Cosign
Last updated
Last updated
# dkpg
LATEST_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ")
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_VERSION}_amd64.deb"
sudo dpkg -i cosign_${LATEST_VERSION}_amd64.deb
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 153k 0 153k 0 0 385k 0 --:--:-- --:--:-- --:--:-- 384k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 58.8M 100 58.8M 0 0 22.9M 0 0:00:02 0:00:02 --:--:-- 34.3M
[sudo] password for marcelo:
Selecting previously unselected package cosign.
(Reading database ... 61270 files and directories currently installed.)
Preparing to unpack cosign_3.0.2_amd64.deb ...
Unpacking cosign (3.0.2) ...
Setting up cosign (3.0.2) ...$ cosign
A tool for Container Signing, Verification and Storage in an OCI registry.
Usage:
cosign [command]
Available Commands:
attach Provides utilities for attaching artifacts to other artifacts in a registry
attest Attest the supplied container image.
attest-blob Attest the supplied blob.
bundle Interact with a Sigstore protobuf bundle
clean Remove all signatures from an image.
completion Generate completion script
copy Copy the supplied container image and signatures.
dockerfile Provides utilities for discovering images in and performing operations on Dockerfiles
download Provides utilities for downloading artifacts and attached artifacts in a registry
env Prints Cosign environment variables
generate Generates (unsigned) signature payloads from the supplied container image.
generate-key-pair Generates a key-pair.
help Help about any command
import-key-pair Imports a PEM-encoded RSA or EC private key.
initialize Initializes SigStore root to retrieve trusted certificate and key targets for verification.
load Load a signed image on disk to a remote registry
login Log in to a registry
manifest Provides utilities for discovering images in and performing operations on Kubernetes manifests
public-key Gets a public key from the key-pair.
save Save the container image and associated signatures to disk at the specified directory.
sign Sign the supplied container image.
sign-blob Sign the supplied blob, outputting the base64-encoded signature to stdout.
signing-config Interact with a Sigstore protobuf signing config
tree Display supply chain security related artifacts for an image such as signatures, SBOMs and attestations
triangulate Outputs the located cosign image reference. This is the location where cosign stores the specified artifact type.
trusted-root Interact with a Sigstore protobuf trusted root
upload Provides utilities for uploading artifacts to a registry
verify Verify a signature on the supplied container image
verify-attestation Verify an attestation on the supplied container image
verify-blob Verify a signature on the supplied blob
verify-blob-attestation Verify an attestation on the supplied blob
version Prints the version
Flags:
-h, --help=false:
help for cosign
--output-file='':
log output to a file
-t, --timeout=3m0s:
timeout for commands
-d, --verbose=false:
log debug output
Additional help topics:
cosign piv-tool This cosign was not built with piv-tool support!
cosign pkcs11-tool This cosign was not built with pkcs11-tool support!
Use "cosign [command] --help" for more information about a command.