Cosign 容器签名

发布时间: 更新时间: 总字数:618 阅读时间:2m 作者: IP上海 分享 网址

Cosign用来为容器签名(Signing)、验证(Verification)和在 OCI Registry 存储




  • go 安装
go install
  • binary
wget ""
mv cosign-linux-amd64 /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign


# rpm
wget ""
rpm -ivh cosign-1.6.0.x86_64.rpm


# dkpg
wget ""
dpkg -i cosign_1.6.0_amd64.deb


brew install cosign


$ cosign --help
A tool for Container Signing, Verification and Storage in an OCI registry.

  cosign [command]

Available Commands:
  attach             Provides utilities for attaching artifacts to other artifacts in a registry
  attest             Attest the supplied container image.
  clean              Remove all signatures from an image.
  completion         Generate completion script
  copy               Copy the supplied container image and signatures.
  dockerfile         Provides utilities for discovering images in and performing operations on Dockerfiles
  download           Provides utilities for downloading artifacts and attached artifacts in a registry
  env                Prints Cosign environment variables
  generate           Generates (unsigned) signature payloads from the supplied container image.
  generate-key-pair  Generates a key-pair.
  help               Help about any command
  import-key-pair    Imports a PEM-encoded RSA or EC private key.
  initialize         Initializes SigStore root to retrieve trusted certificate and key targets for verification.
  load               Load a signed image on disk to a remote registry
  login              Log in to a registry
  manifest           Provides utilities for discovering images in and performing operations on Kubernetes manifests
  policy             subcommand to manage a keyless policy.
  public-key         Gets a public key from the key-pair.
  save               Save the container image and associated signatures to disk at the specified directory.
  sign               Sign the supplied container image.
  sign-blob          Sign the supplied blob, outputting the base64-encoded signature to stdout.
  tree               Display supply chain security related artifacts for an image such as signatures, SBOMs and attestations
  triangulate        Outputs the located cosign image reference. This is the location cosign stores the specified artifact type.
  upload             Provides utilities for uploading artifacts to a registry
  verify             Verify a signature on the supplied container image
  verify-attestation Verify an attestation on the supplied container image
  verify-blob        Verify a signature on the supplied blob
  version            Prints the version

  -h, --help                 help for cosign
      --output-file string   log output to a file
  -t, --timeout duration     timeout for commands (default 3m0s)
  -d, --verbose              log debug output

Additional help topics:
  cosign piv-tool           This cosign was not built with piv-tool support!
  cosign pkcs11-tool        This cosign was not built with pkcs11-tool support!

Use "cosign [command] --help" for more information about a command.


Generate a keypair

$ cosign generate-key-pair
Enter password for private key:
Enter password for private key again:
Private key written to cosign.key
Public key written to

Sign a container and store the signature in the registry

$ cosign sign --key cosign.key xiexianbin/nettools:1
Enter password for private key:
Pushing signature to:

Verify a container against a public key

$ cosign verify --key | jq .

Verification for --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
    "critical": {
      "identity": {
        "docker-reference": ""
      "image": {
        "docker-manifest-digest": "sha256:aac519b2ee85b092f729185c267357f97f298783ce2f698a383607fab4155cbf"
      "type": "cosign container image signature"
    "optional": null


  • 也可以支持其他 Artifacts 的签名 cosign sign-blob
  • cosign 支持和 KMS 以前签署和验证,如 Hashicorp Vault
  • 类似的工具
    • Sigstore 容器和二进制文件的代码签名


Home Archives Categories Tags Statistics
本文总阅读量 次 本站总访问量 次 本站总访客数