cosign

Code signing and transparency for containers and binaries

Cosign is a command line utility that is used to sign software artifacts and verify signatures using Sigstore.

Sigstore has a number of language specific clients that you can use to build custom tooling. Although a number of the clients include a basic CLI, Cosign is the recommended tool for signing and verifying.

secops

https://www.sigstore.dev

amd64 arm64

Installation

1. Add WakeMeOps repository

curl -sSL https://raw.githubusercontent.com/upciti/wakemeops/main/assets/install_repository | sudo bash

2. Install cosign

sudo apt install cosign

Snippets

Dockerfile:

FROM wakemeops/minideb:bullseye

RUN install_packages \
    cosign=2.4.1*

USER 1001

GitHub Actions:

- name: Install dependencies
  uses: upciti/wakemeops-action@v1
  with:
    packages: |
      cosign=2.4.1*

Download URLs

Version SHA256 Size (KB)
2.4.1 810149af9a08ed10c9f2b968564631a2eae700428c7e1c58c03e0a41f75dbad1 16987
2.4.1 759c3d72be4b4a1082317881863baf3e427158823bab54f86018048fa09df7d0 14578

Blueprints

Debian packages listed on this page are generated from ops2deb YAML blueprints. Blueprints for cosign are versioned here.

https://github.com/upciti/wakemeops/blob/main/blueprints/secops/cosign/ops2deb.yml
name: cosign
matrix:
  architectures:
    - amd64
    - arm64
  versions:
    - 2.4.1
homepage: https://www.sigstore.dev
summary: code signing and transparency for containers and binaries
description: |-
  Cosign is a command line utility that is used to sign software artifacts and
  verify signatures using Sigstore.

  Sigstore has a number of language specific clients that you can use to build
  custom tooling. Although a number of the clients include a basic CLI, Cosign is
  the recommended tool for signing and verifying.
fetch: https://github.com/sigstore/cosign/releases/download/v{{version}}/cosign-linux-{{target}}
install:
  - cosign-linux-{{target}}:/usr/bin/cosign

The blueprint fetch keyword contains a URL template pointing to cosign releases. Downloaded files are locked in a lockfile versioned here.

https://github.com/upciti/wakemeops/blob/main/blueprints/secops/cosign/ops2deb.lock.yml
- url: https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-amd64
  sha256: 8b24b946dd5809c6bd93de08033bcf6bc0ed7d336b7785787c080f574b89249b
  timestamp: 2024-11-25 12:30:15+00:00
- url: https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-arm64
  sha256: 3b2e2e3854d0356c45fe6607047526ccd04742d20bd44afb5be91fa2a6e7cb4a
  timestamp: 2024-11-25 12:30:15+00:00
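
The check that this lockfile makes possible, as an added example (not code from ops2deb or WakeMeOps): render the blueprint's fetch template, look up the pinned digest for that URL, and reject a file that is unpinned or whose SHA-256 differs. The function names, the stand-in payload and its lock entry are constructed for illustration.

```python
import hashlib
import re

# URL template copied from the blueprint's fetch key shown above.
FETCH = ("https://github.com/sigstore/cosign/releases/download/"
         "v{{version}}/cosign-linux-{{target}}")


def render(template, **values):
    """Fill {{name}} placeholders; an unknown name raises KeyError."""
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: values[m.group(1)], template)


def parse_lock(text):
    """Map url -> sha256 for the flat '- url: / sha256:' layout shown above."""
    pins, url = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().lstrip("- ").partition(": ")
        if key == "url":
            url = value.strip()
        elif key == "sha256" and url:
            pins[url] = value.strip().lower()
            url = None  # a digest belongs to exactly one preceding url
    return pins


def verify(blob, url, pins):
    """Fail closed: an unpinned URL is rejected just like a digest mismatch."""
    expected = pins.get(url)
    if expected is None:
        return "unpinned"
    return "ok" if hashlib.sha256(blob).hexdigest() == expected else "mismatch"


# Constructed sample data: a stand-in payload and a lock entry pinning it.
SAMPLE_BLOB = b"constructed stand-in for a cosign binary\n"
AMD64_URL = render(FETCH, version="2.4.1", target="amd64")
SAMPLE_LOCK = (
    f"- url: {AMD64_URL}\n"
    f"  sha256: {hashlib.sha256(SAMPLE_BLOB).hexdigest()}\n"
    "  timestamp: 2024-01-01 00:00:00+00:00\n"  # constructed timestamp
)

if __name__ == "__main__":
    pins = parse_lock(SAMPLE_LOCK)
    arm64_url = render(FETCH, version="2.4.1", target="arm64")
    print("pinned file:   ", verify(SAMPLE_BLOB, AMD64_URL, pins))
    print("modified file: ", verify(SAMPLE_BLOB + b"\x00", AMD64_URL, pins))
    print("no lock entry: ", verify(SAMPLE_BLOB, arm64_url, pins))
```

To check a real download, pass the contents of ops2deb.lock.yml to `parse_lock` and the downloaded file's bytes to `verify`.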

Badge

Markdown:

[![WakeMeOps](https://docs.wakemeops.com/badges/cosign.svg)](https://docs.wakemeops.com/packages/cosign)

HTML:

<a href="https://docs.wakemeops.com/packages/cosign">
  <img src="https://docs.wakemeops.com/badges/cosign.svg"/>
</a>

reStructuredText:

.. image:: https://docs.wakemeops.com/badges/cosign.svg
   :target: https://docs.wakemeops.com/packages/cosign