cosign.md

cosign

A tool for Container Signing, Verification and Storage in an OCI registry.

Options

  -h, --help                 help for cosign
      --output-file string   log output to a file
  -t, --timeout duration     timeout for commands (default 3m0s)
  -d, --verbose              log debug output

SEE ALSO

• cosign attach - Provides utilities for attaching artifacts to other artifacts in a registry
• cosign attest - Attest the supplied container image.
• cosign attest-blob - Attest the supplied blob.
• cosign bundle - Interact with a Sigstore protobuf bundle
• cosign clean - Remove all signatures from an image.
• cosign completion - Generate completion script
• cosign copy - Copy the supplied container image and signatures.
• cosign dockerfile - Provides utilities for discovering images in and performing operations on Dockerfiles
• cosign download - Provides utilities for downloading artifacts and attached artifacts in a registry
• cosign env - Prints Cosign environment variables
• cosign generate - Generates (unsigned) signature payloads from the supplied container image.
• cosign generate-key-pair - Generates a key-pair.
• cosign import-key-pair - Imports a PEM-encoded RSA or EC private key.
• cosign initialize - Initializes SigStore root to retrieve trusted certificate and key targets for verification.
• cosign load - Load a signed image on disk to a remote registry
• cosign login - Log in to a registry
• cosign manifest - Provides utilities for discovering images in and performing operations on Kubernetes manifests
• cosign piv-tool - Provides utilities for managing a hardware token
• cosign pkcs11-tool - Provides utilities for retrieving information from a PKCS11 token.
• cosign public-key - Gets a public key from the key-pair.
• cosign save - Save the container image and associated signatures to disk at the specified directory.
• cosign sign - Sign the supplied container image.
• cosign sign-blob - Sign the supplied blob, outputting the base64-encoded signature to stdout.
• cosign tree - Display supply chain security related artifacts for an image such as signatures, SBOMs and attestations
• cosign triangulate - Outputs the located cosign image reference. This is the location where cosign stores the specified artifact type.
• cosign trusted-root - Interact with a Sigstore protobuf trusted root
• cosign upload - Provides utilities for uploading artifacts to a registry
• cosign verify - Verify a signature on the supplied container image
• cosign verify-attestation - Verify an attestation on the supplied container image
• cosign verify-blob - Verify a signature on the supplied blob
• cosign verify-blob-attestation - Verify an attestation on the supplied blob
• cosign version - Prints the version