Skip to main content

Signing images

You can sign images and verify signatures with cosign.

To install cosign on a Mac or Linux system:

brew install cosign


Since cosign uses docker under the hood, you have to sign in to your registry using docker. For example, to use, use your GitHub personal access token (PAT) as your password.

$ echo $PAT | docker login -u <GitHub-account> --password-stdin
Login Succeeded

Initialize cosign

Initialize cosign and create a key pair:

$ cosign initialize
$ cosign generate-key-pair
cosign generate-key-pair
Enter password for private key: Enter again:
Private key written to cosign.key
Public key written to

Signing an image


You can only sign images that have been pushed to an OCI-compliant registry. If you haven't yet, issue a policy push on your policy image before signing it.

Sign the container image using the private key:

$ cosign sign --key cosign.key
Enter password for private key: Pushing signature to:

Verifying the signature

Verify the signature using the public key:

$ cosign verify --key

Verification for --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481"},"type":"cosign container image signature"},"optional":null}]