Cosign
Cosign is a tool for signing, verifying, and storing OCI containers and artifacts using Sigstore. It supports keyless signing, hardware/KMS signing, and custom keypairs for container integrity and supply chain security.
Description
Cosign provides container signing, verification, and storage in OCI registries. It enables keyless signing with Sigstore's Fulcio certificate authority and Rekor transparency log by default, alongside support for hardware, KMS, and cosign-generated encrypted keypairs. Users can bring their own PKI for flexible signing workflows.
Primary use cases include attesting container images, signing blobs, managing signatures in registries, and verifying supply chain artifacts like SBOMs. It integrates with Dockerfiles, Kubernetes manifests, and registries for seamless operations in CI/CD pipelines and deployment security.
The CLI tool offers commands for attaching artifacts, copying images with signatures, downloading/uploading to registries, and displaying security-related artifacts via tree view.
How It Works
Cosign operates by generating signatures for OCI container images or blobs using Sigstore's keyless mode (Fulcio CA and Rekor log), hardware tokens, KMS, or PEM-encoded keys. Signatures and attestations are stored as attached artifacts in OCI registries. Verification checks against trusted roots, transparency logs, and public keys, ensuring supply chain integrity through protobuf bundles and triangulated references.
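The two storage conventions mentioned above, the triangulated tag and the signed payload, are small enough to show in code. This is an added illustration written in Python, not code from the Cosign project; the reference formats and constructed digests are assumptions for the example, and the serialization is a canonical stand-in for the bytes cosign's Go implementation emits.

```python
"""Added example (not Cosign's own code): how cosign locates a signature
for an image and what document the signature actually covers."""
import json
import re

# A digest-pinned reference, e.g. registry/repo[:tag]@sha256:<64 hex chars>.
_REF_RE = re.compile(r"^(?P<repo>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def parse_digest_ref(ref: str):
    """Split 'repo[:tag]@sha256:hex' into (repository, digest).
    A plain tag is rejected: cosign resolves a tag to a digest before signing,
    because a tag can be moved to point at different content later."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"expected a digest-pinned reference, got {ref!r}")
    repo = m.group("repo")
    head, sep, last = repo.rpartition("/")
    last = last.split(":", 1)[0]          # drop an optional :tag
    return head + sep + last, m.group("digest")


def triangulate(ref: str, kind: str = "sig") -> str:
    """Tag under which cosign stores an attached artifact for an image:
    <repo>:sha256-<hex>.sig (signatures), .att (attestations), .sbom (SBOMs)."""
    if kind not in ("sig", "att", "sbom"):
        raise ValueError(f"unknown artifact kind {kind!r}")
    repo, digest = parse_digest_ref(ref)
    algo, hexdigest = digest.split(":", 1)
    return f"{repo}:{algo}-{hexdigest}.{kind}"


def simple_signing_payload(ref: str) -> bytes:
    """The document cosign signs: a simple-signing JSON object that binds the
    repository name and the manifest digest of the image."""
    repo, digest = parse_digest_ref(ref)
    doc = {
        "critical": {
            "identity": {"docker-reference": repo},
            "image": {"docker-manifest-digest": digest},
            "type": "cosign container image signature",
        },
        "optional": None,
    }
    return json.dumps(doc, separators=(",", ":"), sort_keys=True).encode()


def payload_matches(payload: bytes, expected_digest: str) -> bool:
    """Verifier-side check that follows cryptographic validation: the digest
    inside the signed payload must equal the digest of the image being
    verified, otherwise a valid signature for some other image is being replayed."""
    try:
        doc = json.loads(payload)
        return doc["critical"]["image"]["docker-manifest-digest"] == expected_digest
    except (ValueError, KeyError, TypeError):
        return False
```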
Installation
sudo apt install cosign
Flags
Examples
cosign -h
cosign version
cosign generate-key-pair
cosign sign <image>
cosign verify <image>
cosign tree <image>
cosign attach <options>