cosign

Code signing and transparency for containers and binaries

Cosign is a command line utility that is used to sign software artifacts and verify signatures using Sigstore.

Sigstore has a number of language specific clients that you can use to build custom tooling. Although a number of the clients include a basic CLI, Cosign is the recommended tool for signing and verifying.

secops

https://www.sigstore.dev

amd64 arm64

Installation

1. Add WakeMeOps repository

curl -sSL https://raw.githubusercontent.com/upciti/wakemeops/main/assets/install_repository | sudo bash

2. Install cosign

sudo apt install cosign

Snippets

Dockerfile:

FROM wakemeops/minideb:bullseye

RUN install_packages \
    cosign=2.4.2*

USER 1001

GitHub Actions step:

- name: Install dependencies
  uses: upciti/wakemeops-action@v1
  with:
    packages: |
      cosign=2.4.2*

Download URLs

Version SHA256 Size (KB)
2.4.2 cc386479dfe5d1a6c6b392dca7c60482062980bdcfe9674630f21f0e036b0b7b 17350
2.4.1 810149af9a08ed10c9f2b968564631a2eae700428c7e1c58c03e0a41f75dbad1 16987

Version SHA256 Size (KB)
2.4.2 397cf7755b5d1f37d5c74781af5aa7532879cbf8fa2db120337a41cb8c92fd86 14855
2.4.1 759c3d72be4b4a1082317881863baf3e427158823bab54f86018048fa09df7d0 14578

Blueprints

Debian packages listed on this page are generated from ops2deb YAML blueprints. Blueprints for cosign are versioned here:

https://github.com/upciti/wakemeops/blob/main/blueprints/secops/cosign/ops2deb.yml
name: cosign
matrix:
  architectures:
    - amd64
    - arm64
  versions:
    - 2.4.1
    - 2.4.2
homepage: https://www.sigstore.dev
summary: code signing and transparency for containers and binaries
description: |-
  Cosign is a command line utility that is used to sign software artifacts and
  verify signatures using Sigstore.

  Sigstore has a number of language specific clients that you can use to build
  custom tooling. Although a number of the clients include a basic CLI, Cosign is
  the recommended tool for signing and verifying.
fetch: https://github.com/sigstore/cosign/releases/download/v{{version}}/cosign-linux-{{target}}
install:
  - cosign-linux-{{target}}:/usr/bin/cosign

The blueprint fetch keyword contains a URL template pointing to cosign releases. Downloaded files are locked in a lockfile versioned here:

https://github.com/upciti/wakemeops/blob/main/blueprints/secops/cosign/ops2deb.lock.yml
- url: https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-amd64
  sha256: 8b24b946dd5809c6bd93de08033bcf6bc0ed7d336b7785787c080f574b89249b
  timestamp: 2024-11-25 12:30:15+00:00
- url: https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-arm64
  sha256: 3b2e2e3854d0356c45fe6607047526ccd04742d20bd44afb5be91fa2a6e7cb4a
  timestamp: 2024-11-25 12:30:15+00:00
- url: https://github.com/sigstore/cosign/releases/download/v2.4.2/cosign-linux-amd64
  sha256: e7f5bd99a790703333e8f8e8e6c91d5e646f3d7041e4cf935b56587de20cec3f
  timestamp: 2025-02-04 21:05:54+00:00
- url: https://github.com/sigstore/cosign/releases/download/v2.4.2/cosign-linux-arm64
  sha256: 9ab2a932190161d67b9fcda81777e28086b2152c7d506a0e2f83dbb3fd7e2b1c
  timestamp: 2025-02-04 21:05:54+00:00
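
The check that such a lockfile makes possible, as an added example (not code from ops2deb or WakeMeOps): render the fetch template, look the URL up in the lock entries, and accept a download only if its SHA-256 matches. The function names, the minimal lock parser and the sample binary and digest are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Fetch template as shown in the blueprint above.
FETCH_TEMPLATE = (
    "https://github.com/sigstore/cosign/releases/download/"
    "v{{version}}/cosign-linux-{{target}}"
)

def render_url(template, version, target):
    """Fill the {{version}} and {{target}} placeholders of a fetch template."""
    values = {"version": version, "target": target}
    # An unknown placeholder raises KeyError instead of yielding a partial URL.
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: values[m.group(1)], template)

def parse_lock(text):
    """Parse the flat '- url: / sha256: / timestamp:' layout into {url: sha256}."""
    entries, url = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().lstrip("- ").partition(": ")
        if key == "url":
            url = value.strip()
        elif key == "sha256" and url:
            digest = value.strip().lower()
            if not re.fullmatch(r"[0-9a-f]{64}", digest):
                raise ValueError(f"malformed sha256 for {url}")
            entries[url] = digest
            url = None
    return entries

def verify_download(data, url, lock):
    """Return True only if url is locked and data hashes to the locked digest."""
    expected = lock.get(url)
    if expected is None:
        return False  # URL absent from the lockfile: fail closed
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample: a stand-in payload and a lock entry built from its digest,
# so the example runs offline. These are not the real cosign release hashes.
SAMPLE_BINARY = b"constructed stand-in for a cosign binary\n"
SAMPLE_LOCK = f"""\
- url: https://github.com/sigstore/cosign/releases/download/v2.4.2/cosign-linux-amd64
  sha256: {hashlib.sha256(SAMPLE_BINARY).hexdigest()}
  timestamp: 2025-02-04 21:05:54+00:00
"""
```

Against the real lockfile, pass its text to parse_lock and the downloaded file's bytes to verify_download; a URL missing from the lock is rejected rather than trusted.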

Badge

[![WakeMeOps](https://docs.wakemeops.com/badges/cosign.svg)](https://docs.wakemeops.com/packages/cosign)
<a href="https://docs.wakemeops.com/packages/cosign">
  <img src="https://docs.wakemeops.com/badges/cosign.svg"/>
</a>
.. image:: https://docs.wakemeops.com/badges/cosign.svg
   :target: https://docs.wakemeops.com/packages/cosign