Question 1

How do I sign a Docker image with Cosign without managing keys?

Accepted Answer

Use the default keyless signing by running 'cosign sign $IMAGE', which authenticates via OIDC (e.g., with your email), requests a certificate from Fulcio, logs to Rekor, and stores the signature in the registry. Always sign by digest to avoid tag mismatches.

Question 2

Cosign vs Notary v2: which is better for container signing?

Accepted Answer

Cosign is simpler and integrates with Sigstore for keyless signing, making it ideal for teams wanting to avoid key management. Notary v2 offers more complex trust models and features; Cosign's README links to a blog post comparing them for detailed insights.

Question 3

Can Cosign sign artifacts without uploading to a registry?

Accepted Answer

Cosign is designed for OCI registry storage; for local signing without a registry, you might need to simulate a registry or use alternative tools, as it relies on registry APIs for signature storage and retrieval.

Question 4

How to verify Cosign signatures in Kubernetes?

Accepted Answer

Integrate Cosign with admission controllers like Kyverno or Gatekeeper to verify signatures during pod deployment. You'll need to configure policies that run 'cosign verify' commands against images, often using the expected certificate identity or public keys.

Question 5

Does Cosign support PGP keys for signing?

Accepted Answer

No, Cosign intentionally uses ECDSA-P256 keys and a different payload format compared to PGP. It focuses on modern cryptographic standards and registry integration, though you can store any signature format in a registry with Cosign.

Question 6

What KMS providers does Cosign work with?

Accepted Answer

Cosign supports HashiCorp Vault, AWS KMS, GCP KMS, and Azure Key Vault for signing, as listed in the README. This allows secure key management without storing private keys locally, but setup may vary by provider.

Cosign

What is Cosign?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions