFC3161 timestamps)
github.com/sigstore/protobuf-specs Generated Go for the Sigstore protobuf wire formats (bundle, trusted-root, signing-config)
github.com/sigstore/sigstore/pkg/signature/kms/{aws,azure,gcp,hashivault} KMS provider plugins, blank-imported in cmd/cosign/main.go

OCI / registry

Module Why
github.com/google/go-containerregistry All registry I/O
github.com/awslabs/amazon-ecr-credential-helper/ecr-login ECR auth helper
github.com/chrismellard/docker-credential-acr-env Azure ACR auth
github.com/mozillazg/docker-credential-acr-helper Azure ACR helper

Cobra and config

Module Why
github.com/spf13/cobra CLI framework
github.com/spf13/pflag POSIX flag handling
github.com/spf13/viper Config binding (options.BindViper)
github.com/withfig/autocomplete-tools/integrations/cobra Autocomplete spec generation

In-toto / DSSE / attestations

Module Why
github.com/in-toto/in-toto-golang in-toto Statement types
github.com/in-toto/attestation Generated in-toto attestation predicate types
github.com/secure-systems-lab/go-securesystemslib DSSE envelopes

Policy / attestation evaluation

Module Why
cuelang.org/go CUE policies (pkg/cosign/cue/)
github.com/open-policy-agent/opa Rego policies (pkg/cosign/rego/)

OIDC / providers

Module Why
golang.org/x/oauth2 OAuth2 / OIDC primitives
github.com/go-jose/go-jose/v4 JOSE (JWT/JWS/JWE)
github.com/spiffe/go-spiffe/v2 SPIFFE provider
github.com/buildkite/agent/v3 Buildkite provider
cloud.google.com/go/compute/metadata GCE metadata-server based Google provider
github.com/google/go-github/v73 GitHub provider
gitlab.com/gitlab-org/api/client-go GitLab provider
google.golang.org/api Google Cloud client surface

TUF and trust

Module Why
github.com/theupdateframework/go-tuf/v2 TUF client (loads trusted_root.json)
github.com/google/certificate-transparency-go CT log primitives, used in verify_sct.go
github.com/transparency-dev/merkle Merkle proof verification

Hardware

Module Why
github.com/go-piv/piv-go/v2 PIV smart card support
github.com/ThalesIgnite/crypto11, github.com/miekg/pkcs11 PKCS#11 support

Crypto and miscellaneous

Module Why
github.com/cyberphone/json-canonicalization RFC8785 JCS for canonical JSON over signed payloads
github.com/digitorus/timestamp RFC3161 parsing
github.com/google/go-cmp Test diffs
github.com/stretchr/testify Test assertions
github.com/manifoldco/promptui Interactive prompts
github.com/moby/term, github.com/mitchellh/go-wordwrap Terminal/UI helpers in internal/ui/
github.com/dustin/go-humanize Human-readable byte/size formatting
github.com/nozzle/throttler Concurrency limiter for batch operations
golang.org/x/{crypto,sync,term} Standard extensions

Notes

  • Dependabot and the depsreview.yml workflow keep these moving. Roughly 37% of git log author lines look bot-attributed (see by-the-numbers), most of that from dependency bumps.
  • The release/ and goreleaser configs sign the released binaries themselves with cosign — the project eats its own dog food.
  • go.sum is exactly 95 KB at this commit, reflecting a pretty large dependency closure mostly inherited from sigstore-go, opa, and cuelang.org/go.

For the full, authoritative list (including indirect dependencies), see go.mod and go.sum at the repo root.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Dependencies – Cosign wiki | Factory