cosign

Code signing and transparency for containers and binaries

Cosign is a command line utility that is used to sign software artifacts and verify signatures using Sigstore.

Sigstore has a number of language specific clients that you can use to build custom tooling. Although a number of the clients include a basic CLI, Cosign is the recommended tool for signing and verifying.

secops

https://www.sigstore.dev

arm64 amd64

Installation

1. Add WakeMeOps repository

curl -sSL https://raw.githubusercontent.com/upciti/wakemeops/main/assets/install_repository | sudo bash

2. Install cosign

sudo apt install cosign

Snippets

DockerfileGithub Action

FROM wakemeops/minideb:bullseye

RUN install_packages \
    cosign=2.5.0*

USER 1001

- name: Install dependencies
  uses: upciti/wakemeops-action@v1
  with:
    packages: |
      cosign=2.5.0*

Download URLs

amd64arm64

Version	SHA256	Size (KB)
2.5.0	`a701affef6879cbc98a7ae49de2b139d9df3d77fc20b3d4b7f2b7a596cc00cc8`	17775
2.4.3	`4a2d0a6107e52f0adc12df159a25dc7f138362266f9dc29064440b10bc544614`	17395
2.4.2	`cc386479dfe5d1a6c6b392dca7c60482062980bdcfe9674630f21f0e036b0b7b`	17350
2.4.1	`810149af9a08ed10c9f2b968564631a2eae700428c7e1c58c03e0a41f75dbad1`	16987

Version	SHA256	Size (KB)
2.5.0	`9b8bd565a3074ff9c925aab97c65261830d289ff727261587dfbfbf7a0c8b7a5`	15183
2.4.3	`ec74a6e97466497f6324e1603ee4b400423508f51b85a39489a7863bccbe51fa`	14868
2.4.2	`397cf7755b5d1f37d5c74781af5aa7532879cbf8fa2db120337a41cb8c92fd86`	14855
2.4.1	`759c3d72be4b4a1082317881863baf3e427158823bab54f86018048fa09df7d0`	14578

Blueprints

Debian packages listed on this page are generated from op2deb YAML blueprints. Blueprints for cosign are versioned here.

Click here to see cosign ops2deb blueprints

https://github.com/upciti/wakemeops/blob/main/blueprints/secops/cosign/ops2deb.yml

name: cosign
matrix:
  architectures:
    - amd64
    - arm64
  versions:
    - 2.4.1
    - 2.4.2
    - 2.4.3
    - 2.5.0
homepage: https://www.sigstore.dev
summary: code signing and transparency for containers and binaries
description: |-
  Cosign is a command line utility that is used to sign software artifacts and
  verify signatures using Sigstore.

  Sigstore has a number of language specific clients that you can use to build
  custom tooling. Although a number of the clients include a basic CLI, Cosign is
  the recommended tool for signing and verifying.
fetch: https://github.com/sigstore/cosign/releases/download/v{{version}}/cosign-linux-{{target}}
install:
  - cosign-linux-{{target}}:/usr/bin/cosign

The blueprint fetch keyword contains a URL template pointing to cosign releases. Downloaded files are locked in a lockfile versioned here.

Click here to see cosign release hashes

https://github.com/upciti/wakemeops/blob/main/blueprints/secops/cosign/ops2deb.lock.yml

- url: https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-amd64
  sha256: 8b24b946dd5809c6bd93de08033bcf6bc0ed7d336b7785787c080f574b89249b
  timestamp: 2024-11-25 12:30:15+00:00
- url: https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-arm64
  sha256: 3b2e2e3854d0356c45fe6607047526ccd04742d20bd44afb5be91fa2a6e7cb4a
  timestamp: 2024-11-25 12:30:15+00:00
- url: https://github.com/sigstore/cosign/releases/download/v2.4.2/cosign-linux-amd64
  sha256: e7f5bd99a790703333e8f8e8e6c91d5e646f3d7041e4cf935b56587de20cec3f
  timestamp: 2025-02-04 21:05:54+00:00
- url: https://github.com/sigstore/cosign/releases/download/v2.4.2/cosign-linux-arm64
  sha256: 9ab2a932190161d67b9fcda81777e28086b2152c7d506a0e2f83dbb3fd7e2b1c
  timestamp: 2025-02-04 21:05:54+00:00
- url: https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-linux-amd64
  sha256: caaad125acef1cb81d58dcdc454a1e429d09a750d1e9e2b3ed1aed8964454708
  timestamp: 2025-03-13 09:08:25+00:00
- url: https://github.com/sigstore/cosign/releases/download/v2.4.3/cosign-linux-arm64
  sha256: bd0f9763bca54de88699c3656ade2f39c9a1c7a2916ff35601caf23a79be0629
  timestamp: 2025-03-13 09:08:25+00:00
- url: https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64
  sha256: 1f6c194dd0891eb345b436bb71ff9f996768355f5e0ce02dde88567029ac2188
  timestamp: 2025-04-16 15:08:51+00:00
- url: https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-arm64
  sha256: 080a998f9878f22dafdb9ad54d5b2e2b8e7a38c53527250f9d89a6763a28d545
  timestamp: 2025-04-16 15:08:51+00:00

Badge

MarkdownHTMLRST

[![WakeMeOps](https://docs.wakemeops.com/badges/cosign.svg)](https://docs.wakemeops.com/packages/cosign)

<a href="https://docs.wakemeops.com/packages/cosign">
  <img src="https://docs.wakemeops.com/badges/cosign.svg"/>
</a>

.. image:: https://docs.wakemeops.com/badges/cosign.svg
:target: https://docs.wakemeops.com/packages/cosign