Cosign
ELI5 — The Vibe Check
Cosign is the tool for signing container images, SBOMs, and other artifacts. It's part of the Sigstore project and makes image signing as easy as 'cosign sign.' It stores signatures in OCI registries alongside the images, supports keyless signing (via OIDC), and is becoming the industry standard. It's the PGP of the container world, but actually usable.
Real Talk
Cosign is a Sigstore tool for signing, verifying, and attaching metadata to OCI images and other artifacts. It supports both key-based signing (a key pair you manage) and keyless signing (a short-lived certificate tied to an OIDC identity, such as the one a CI provider like GitHub Actions issues to a workflow run). Signatures are stored as OCI artifacts in the same registry as the image, so no separate signature store is needed, and admission controllers can verify them at deployment time before a workload is admitted. It can sign and verify images, SBOMs, and attestations.
Show Me The Code
# Sign an image (keyless, using the GitHub Actions OIDC token of the running workflow)
# Prefer signing by digest (myapp@sha256:...) rather than by tag, so the signature is bound to immutable content.
cosign sign myregistry.com/myapp:latest
# Verify an image. Both checks must pass: the certificate's identity (SAN) and the OIDC issuer that vouched for it.
# For GitHub Actions the identity is the workflow URL plus git ref; <org>, <repo> and <workflow> below are placeholders.
cosign verify myregistry.com/myapp:latest \
  --certificate-identity=https://github.com/<org>/<repo>/.github/workflows/<workflow>.yml@refs/heads/main \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
When You'll Hear This
"Cosign keyless signing uses our GitHub Actions identity — no keys to manage." / "Kubernetes admission policy requires Cosign signatures on all production images."
Related Terms
Image Signing
Image Signing is like putting a wax seal on your Docker images.
Sigstore
Sigstore makes signing software as easy as logging in with your Google account. No managing PGP keys, no key rotation headaches.
Supply Chain Security
Supply Chain Security protects the entire path from code to production — dependencies, build systems, registries, everything.