cosign

Definition

Cosign is an open-source tool used for signing, verifying, and storing container images and other software artifacts. It is part of the Sigstore project, which aims to improve the security of the software supply chain by providing a way to ensure the integrity and authenticity of software components. Cosign uses cryptographic signatures to verify that an image has not been tampered with and that it originates from a trusted source.

Secure Settings Example

# Sign a container image with a key pair
cosign sign --key cosign.key docker.io/myrepo/myimage:latest

# Verify the signed container image
cosign verify --key cosign.pub docker.io/myrepo/myimage:latest

Insecure Settings Example

# Signing an image without specifying a key, relying on default behavior
cosign sign docker.io/myrepo/myimage:latest

# Verifying an image without specifying a key, which may lead to trust issues
cosign verify docker.io/myrepo/myimage:latest