Specifications

cosign is inspired by tools like minisign and signify.
Signature Specifications

Specifications are maintained within the cosign repo and available here.
SBOM in OCI Specification

Cosign supports working with SBOMs (Software Bills of Materials). Formats such as SPDX and CycloneDX are supported.

The format for this is maintained within the cosign repo and available here.
In-Toto Attestation Predicate

Cosign supports working with In-Toto Attestations using the predicate model. Several well-known predicates are supported natively, but cosign also supports a simple, generic format for data that doesn't fit well into the other types.

The format for this is maintained within the cosign repo and available here.
Signature Payload Format

cosign only supports Red Hat's simple signing format for payloads. That looks like:

    {
      "critical": {
        "identity": {
          "docker-reference": "testing/manifest"
        },
        "image": {
          "Docker-manifest-digest": "sha256:20be...fe55"
        },
        "type": "cosign container image signature"
      },
      "optional": {
        "creator": "Bob the Builder",
        "timestamp": 1458239713
      }
    }

Note: This can be generated for an image reference using cosign generate <image>.
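The following is an added example, not code from the cosign project, showing how a verifier should treat the payload above: only the "critical" block binds the signature to an image, so the check confirms the type, the docker-reference and the manifest digest against what the verifier expects and ignores "optional". The sample digest is constructed; the page spells the digest key as "Docker-manifest-digest" while cosign-generated payloads write it in lowercase, so key names are compared case-insensitively.

```python
"""Build and check a cosign simple-signing payload (added example)."""
import json
import re
from typing import Optional

PAYLOAD_TYPE = "cosign container image signature"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Constructed sample digest (the page shows a truncated one, sha256:20be...fe55).
SAMPLE_DIGEST = "sha256:20be" + "0" * 56 + "fe55"


def build_payload(reference: str, digest: str, creator: Optional[str] = None,
                  timestamp: Optional[int] = None) -> str:
    """Serialise a simple-signing payload for an image reference and manifest digest."""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"not a sha256 manifest digest: {digest}")
    optional = {}
    if creator is not None:
        optional["creator"] = creator
    if timestamp is not None:
        optional["timestamp"] = timestamp
    payload = {
        "critical": {
            "identity": {"docker-reference": reference},
            "image": {"docker-manifest-digest": digest},
            "type": PAYLOAD_TYPE,
        },
        "optional": optional,
    }
    return json.dumps(payload, separators=(",", ":"), sort_keys=True)


def _get_ci(obj: dict, key: str):
    """Case-insensitive key lookup, so both digest-key spellings are accepted."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    raise KeyError(key)


def check_payload(raw: str, expected_reference: str, expected_digest: str) -> list:
    """Return the problems a verifier must reject on; an empty list means the
    critical block binds exactly the expected reference and digest."""
    try:
        critical = json.loads(raw)["critical"]
        ref = _get_ci(_get_ci(critical, "identity"), "docker-reference")
        dig = _get_ci(_get_ci(critical, "image"), "docker-manifest-digest")
        typ = _get_ci(critical, "type")
    except (KeyError, TypeError, ValueError, AttributeError) as e:
        return [f"malformed payload: {e!r}"]
    problems = []
    if typ != PAYLOAD_TYPE:
        problems.append(f"unexpected type {typ!r}")
    if ref != expected_reference:
        problems.append(f"reference mismatch: {ref!r}")
    if not DIGEST_RE.match(str(dig)) or dig != expected_digest:
        problems.append(f"digest mismatch: {dig!r}")
    return problems
```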