cosign
5 commands
5 shown
Sign image by digest
Sign by immutable digest, not tag; note: signing a tag is racy and insecure
cosign sign --key cosign.key <host>/<name>@sha256:<id>
Keyless sign via OIDC
Keyless signing with Fulcio/Rekor via OIDC identity; modern: default in cosign v2
COSIGN_EXPERIMENTAL=1 cosign sign <host>/<name>@sha256:<id>
Verify keyless signature
Verify keyless sig pinning the signer identity and OIDC issuer; note: pin both
cosign verify --certificate-identity=<id> --certificate-oidc-issuer=<host> <host>/<name> | jq .
Attest CycloneDX SBOM
Attach a signed CycloneDX SBOM attestation to an image digest
cosign attest --key cosign.key --predicate sbom.json --type cyclonedx <host>/<name>@sha256:<id>
Verify attestation by type
Verify attestation then decode the in-toto payload to inspect the predicate
cosign verify-attestation --key cosign.pub --type cyclonedx <host>/<name> | jq -r '.payload' | base64 -d | jq .
no commands match