Specifications

cosign is inspired by tools like minisign and signify.

Signature Specifications

Specifications are maintained within the cosign repo and available here.

SBOM in OCI Specification

Cosign supports working with SBOMs (Software Bill of Materials). Formats such as SPDX and CycloneDX are both supported.

The format for this is maintained within the cosign repo and available here.

In-Toto Attestation Predicate

Cosign supports working with In-Toto Attestations using the predicate model. Several well-known predicates are supported natively, but cosign also supports a simple, generic format for data that doesn't fit well into the other types.

The format for this is maintained within the cosign repo and available here.

Signature Payload Format

cosign only supports Red Hat's simple signing format for payloads.

That looks like:

{
    "critical": {
        "identity": {
            "docker-reference": "testing/manifest"
        },
        "image": {
            "Docker-manifest-digest": "sha256:20be...fe55"
        },
        "type": "cosign container image signature"
    },
    "optional": {
        "creator": "Bob the Builder",
        "timestamp": 1458239713
    }
}

Note: This can be generated for an image reference using cosign generate <image>.
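As an added example (not cosign's own code), the following Go program builds a simple signing payload for an image reference and manifest digest, then checks a candidate payload the way a verifier must: the `critical` section's digest and type are compared exactly, while the free-form `optional` section never influences the decision. The struct and helper names are assumptions; the JSON keys mirror the payload shown above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Mirrors the simple signing payload shown above; tags follow the JSON keys exactly.
type SimpleSigning struct {
	Critical Critical               `json:"critical"`
	Optional map[string]interface{} `json:"optional,omitempty"`
}

type Critical struct {
	Identity struct {
		DockerReference string `json:"docker-reference"`
	} `json:"identity"`
	Image struct {
		DockerManifestDigest string `json:"Docker-manifest-digest"`
	} `json:"image"`
	Type string `json:"type"`
}

const cosignSignatureType = "cosign container image signature"

// NewPayload builds the payload for an image reference and its manifest digest.
func NewPayload(ref, digest string) SimpleSigning {
	var p SimpleSigning
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = cosignSignatureType
	return p
}

// CheckPayload parses a payload and verifies that its critical section binds the
// expected digest and type; the optional section is metadata only and is ignored.
func CheckPayload(raw []byte, wantDigest string) error {
	var p SimpleSigning
	if err := json.Unmarshal(raw, &p); err != nil {
		return fmt.Errorf("malformed payload: %w", err)
	}
	if p.Critical.Type != cosignSignatureType {
		return fmt.Errorf("unexpected type %q", p.Critical.Type)
	}
	if p.Critical.Image.DockerManifestDigest != wantDigest {
		return fmt.Errorf("digest mismatch: got %q", p.Critical.Image.DockerManifestDigest)
	}
	return nil
}
```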

Updated at Sat, May 21, 2022