cosign Command Examples

Container Signing, Verification and Storage in an OCI registry. More information: https://github.com/sigstore/cosign.

• Generate a key-pair:

cosign generate-key-pair

• Sign a container and store the signature in the registry:

cosign sign -key {{cosign.key}} {{image}}

• Sign a container image with a key pair stored in a Kubernetes secret:

cosign sign -key k8s://{{namespace}}/{{key}} {{image}}

• Sign a blob with a local key pair file:

cosign sign-blob --key {{cosign.key}} {{path/to/file}}

• Verify a container against a public key:

cosign verify -key {{cosign.pub}} {{image}}

• Verify images with a public key in a Dockerfile:

cosign dockerfile verify -key {{cosign.pub}} {{path/to/Dockerfile}}

• Verify an image with a public key stored in a Kubernetes secret:

cosign verify -key k8s://{{namespace}}/{{key}} {{image}}

• Copy a container image and its signatures:

cosign copy {{example.com/src:latest}} {{example.com/dest:latest}}