Sign a container image after building it so consumers can verify it came from you and was not tampered with.
Set up keyless signing in a CI/CD pipeline using a GitHub or Google identity without managing private key files.
Verify the signature of a container image before pulling it into a production environment as a security check.
Sign and verify generic software release files and blobs beyond container images for supply chain auditability.
| sigstore/cosign | gorgonia/gorgonia | bwmarrin/discordgo | |
|---|---|---|---|
| Stars | 5,914 | 5,914 | 5,913 |
| Language | Go | Go | Go |
| Setup difficulty | moderate | hard | easy |
| Complexity | 3/5 | 4/5 | 2/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Keyless signing requires a browser login step through an identity provider, key-based signing requires configuring a key management service or generating a key pair first.
Cosign is a command-line tool for signing container images and other software artifacts, making it possible to verify that a piece of software has not been tampered with after it was published. It is part of the Sigstore project, a broader initiative to make software supply-chain security more accessible. The default signing method, called keyless signing, does not require you to manage a private key file. Instead, you log in with an email account (via Google, GitHub, or another identity provider), and Cosign requests a short-lived certificate from a certificate authority. The signature is then recorded in a public transparency log called Rekor, creating a permanent, auditable trail of who signed what and when. If you prefer to use your own keys, Cosign also supports traditional public/private key pairs, hardware security keys, and cloud-based key management services. To sign a container image, you run a single command with the image's digest (a unique fingerprint of the image content), and Cosign walks you through a browser-based login. To verify, you run another command that checks the signature against the transparency log. The tool also supports signing and verifying generic files and blobs beyond containers. Cosign is stable and actively maintained. Its ongoing development is shifting toward a related library called sigstore-go, which the Cosign tool is being rebuilt on top of. Binaries are available for Linux and macOS, and it can be installed via Homebrew, Nix, Arch Linux packages, or as a GitHub Actions step for use in automated pipelines. A Docker image is also provided for use inside container builds. The full README is longer than what was shown.
Cosign is a command-line tool for signing and verifying container images and software artifacts so you can prove a piece of software has not been tampered with after it was published.
Mainly Go. The stack also includes Go, Docker.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.