Signing Blobs

You can use Cosign for signing and verifying standard files and blobs (or binary large objects), in addition to containers. This topic discusses signing blobs/files. For information on verifying, see Verifying Signatures.

Keyless signing of blobs and files

Cosign supports identity-based signing, associating an ephemeral signing key with an identity from an OpenID Connect provider. We refer to this process as “keyless signing”. You use cosign sign-blob to sign standard files as well as blobs. You can store the signature and certificate either as separate files or in a single bundle file. Using a bundle is the recommended way of signing a blob, because verifiers then need to pass only the bundle name instead of separate signature and certificate files. Use the cosign command to sign:

$ cosign sign-blob <file> --bundle cosign.bundle

The bundle is output as a base64 encoded string that contains the certificate and signature. In addition, signatures are output as base64 encoded strings to stdout by default.

When using cosign sign-blob in keyless mode, you need to keep the bundle for later verification. If you don’t want to use a bundle, you can write the certificate and signature to separate files with the --output-certificate and --output-signature flags. Example output when using these flags:

$ cosign sign-blob <file> --output-certificate cert.pem --output-signature sig
Using payload from:
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
Successfully verified SCT...
using ephemeral certificate:

tlog entry created with index: 965333
Signature wrote in the file sig
Certificate wrote in the file cert.pem

Signing with a key

While keyless signing is recommended, you may specify your own key for signing. You will be prompted for the private key's password before signing:

$ cosign sign-blob --key cosign.key <file>
Using payload from:
Enter password for private key:

This supports all the same flags and features as cosign sign, including KMS support, hardware tokens, and keyless signatures. See Signing with Self-Managed Keys for more information.

Blobs in OCI Registries

You can upload blobs to an OCI registry (similar to ORAS), where they can then be signed like any other image.

You can publish an artifact with cosign upload blob:

$ echo "my first artifact" > artifact
$ cosign upload blob -f artifact
Uploading file from [artifact] to [] with media type [text/plain; charset=utf-8]
File is available directly at []

Your users can download it from the “direct” URL with standard tools like curl or wget:

$ curl -L <URL> > artifact

The digest is included in the URL, so users can check the downloaded content against it as well:

$ curl -L <URL> | shasum -a 256
97f16c28f6478f3c02d7fff4c7f3c2a30041b72eb6852ca85b919fd85534ed4b  -
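The digest check described above, as an added example that is not part of the Cosign documentation: a small POSIX shell helper that extracts the sha256 digest embedded in a blob's "direct" URL, hashes the downloaded file, and refuses to keep a file whose digest does not match. The exact URL layout is an assumption; the helper only requires that a `sha256:<64 hex>` token appear somewhere in the URL.

```shell
#!/bin/sh
# Added example (not from the Cosign docs). Assumes the direct URL contains a
# "sha256:<64 hex chars>" token; the registry host and path below are constructed.

# Portable sha256: prefer sha256sum (coreutils), fall back to shasum -a 256 (macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# digest_from_url URL: print the lowercase hex digest found in URL,
# or return 1 when the URL carries no sha256 digest at all.
digest_from_url() {
  d=$(printf '%s' "$1" | grep -o 'sha256:[0-9a-fA-F]\{64\}' | head -n1 | cut -d: -f2)
  [ -n "$d" ] || return 1
  printf '%s' "$d" | tr 'A-F' 'a-f'
}

# verify_blob_digest FILE URL: 0 when FILE's sha256 equals the digest in URL,
# 1 (with a diagnostic on stderr) otherwise.
verify_blob_digest() {
  file=$1; url=$2
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  expected=$(digest_from_url "$url") || { echo "no sha256 digest in URL: $url" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "digest OK: $actual"
    return 0
  fi
  echo "DIGEST MISMATCH for $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# fetch_and_verify URL DEST: download with curl, then delete DEST on mismatch so
# nothing downstream can consume an artifact that failed the check.
fetch_and_verify() {
  url=$1; dest=$2
  curl -fsSL "$url" -o "$dest" || return 1
  verify_blob_digest "$dest" "$url" || { rm -f "$dest"; return 1; }
}
```

Pairing the digest check with a signature check is still necessary: the digest proves you received the bytes the URL names, while the Cosign signature on the uploaded blob proves who published them.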

You can sign it with the normal cosign sign command and flags:

$ cosign sign <IMAGE>

Non-Interactive Signing with the Yes Flag

In automated contexts such as CI/CD pipelines, where nobody is available to answer a prompt, use the --yes flag with signing commands (cosign sign or cosign sign-blob). It skips the confirmation prompts that cosign would otherwise show, so a signing step runs to completion without manual intervention instead of hanging the job.

cosign sign --yes --key cosign.key myregistry/myimage:latest
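A CI wrapper around non-interactive key-based blob signing, as an added example that is not part of the Cosign documentation: it validates the job's inputs, refuses to start if the key password is not supplied through the environment (otherwise cosign would block on the password prompt shown in the "Signing with a key" section), and only then runs `cosign sign-blob --yes`. The `COSIGN_PASSWORD` environment variable is the one cosign reads in place of the interactive prompt; the function names and the `E_USAGE` exit code are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the Cosign docs). Assumes a cosign-generated private key
# file and its password exported as COSIGN_PASSWORD by the CI secret store.

# Exit code 2 marks a misconfigured job so a pipeline can tell it apart from a
# signing failure (exit code 1).
E_USAGE=2

# sign_blob_ci FILE KEY BUNDLE
# Signs FILE non-interactively and writes the bundle (signature and transparency
# log entry) to BUNDLE.
sign_blob_ci() {
  file=$1; key=$2; bundle=$3
  [ -n "$file" ] && [ -n "$key" ] && [ -n "$bundle" ] || {
    echo "usage: sign_blob_ci FILE KEY BUNDLE" >&2; return $E_USAGE; }
  [ -f "$file" ] || { echo "blob not found: $file" >&2; return $E_USAGE; }
  [ -f "$key" ] || { echo "private key not found: $key" >&2; return $E_USAGE; }
  # Without the password in the environment cosign waits on a prompt, which
  # hangs the job instead of failing fast.
  [ -n "${COSIGN_PASSWORD:-}" ] || {
    echo "COSIGN_PASSWORD is not set; refusing to start an interactive prompt" >&2
    return $E_USAGE; }
  command -v cosign >/dev/null 2>&1 || { echo "cosign not on PATH" >&2; return $E_USAGE; }
  # --yes skips confirmation prompts; the password is never passed on the command
  # line, cosign reads it from COSIGN_PASSWORD.
  cosign sign-blob --yes --key "$key" --bundle "$bundle" "$file" || return 1
  [ -s "$bundle" ] || { echo "bundle was not written: $bundle" >&2; return 1; }
  echo "signed $file -> $bundle"
}
```

Keep the bundle next to the artifact in the release output; it is the single file verifiers need, as described in the keyless section above.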