Inferensys

Glossary

Cosign

Cosign is a command-line tool under the Sigstore project that cryptographically signs container images and OCI artifacts, storing the signature alongside the artifact in a registry for verification.
Developer demonstrating multi-agent tool use, agent tool selection interface on laptop, casual tech demo moment.
CONTAINER IMAGE SIGNING

What is Cosign?

Cosign is a tool under the Sigstore project that cryptographically signs container images and OCI artifacts, generating a signature stored alongside the image in the registry for verification.

Cosign is a command-line utility that performs keyless signing of software artifacts using OpenID Connect identities, eliminating the need to manage long-lived private keys. It signs container images by generating a digital signature and publishing it as an OCI artifact in the same repository, enabling seamless verification within existing container registries.

The tool supports multiple signing modes, including key-based signing with managed key pairs and keyless signing via the Fulcio certificate authority. Cosign also handles image attestations, allowing developers to cryptographically bind SBOMs and vulnerability scan results to specific image digests, ensuring supply chain integrity before deployment.

KEYLESS SIGNING

Core Features of Cosign

Cosign is a core component of the Sigstore project, providing a streamlined mechanism for signing and verifying OCI artifacts. It eliminates the burden of long-term key management by leveraging short-lived ephemeral keys and OpenID Connect identities.

COSIGN

Frequently Asked Questions

Clear answers to the most common technical questions about using Cosign for keyless container image signing, verification, and supply chain security within private registries.

Cosign is a command-line tool under the open-source Sigstore project that cryptographically signs container images and OCI artifacts, storing the generated signature alongside the artifact in a compatible registry. It works by generating a digital signature over an image's digest—a unique, content-addressable SHA256 hash—rather than a mutable tag, ensuring the signature is tied to an immutable version of the software. Cosign supports both traditional long-lived key pairs and keyless signing, which leverages OpenID Connect (OIDC) identities to bind a signature to an email address or machine identity without managing private keys. The signature is stored as a separate OCI object in the same repository, typically tagged with a .sig suffix, allowing verification tools to locate and validate it using the original image digest.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.