Packages and Binaries:

cosign

This package contains a tool to sign OCI containers (and other artifacts) using Sigstore (https://sigstore.dev/)!

Cosign aims to make signatures invisible infrastructure.

Cosign supports:

  • “Keyless signing” with the Sigstore public good Fulcio certificate authority and Rekor transparency log (default)
  • Hardware and KMS signing
  • Signing with a cosign generated encrypted private/public keypair
  • Container Signing, Verification and Storage in an OCI registry.
  • Bring-your-own PKI

Installed size: 69.14 MB
How to install: sudo apt install cosign

Dependencies:
  • libc6
cosign
root@kali:~# cosign -h
A tool for Container Signing, Verification and Storage in an OCI registry.

Usage:
cosign [command]

Available Commands:
attach                  Provides utilities for attaching artifacts to other artifacts in a registry
attest                  Attest the supplied container image.
attest-blob             Attest the supplied blob.
clean                   Remove all signatures from an image.
completion              Generate completion script
copy                    Copy the supplied container image and signatures.
dockerfile              Provides utilities for discovering images in and performing operations on Dockerfiles
download                Provides utilities for downloading artifacts and attached artifacts in a registry
env                     Prints Cosign environment variables
generate                Generates (unsigned) signature payloads from the supplied container image.
generate-key-pair       Generates a key-pair.
help                    Help about any command
import-key-pair         Imports a PEM-encoded RSA or EC private key.
initialize              Initializes SigStore root to retrieve trusted certificate and key targets for verification.
load                    Load a signed image on disk to a remote registry
login                   Log in to a registry
manifest                Provides utilities for discovering images in and performing operations on Kubernetes manifests
public-key              Gets a public key from the key-pair.
save                    Save the container image and associated signatures to disk at the specified directory.
sign                    Sign the supplied container image.
sign-blob               Sign the supplied blob, outputting the base64-encoded signature to stdout.
tree                    Display supply chain security related artifacts for an image such as signatures, SBOMs and attestations
triangulate             Outputs the located cosign image reference. This is the location cosign stores the specified artifact type.
upload                  Provides utilities for uploading artifacts to a registry
verify                  Verify a signature on the supplied container image
verify-attestation      Verify an attestation on the supplied container image
verify-blob             Verify a signature on the supplied blob
verify-blob-attestation Verify an attestation on the supplied blob
version                 Prints the version

Flags:
    -h, --help=false:
	help for cosign

    --output-file='':
	log output to a file

    -t, --timeout=3m0s:
	timeout for commands

    -d, --verbose=false:
	log debug output

Additional help topics:
cosign piv-tool                This cosign was not built with piv-tool support!
cosign pkcs11-tool             This cosign was not built with pkcs11-tool support!

Use "cosign [command] --help" for more information about a command.

Updated on: 2024-Feb-16