Installation

With Go 1.19+

If you have Go 1.19+, you can install Cosign directly by running:

go install github.com/sigstore/cosign/v2/cmd/cosign@latest

The resulting binary will be placed at $GOPATH/bin/cosign (or $GOBIN/cosign, if set).

With the Cosign binary or rpm/dpkg package

Check for the file in https://github.com/sigstore/cosign/releases

# binary
wget "https://github.com/sigstore/cosign/releases/download/v2.0.0/cosign-linux-amd64"
mv cosign-linux-amd64 /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign

# rpm
wget "https://github.com/sigstore/cosign/releases/download/v2.0.0/cosign-2.0.0.x86_64.rpm"
rpm -ivh cosign-2.0.0.x86_64.rpm

# dpkg
wget "https://github.com/sigstore/cosign/releases/download/v2.0.0/cosign_2.0.0_amd64.deb"
dpkg -i cosign_2.0.0_amd64.deb

Homebrew/Linuxbrew

If you are using Homebrew (or Linuxbrew), you can install Cosign by running:

brew install cosign

Arch Linux

If you are using Arch Linux, you can install Cosign by running:

pacman -S cosign

Alpine Linux

If you are using Alpine Linux edge, with the community repository enabled, you can install Cosign by running:

apk add cosign

Nix

If you are using Nix, you can install Cosign by running:

nix-env -iA nixpkgs.cosign

NixOS

If you are on NixOS, you can install Cosign by running:

nix-env -iA nixos.cosign

GitHub Actions

Cosign can be installed in your GitHub Actions workflows using the Cosign installer from the GitHub Marketplace:

uses: sigstore/cosign-installer@main
with:
  cosign-release: "v2.0.0" # optional

Container Images

Signed release images are available at gcr.io/projectsigstore/cosign. They are tagged with the release name (for example, gcr.io/projectsigstore/cosign:v2.0.0). They can be found with crane ls:

$ crane ls gcr.io/projectsigstore/cosign
sha256-7e9a6ca62c3b502a125754fbeb4cde2d37d4261a9c905359585bfc0a63ff17f4.sig
v0.4.0
...

CI-built containers are published for every commit at gcr.io/projectsigstore/cosign/ci/cosign. They are tagged with the commit. They can be found with crane ls:

$ crane ls gcr.io/projectsigstore/cosign/ci/cosign
749f896
749f896bb378aca5cb45c5154fc0cb43f6728d48

Further details and installation instructions for crane are available via https://github.com/google/go-containerregistry/tree/main/cmd/crane

Downloading The Update Framework (TUF) client

Before using Cosign, you will need to download and initialize the TUF environment, which allows you to ensure that your software artifacts are distributed securely and that any updates to these artifacts are signed and verified before being installed.

To do this, install and use go-tuf's CLI tools:

$ go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest

Then, obtain trusted root keys for Sigstore. You will use the 5th iteration of Sigstore's TUF root to start the root of trust, due to a backward incompatible change.

curl -o sigstore-root.json https://raw.githubusercontent.com/sigstore/root-signing/main/ceremony/2022-10-18/repository/5.root.json

Initializing TUF Environment

Then initialize the TUF client with the previously obtained root key and the remote repository:

$ tuf-client init https://tuf-repo-cdn.sigstore.dev sigstore-root.json

Verifying Cosign Releases

Before using a downloaded Cosign binary, it's important to verify its authenticity to ensure that it hasn't been tampered with. The Cosign binary is signed both with keyless signing and an artifact key. You first need to verify Cosign with the artifact key, since you will need Cosign to verify the keyless signature.

tuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub > artifact.pub

curl -o cosign-release.sig -L https://github.com/sigstore/cosign/releases/download/<version>/cosign-<os>.sig
base64 -d cosign-release.sig > cosign-release.sig.decoded

curl -o cosign -L https://github.com/sigstore/cosign/releases/download/<version>/cosign-<os>

openssl dgst -sha256 -verify artifact.pub -signature cosign-release.sig.decoded cosign

The <version> and <os> placeholders in the URLs should be replaced with the specific version and operating system that you want to download.
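The same check, base64-decoding the .sig file and verifying an SHA-256 ECDSA signature against artifact.pub, as an added Go example that is not Cosign's own code. It assumes artifact.pub is an ECDSA key in PEM PKIX form (as Cosign's own keys are); NewThrowawayRelease and its sample bytes are constructed stand-ins for the real release key and binary.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// VerifyReleaseSignature does what `base64 -d` and `openssl dgst -sha256 -verify`
// do above: pubPEM is artifact.pub, sigB64 the .sig file text, artifact the binary.
func VerifyReleaseSignature(pubPEM []byte, sigB64 string, artifact []byte) (bool, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return false, fmt.Errorf("artifact.pub: no PEM PUBLIC KEY block")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := parsed.(*ecdsa.PublicKey) // assumption: the artifact key is ECDSA
	if err != nil || !ok {
		return false, fmt.Errorf("artifact.pub: not an ECDSA public key: %v", err)
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64) // Go skips the trailing newline
	if err != nil {
		return false, fmt.Errorf("signature: %w", err)
	}
	digest := sha256.Sum256(artifact) // openssl dgst -sha256 hashes the whole file
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

// NewThrowawayRelease is a constructed stand-in for the real release key: a fresh P-256 key signs artifact (errors ignored; they cannot occur with rand.Reader).
func NewThrowawayRelease(artifact []byte) (pubPEM []byte, sigB64 string) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	digest := sha256.Sum256(artifact)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return pubPEM, base64.StdEncoding.EncodeToString(sig) + "\n"
}

func main() {
	artifact := []byte("constructed stand-in for the cosign binary")
	pubPEM, sigB64 := NewThrowawayRelease(artifact)
	genuine, _ := VerifyReleaseSignature(pubPEM, sigB64, artifact)
	tampered, _ := VerifyReleaseSignature(pubPEM, sigB64, append([]byte("x"), artifact...))
	fmt.Println("genuine:", genuine, "tampered:", tampered) // genuine: true tampered: false
}
```

Against a real download, read artifact.pub, the .sig file and the binary from disk and pass them in unchanged; a false result or an error means the binary must not be used.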

Releases

Releases are published in the Cosign repository under the Releases page, and hosted in the GCS bucket cosign-releases.

They can be reviewed with gsutil:

$ gsutil ls gs://cosign-releases/v2.0.0
gs://cosign-releases/v2.0.0/cosign-darwin-amd64
gs://cosign-releases/v2.0.0/cosign-darwin-amd64.sig
gs://cosign-releases/v2.0.0/cosign-darwin-arm64
gs://cosign-releases/v2.0.0/cosign-darwin-arm64.sig
gs://cosign-releases/v2.0.0/cosign-linux-amd64
gs://cosign-releases/v2.0.0/cosign-linux-amd64.sig
gs://cosign-releases/v2.0.0/cosign-windows-amd64.exe
gs://cosign-releases/v2.0.0/cosign-windows-amd64.exe.sig
gs://cosign-releases/v2.0.0/cosign_checksums.txt
gs://cosign-releases/v2.0.0/release-cosign.pub
Updated at Mon, Apr 17, 2023