Registry Support
Cosign uses go-containerregistry for registry interactions, which has generally excellent compatibility, but some registries may have quirks.
Today, Cosign has been tested and works against the following registries:
- AWS Elastic Container Registry
- GCP’s Artifact Registry and Container Registry
- Docker Hub
- Azure Container Registry
- JFrog Artifactory Container Registry
- The CNCF distribution/distribution Registry
- GitLab Container Registry
- GitHub Container Registry
- The CNCF Harbor Registry
- Digital Ocean Container Registry
- Sonatype Nexus Container Registry
- Alibaba Cloud Container Registry
- Quay.io and Project Quay Container Registry
We aim for wide registry support. To sign images in registries which do not yet fully support OCI media types, one may need to set COSIGN_DOCKER_MEDIA_TYPES to fall back to the legacy Docker media types. For example:
COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign --key cosign.key legacy-registry.example.com/my/image
Please help test and file bugs if you see issues! Instructions can be found in the tracking issue.
Rekor support
Note: this is an experimental feature
To publish signed artifacts to a Rekor transparency log and verify their existence in the log, set the COSIGN_EXPERIMENTAL=1 environment variable:
COSIGN_EXPERIMENTAL=1 cosign sign --key cosign.key user/demo
COSIGN_EXPERIMENTAL=1 cosign verify --key cosign.pub user/demo
Cosign defaults to using the public instance of Rekor at rekor.sigstore.dev. To point Cosign at a different Rekor server, use the -rekor-url flag.
Registry details
Cosign signatures are stored as separate objects in the OCI registry, with only a weak reference back to the object they “sign”. This means this relationship is opaque to the registry, and signatures will not be deleted or garbage-collected when the image is deleted. Similarly, they can easily be copied from one environment to another, but this is not automatic.
Multiple signatures are stored in a list which is unfortunately “racy” today. To add a signature, clients orchestrate a “read-append-write” operation, so the last write will win in the case of contention.
Specifying registry
Cosign will default to storing signatures in the same repo as the image it is signing.
To specify a different repo for signatures, set the COSIGN_REPOSITORY environment variable. This replaces the repo in the provided image reference:
export COSIGN_REPOSITORY=gcr.io/my-new-repo
gcr.io/user-vmtest2/demo -> gcr.io/my-new-repo/demo:sha256-DIGEST.sig
So the signature for gcr.io/user-vmtest2/demo will be stored in gcr.io/my-new-repo/demo:sha256-DIGEST.sig.
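Because the registry knows nothing about the link between an image and its signature, anyone auditing or replicating signatures has to compute the signature tag themselves. The following added example (not cosign's own code; the function names are assumptions) derives the sha256-DIGEST.sig tag from an image reference and applies the COSIGN_REPOSITORY mapping exactly as this page describes it: the image's repository path is swapped for the override while the final path component is kept. The digest must already be known, since a tag alone cannot identify which manifest was signed.

```python
import re
from typing import Optional, Tuple

# Constructed example; not part of cosign. Names and the override mapping
# below follow the description on this page, not cosign's source.
SIG_SUFFIX = ".sig"
DIGEST_RE = re.compile(r"^sha256:([0-9a-f]{64})$")


def parse_reference(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an image reference into (repository, tag, digest).

    Handles registry:port/path, an optional :tag and an optional @sha256:... digest.
    """
    rest, _, digest = ref.partition("@")
    # A colon after the last slash introduces a tag; a colon before it is a
    # registry port (e.g. localhost:5000/my/image), not a tag.
    last_slash = rest.rfind("/")
    colon = rest.rfind(":")
    tag = None
    if colon > last_slash:
        rest, tag = rest[:colon], rest[colon + 1:]
    return rest, tag, digest or None


def signature_reference(image_ref: str, digest: Optional[str] = None,
                        sig_repo: Optional[str] = None) -> str:
    """Return the reference under which cosign stores the signature for image_ref.

    digest: the manifest digest, if the reference itself does not carry one.
    sig_repo: the value a caller would take from os.environ["COSIGN_REPOSITORY"];
    the image repo is replaced by it, keeping the last path component (as on this page).
    """
    repo, _tag, ref_digest = parse_reference(image_ref)
    digest = digest or ref_digest
    if digest is None:
        raise ValueError("image must be resolved to a digest before locating its signature")
    match = DIGEST_RE.match(digest)
    if not match:
        raise ValueError(f"unsupported digest: {digest}")
    if sig_repo:
        repo = sig_repo.rstrip("/") + "/" + repo.rsplit("/", 1)[-1]
    # The tag encodes the digest with ':' replaced by '-', plus the .sig suffix.
    return f"{repo}:sha256-{match.group(1)}{SIG_SUFFIX}"
```

Resolving a tag to its digest still requires a registry round trip (for example `crane digest`); this code only handles the naming step that follows it.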