🍺 BREW Explorer


cosign

brew install cosign
v3.1.1 · Apache-2.0

Go command-line tool for signing and verifying OCI container images using Sigstore's keyless infrastructure.

Why you might care

Cosign simplifies container supply-chain security by enabling keyless signing (via the Fulcio certificate authority and the Rekor transparency log) without managing private keys locally. It stores and verifies signatures in OCI container registries and also supports hardware and KMS signing and traditional keypairs, making it essential for DevSecOps pipelines and signed artifact distribution.

Categories

container-runtime, security, cryptography

Alternatives

notary, skopeo

4.2k 30-day installs · #685
13.8k 90-day installs · #677
54.0k 365-day installs · #645
6.0k ★ GitHub stars · updated 2d ago

Build dependencies

go

Links

https://github.com/sigstore/cosign

Blurb generated by claude-haiku-4-5 on today.

Raw metadata
{
  "aliases": [],
  "alternatives": [
    "notary",
    "skopeo"
  ],
  "build_dependencies": [
    "go"
  ],
  "categories": [
    "container-runtime",
    "security",
    "cryptography"
  ],
  "caveats": null,
  "conflicts_with": [],
  "dependencies": [],
  "deprecated": 0,
  "deprecation_reason": null,
  "desc": "Container Signing",
  "disable_reason": null,
  "disabled": 0,
  "enrichment_fetched_at": "2026-06-20T23:36:37+00:00",
  "first_seen": "2026-06-20T23:34:18+00:00",
  "full_name": "cosign",
  "github_default_branch": "main",
  "github_last_commit_at": "2026-06-18T18:14:56Z",
  "github_readme_excerpt": "\u003cp align=\"center\"\u003e\n  \u003cimg style=\"max-width: 100%;width: 300px;\" src=\"https://raw.githubusercontent.com/sigstore/community/main/artwork/cosign/horizontal/color/sigstore_cosign-horizontal-color.svg\" alt=\"Cosign logo\"/\u003e\n\u003c/p\u003e\n\n# cosign\n\nSigning OCI containers (and other artifacts) using [Sigstore](https://sigstore.dev/)!\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/sigstore/cosign)](https://goreportcard.com/report/github.com/sigstore/cosign)\n[![e2e-tests](https://github.com/sigstore/cosign/actions/workflows/e2e-tests.yml/badge.svg)](https://github.com/sigstore/cosign/actions/workflows/e2e-tests.yml)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5715/badge)](https://bestpractices.coreinfrastructure.org/projects/5715)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sigstore/cosign/badge)](https://securityscorecards.dev/viewer/?uri=github.com/sigstore/cosign)\n\nCosign aims to make signatures **invisible infrastructure**.\n\nCosign supports:\n\n* \"Keyless signing\" with the Sigstore public good Fulcio certificate authority and Rekor transparency log (default)\n* Hardware and KMS signing\n* Signing with a cosign generated encrypted private/public keypair\n* Container Signing, Verification and Storage in an OCI registry.\n* Bring-your-own PKI\n\n## Info\n\n`Cosign` is developed as part of the [`sigstore`](https://sigstore.dev) project.\nWe also use a [slack channel](https://sigstore.slack.com)!\nClick [here](https://join.slack.com/t/sigstore/shared_invite/zt-2ub0ztl5z-PkWb_Ldwef5d6nb~oryaTA) for the invite link.\n\n## Installation\n\nFor Homebrew, Arch, Nix, GitHub Action, and Kubernetes installs see the [installation docs](https://docs.sigstore.dev/cosign/system_config/installation/).\n\nFor Linux and macOS binaries see the [GitHub release assets](https://github.com/sigstore/cosign/releases/latest).\n\n:rotating_light: If you are downloading releases of cosign from our GCS bucket - please see more information on the July 3",
  "github_repo": "sigstore/cosign",
  "github_stars": 6047,
  "github_topics": [],
  "homepage": "https://github.com/sigstore/cosign",
  "homepage_og_description": null,
  "homepage_og_image": null,
  "homepage_title": null,
  "installs_30d": 4176,
  "installs_365d": 54031,
  "installs_90d": 13847,
  "keg_only": 0,
  "keg_only_reason": null,
  "last_seen": "2026-06-20T23:34:18+00:00",
  "license": "Apache-2.0",
  "llm_generated_at": "2026-06-20T23:46:23+00:00",
  "llm_model": "claude-haiku-4-5",
  "name": "cosign",
  "oldnames": [],
  "one_liner": "Go command-line tool for signing and verifying OCI container images using Sigstore\u0027s keyless infrastructure.",
  "optional_dependencies": [],
  "rank_30d": 685,
  "rank_365d": 645,
  "rank_90d": 677,
  "raw_hash": "a6e080fdb99dd8d5",
  "recommended_dependencies": [],
  "revision": 0,
  "ruby_source_path": "Formula/c/cosign.rb",
  "tap": "homebrew/core",
  "test_dependencies": [],
  "uses_from_macos": [],
  "version_head": "HEAD",
  "version_stable": "3.1.1",
  "versioned_formulae": [],
  "why_use_this": "Cosign simplifies container supply-chain security by enabling keyless signing (via Fulcio CA and Rekor transparency log) without managing private keys locally. It integrates with container registries for signature storage/verification and supports hardware KMS and traditional keypairs, making it essential for DevSecOps pipelines and signed artifact distribution."
}