Linux command

cosign command

Text

After copying, replace file names, directories, or parameters as needed.

Common examples

Sign container image (keyless)

cosign sign [registry/image@sha256:digest]

Sign with local key

cosign sign --key [cosign.key] [registry/image@sha256:digest]

Verify image signature (keyless)

cosign verify --certificate-identity=[email] --certificate-oidc-issuer=[issuer] [image]

Verify with public key

cosign verify --key [cosign.pub] [registry/image@sha256:digest]

Generate key pair

cosign generate-key-pair

Sign with annotation

cosign sign -a [key=value] [registry/image@sha256:digest]

Attach SBOM to image

cosign attach sbom --sbom [sbom.json] [registry/image@sha256:digest]

Description

cosign is Sigstore's tool for signing and verifying container images and software artifacts. It supports keyless signing using OIDC identity or traditional key-based signing, providing cryptographic guarantees about image authenticity and integrity. The tool integrates with container registries to attach signatures and attestations as OCI artifacts. Keyless signing leverages short-lived certificates tied to identity providers like GitHub, Google, or Microsoft, eliminating the need to manage long-term signing keys. Signatures are recorded in Sigstore's transparency log (Rekor) for public verification and auditability. cosign also handles SBOMs (Software Bill of Materials), attestations, and other metadata, enabling comprehensive supply chain security. It works with various key management systems including cloud providers' KMS services and hardware security modules.
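As an added example (not cosign's own code), the structural checks that `cosign verify` applies to a signature payload once the signature bytes themselves have been validated against the key or certificate: the digest recorded in the payload must equal the digest of the image being verified, and every annotation requested with `-a key=value` must be present with the same value. The payload layout follows Sigstore's simple signing format; the registry name and digest below are constructed placeholders.

```python
import json

# Payload type cosign records in every container-image signature.
COSIGN_PAYLOAD_TYPE = "cosign container image signature"


def check_signature_payload(payload_bytes, expected_digest, required_annotations=None):
    """Return (ok, reason) for a cosign simple-signing payload.

    Assumes the cryptographic signature over payload_bytes has already been
    verified. A valid signature over a payload naming a different digest
    proves nothing about the image at hand, so the digest check is essential.
    """
    try:
        payload = json.loads(payload_bytes)
    except ValueError as exc:
        return False, f"payload is not valid JSON: {exc}"

    critical = payload.get("critical", {})
    if critical.get("type") != COSIGN_PAYLOAD_TYPE:
        return False, f"unexpected payload type: {critical.get('type')!r}"

    # Verify against a pinned digest, never a mutable tag.
    if not str(expected_digest).startswith("sha256:"):
        return False, "expected digest must be a sha256 digest, not a tag"
    signed_digest = critical.get("image", {}).get("docker-manifest-digest")
    if signed_digest != expected_digest:
        return False, f"digest mismatch: signed {signed_digest!r}, expected {expected_digest!r}"

    # Annotations from `cosign sign -a key=value` land in the optional section;
    # cosign serialises it as null when no annotations were given.
    optional = payload.get("optional") or {}
    for key, value in (required_annotations or {}).items():
        if optional.get(key) != value:
            return False, f"annotation {key}={value!r} missing or differs ({optional.get(key)!r})"

    return True, "payload matches image digest and required annotations"


# Constructed sample payload, shaped like the output of `cosign sign -a env=prod`
# (placeholder registry and digest, not a real image).
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_PAYLOAD = json.dumps({
    "critical": {
        "identity": {"docker-reference": "registry.example.com/app"},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": COSIGN_PAYLOAD_TYPE,
    },
    "optional": {"env": "prod"},
}).encode()
```

Calling `check_signature_payload(SAMPLE_PAYLOAD, SAMPLE_DIGEST, {"env": "prod"})` returns `(True, ...)`, while passing a different digest or an annotation value that was not signed returns `(False, reason)`.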

Parameters

--key _path|uri_
Key for signing/verification
--certificate _path_
Certificate for signing
--certificate-chain _path_
Certificate chain
--certificate-identity _identity_
Expected identity in certificate
--certificate-oidc-issuer _issuer_
Expected OIDC issuer
-a _key=value_
Add annotation to signature

FAQ

What is the cosign command used for?

cosign is Sigstore's tool for signing and verifying container images and software artifacts. It supports keyless signing using OIDC identity or traditional key-based signing, providing cryptographic guarantees about image authenticity and integrity. The tool integrates with container registries to attach signatures and attestations as OCI artifacts. Keyless signing leverages short-lived certificates tied to identity providers like GitHub, Google, or Microsoft, eliminating the need to manage long-term signing keys. Signatures are recorded in Sigstore's transparency log (Rekor) for public verification and auditability. cosign also handles SBOMs (Software Bill of Materials), attestations, and other metadata, enabling comprehensive supply chain security. It works with various key management systems including cloud providers' KMS services and hardware security modules.

How do I run a basic cosign example?

Run `cosign sign [registry/image@sha256:digest]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.

What does --key _path|uri_ do in cosign?

Key for signing/verification