cosign
Description:
Container Signing
Type: Formula  |  Latest Version: 3.0.3@0  |  Tracked Since: Dec 17, 2025
Links: Homepage  |  @sigstore  |  formulae.brew.sh
Category: Security
Tags: security signing containers kubernetes sigstore supply-chain
Install: brew install cosign
About:
Cosign is a tool for signing and verifying container images and other artifacts to ensure supply chain security. It integrates with the Sigstore public good instance for transparent signing and key management. This enables developers to cryptographically prove the origin and integrity of their software artifacts.
Key Features:
  • Keyless signing using OIDC identity
  • Support for OCI registry artifacts (images, SBOMs, etc.)
  • Signature verification in Kubernetes
  • Bring-your-own-key (BYOK) support
  • Integration with Sigstore's Rekor transparency log
Use Cases:
  • Enforcing image signature policies in Kubernetes clusters
  • Verifying software supply chain integrity in CI/CD pipelines
  • Signing and distributing SBOMs alongside container images
Alternatives:
  • Notary v2 – CNCF project focused on OCI artifacts; integrates deeply with registries, whereas Cosign is registry-agnostic and emphasizes keyless signing.
Version History
Detected Version Rev Change Commit
Oct 9, 2025 11:03am 0 VERSION_BUMP 902e5724
Sep 14, 2025 1:31am 0 VERSION_BUMP 3ad46dfc