Sign and verify container image provenance using Sigstore Cosign with keyless OIDC-based signing, attestations, and Kubernetes admission enforcement.
Cosign is a Sigstore tool for signing, verifying, and attaching metadata to container images and OCI artifacts. It supports both key-based and keyless (OIDC) signing, integrates with Fulcio (certificate authority) and Rekor (transparency log), and enables supply chain security for container images.
# Install via Go
go install github.com/sigstore/cosign/v2/cmd/cosign@latest
# Install via Homebrew
brew install cosign
# Install via script
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign
# Verify installation
cosign version
# Generate cosign key pair (creates cosign.key and cosign.pub)
cosign generate-key-pair
# Generate key pair stored in KMS
cosign generate-key-pair --kms awskms:///alias/cosign-key
cosign generate-key-pair --kms gcpkms://projects/PROJECT/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY
cosign generate-key-pair --kms hashivault://transit/keys/cosign
# Sign an image
cosign sign --key cosign.key ghcr.io/myorg/myapp:v1.0.0
# Sign with annotations
cosign sign --key cosign.key \
-a "build-id=12345" \
-a "git-sha=$(git rev-parse HEAD)" \
ghcr.io/myorg/myapp:v1.0.0
# Verify signature
cosign verify --key cosign.pub ghcr.io/myorg/myapp:v1.0.0
# Verify with annotation check
cosign verify --key cosign.pub \
-a "build-id=12345" \
ghcr.io/myorg/myapp:v1.0.0
# Keyless sign - opens browser for OIDC auth
cosign sign ghcr.io/myorg/myapp:v1.0.0
# The signature, certificate, and Rekor entry are created automatically
# GitHub Actions (uses OIDC token automatically)
cosign sign ghcr.io/myorg/myapp:v1.0.0 \
--yes
# With explicit identity token
cosign sign ghcr.io/myorg/myapp:v1.0.0 \
--identity-token=$(cat /var/run/sigstore/cosign/oidc-token) \
--yes
# Verify by email identity
cosign verify ghcr.io/myorg/myapp:v1.0.0 \
[email protected] \
--certificate-oidc-issuer=https://accounts.google.com
# Verify by GitHub Actions workflow
cosign verify ghcr.io/myorg/myapp:v1.0.0 \
--certificate-identity=https://github.com/myorg/myrepo/.github/workflows/build.yml@refs/heads/main \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
# Verify with regex matching
cosign verify ghcr.io/myorg/myapp:v1.0.0 \
--certificate-identity-regexp=".*@example.com" \
--certificate-oidc-issuer=https://accounts.google.com
# Generate SBOM
syft ghcr.io/myorg/myapp:v1.0.0 -o cyclonedx-json > sbom.cdx.json
# Attach SBOM as attestation
cosign attest --key cosign.key \
--type cyclonedx \
--predicate sbom.cdx.json \
ghcr.io/myorg/myapp:v1.0.0
# Verify attestation
cosign verify-attestation --key cosign.pub \
--type cyclonedx \
ghcr.io/myorg/myapp:v1.0.0
# Run scan and save results
grype ghcr.io/myorg/myapp:v1.0.0 -o json > vuln-scan.json
# Attach scan results as attestation
cosign attest --key cosign.key \
--type vuln \
--predicate vuln-scan.json \
ghcr.io/myorg/myapp:v1.0.0
# Attach SLSA provenance
cosign attest --key cosign.key \
--type slsaprovenance \
--predicate provenance.json \
ghcr.io/myorg/myapp:v1.0.0
# Verify SLSA provenance
cosign verify-attestation --key cosign.pub \
--type slsaprovenance \
ghcr.io/myorg/myapp:v1.0.0