Signing with Self-Managed Keys

To generate a key pair in Cosign, run cosign generate-key-pair. You will be prompted interactively for a password that protects the private key.

$ cosign generate-key-pair
Enter password for private key:
Enter again:
Private key written to cosign.key
Public key written to

Alternatively, set the COSIGN_PASSWORD environment variable to supply the password without an interactive prompt.

Note: Cosign supports RSA, ECDSA, and ED25519 keys. For RSA, Cosign only supports RSA PKCS#1.5 padded keys.

Key generation and management

To generate keys using a KMS provider, you can use the cosign generate-key-pair command with the --kms flag.

cosign generate-key-pair --kms <some provider>://<some key>

Read more about this in the key management overview.

The public key can be retrieved with:

$ cosign public-key --key <some provider>://<some key>
-----END PUBLIC KEY-----

Signing with a local key pair

This section shows traditional signing with a locally stored key pair:

$ cosign sign --key cosign.key user/demo
Enter password for private key:
Pushing signature to:
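The key-generation and local signing steps above, combined into a non-interactive script of the kind a CI job would run. This is an added example, not code from the Cosign project; it assumes cosign is on PATH, that COSIGN_PASSWORD is injected as a secret, and that the image reference passed in is one the job is allowed to push signatures for.

```shell
#!/bin/sh
# Added example (not from the Cosign docs): CI-style wrapper around
# `cosign generate-key-pair`, `cosign sign` and `cosign verify`.
# Assumes: cosign on PATH, COSIGN_PASSWORD supplied as a secret, and an
# image reference you may push signatures for.
set -eu

# cosign reads the key password from COSIGN_PASSWORD when it is set.
# Without it the command blocks on a TTY prompt (fatal in CI), and an
# empty value produces a key file that anyone holding it can unlock.
# Refuse to continue in either case.
require_password() {
  if [ -z "${COSIGN_PASSWORD:-}" ]; then
    echo "COSIGN_PASSWORD must be set and non-empty" >&2
    return 1
  fi
}

# Generate cosign.key / cosign.pub in the current directory.
generate_keys() {
  require_password
  cosign generate-key-pair
}

# Sign the image with the local private key, then verify with the matching
# public key so a failed push or a mismatched key fails the job right away.
sign_and_verify() {
  image="$1"
  require_password
  cosign sign --key cosign.key "$image"
  cosign verify --key cosign.pub "$image" >/dev/null
  echo "signed and verified: $image"
}

# Only act when invoked as `./sign.sh run <image>`, so the functions can be
# sourced or tested without touching a registry.
if [ "${1:-}" = "run" ]; then
  [ -f cosign.key ] || generate_keys
  sign_and_verify "${2:?usage: $0 run <image>}"
fi
```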