Packages and Binaries:

cosign

This package contains a tool to sign OCI containers (and other artifacts) using Sigstore (https://sigstore.dev/)!

Cosign aims to make signatures invisible infrastructure.

Cosign supports:

  • “Keyless signing” with the Sigstore public good Fulcio certificate authority and Rekor transparency log (default)
  • Hardware and KMS signing
  • Signing with a cosign generated encrypted private/public keypair
  • Container Signing, Verification and Storage in an OCI registry.
  • Bring-your-own PKI

Installed size: 65.58 MB
How to install: sudo apt install cosign

Dependencies:
  • libc6

cosign
root@kali:~# cosign -h
A tool for Container Signing, Verification and Storage in an OCI registry.

Usage:
  cosign [command]

Available Commands:
  attach                  Provides utilities for attaching artifacts to other artifacts in a registry
  attest                  Attest the supplied container image.
  attest-blob             Attest the supplied blob.
  clean                   Remove all signatures from an image.
  completion              Generate completion script
  copy                    Copy the supplied container image and signatures.
  dockerfile              Provides utilities for discovering images in and performing operations on Dockerfiles
  download                Provides utilities for downloading artifacts and attached artifacts in a registry
  env                     Prints Cosign environment variables
  generate                Generates (unsigned) signature payloads from the supplied container image.
  generate-key-pair       Generates a key-pair.
  help                    Help about any command
  import-key-pair         Imports a PEM-encoded RSA or EC private key.
  initialize              Initializes SigStore root to retrieve trusted certificate and key targets for verification.
  load                    Load a signed image on disk to a remote registry
  login                   Log in to a registry
  manifest                Provides utilities for discovering images in and performing operations on Kubernetes manifests
  public-key              Gets a public key from the key-pair.
  save                    Save the container image and associated signatures to disk at the specified directory.
  sign                    Sign the supplied container image.
  sign-blob               Sign the supplied blob, outputting the base64-encoded signature to stdout.
  tree                    Display supply chain security related artifacts for an image such as signatures, SBOMs and attestations
  triangulate             Outputs the located cosign image reference. This is the location cosign stores the specified artifact type.
  upload                  Provides utilities for uploading artifacts to a registry
  verify                  Verify a signature on the supplied container image
  verify-attestation      Verify an attestation on the supplied container image
  verify-blob             Verify a signature on the supplied blob
  verify-blob-attestation Verify an attestation on the supplied blob
  version                 Prints the version

Flags:
  -h, --help                 help for cosign
      --output-file string   log output to a file
  -t, --timeout duration     timeout for commands (default 3m0s)
  -d, --verbose              log debug output

Additional help topics:
  cosign piv-tool                This cosign was not built with piv-tool support!
  cosign pkcs11-tool             This cosign was not built with pkcs11-tool support!

Use "cosign [command] --help" for more information about a command.

Updated on: 2023-May-25