Installation

With Go 1.17+

If you have Go 1.17+, you can directly install Cosign by running:

go install github.com/sigstore/cosign/cmd/cosign@latest

The resulting binary will be placed at $GOPATH/bin/cosign (or $GOBIN/cosign, if set).

With the Cosign binary or rpm/dpkg package

Check for the file in https://github.com/sigstore/cosign/releases

# binary
wget "https://github.com/sigstore/cosign/releases/download/v1.6.0/cosign-linux-amd64"
mv cosign-linux-amd64 /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign

# rpm
wget "https://github.com/sigstore/cosign/releases/download/v1.6.0/cosign-1.6.0.x86_64.rpm"
rpm -ivh cosign-1.6.0.x86_64.rpm

# dkpg
wget "https://github.com/sigstore/cosign/releases/download/v1.6.0/cosign_1.6.0_amd64.deb"
dpkg -i "cosign_1.6.0_amd64.deb

Homebrew/Linuxbrew

If you are using Homebrew (or Linuxbrew), you can install Cosign by running:

brew install cosign

Arch Linux

If you are using Arch Linux, you can install Cosign by running:

pacman -S cosign

Alpine Linux

If you are using Alpine Linux edge, with the community repository enabled, you can install cosign by running:

apk add cosign

The sget tool is also available:

apk add sget

Nix

If you are using Nix, you can install Cosign by running:

nix-env -iA nixpkgs.cosign

NixOS

If you are on NixOS, you can install Cosign by running:

nix-env -iA nixos.cosign

GitHub Actions

Cosign can be installed in your GitHub Actions using the Cosign installer on the GitHub Marketplace.

uses: sigstore/cosign-installer@main
with:
  cosign-release: 'v1.2.1' # optional

Container Images

Signed release images are available at gcr.io/projectsigstore/cosign. They are tagged with the release name (for example, gcr.io/projectsigstore/cosign:v1.0.0). They can be found with crane ls:

$ crane ls gcr.io/projectsigstore/cosign
sha256-7e9a6ca62c3b502a125754fbeb4cde2d37d4261a9c905359585bfc0a63ff17f4.sig
v0.4.0
...

CI Built containers are published for every commit at gcr.io/projectsigstore/cosign/ci/cosign. They are tagged with the commit. They can be found with crane ls:

$ crane ls gcr.io/projectsigstore/cosign/ci/cosign
749f896
749f896bb378aca5cb45c5154fc0cb43f6728d48

Further details and installation instructions for crane available via https://github.com/google/go-containerregistry/tree/main/cmd/crane

Releases

Releases are published in the Cosign repository under the Releases page, and hosted in the GCS bucket cosign-releases.

They can be reviewed with gsutil:

$ gsutil ls gs://cosign-releases/v1.0.0
gs://cosign-releases/v1.0.0/cosign-darwin-amd64
gs://cosign-releases/v1.0.0/cosign-darwin-amd64.sig
gs://cosign-releases/v1.0.0/cosign-darwin-arm64
gs://cosign-releases/v1.0.0/cosign-darwin-arm64.sig
gs://cosign-releases/v1.0.0/cosign-linux-amd64
gs://cosign-releases/v1.0.0/cosign-linux-amd64.sig
gs://cosign-releases/v1.0.0/cosign-windows-amd64.exe
gs://cosign-releases/v1.0.0/cosign-windows-amd64.exe.sig
gs://cosign-releases/v1.0.0/cosign_checksums.txt
gs://cosign-releases/v1.0.0/release-cosign.pub
Edit this page on GitHub Updated at Tue, Oct 4, 2022