Specifications

cosign is inspired by tools like minisign and signify.

Signature Specifications

Specifications are maintained within the cosign repo and available in SIGNATURE_SPEC.md.

SBOM in OCI Specification

Cosign supports working with SBOMs (Software Bill Of Materials). Both formats such as SPDX, CycloneDX are supported.

The format for this is maintained within the cosign repo and available SBOM_SPEC.md.

In-Toto Attestation Predicate

Cosign supports working with In-Toto Attestations using the predicate model. Several well-known predicates are supported natively, but cosign also supports a simple, generic, format for data that doesn't fit well into other types.

The format for this is maintained within the cosign repo and available COSIGN_PREDICATE_SPEC.md.

Signature Payload Format

cosign only supports Red Hat's simple signing format for payloads.

That looks like:

{
    "critical": {
           "identity": {
               "docker-reference": "testing/manifest"
           },
           "image": {
               "Docker-manifest-digest": "sha256:20be...fe55"
           },
           "type": "cosign container image signature"
    },
    "optional": {
           "creator": "Bob the Builder",
           "timestamp": 1458239713
    }
}

Note: This can be generated for an image reference using cosign generate <image>.

Edit this page on GitHub Updated at Mon, Nov 28, 2022