Skip to main content

Signing images

You can sign images and verify signatures with cosign.

To install cosign on a Mac or Linux system:

brew install cosign


Since cosign uses docker under the hood, you have to sign in to the registry using docker. Use your GitHub personal access token (PAT) as your password.

$ docker login -u <GitHub-account>
Login Succeeded

Initialize cosign

Initialize cosign and create a key pair:

$ cosign initialize
$ cosign generate-key-pair
cosign generate-key-pair
Enter password for private key: Enter again:
Private key written to cosign.key
Public key written to

Signing an image


You can only sign images that have been pushed to an OCI-compliant registry. If you haven't yet, issue a policy push on your policy image before signing it.

Sign the container image using the private key:

$ cosign sign --key cosign.key
Enter password for private key: Pushing signature to:

Verifying the signature

Verify the signature using the public key:

$ cosign verify --key

Verification for --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481"},"type":"cosign container image signature"},"optional":null}]