Recipe: Signed container images (cosign)

Sign your container images with cosign and enforce signature verification in your CI/CD pipeline before deployment.

Prerequisites

  • cosign CLI installed (v2.2+)
  • OIDC provider configured (GitHub Actions, GCP, SPIFFE)
  • Container registry with signing support

Step 1 — Generate key pair

cosign generate-key-pair

Writes cosign.key and cosign.pub to the current directory; you are prompted for a password that encrypts the private key. Protect the private key and keep it out of the repository.

Step 2 — Sign the image

cosign sign --key cosign.key ghcr.io/org/image:tag

Pushes a signature object alongside the image in the registry. Prefer an immutable reference (ghcr.io/org/image@sha256:<digest>) over a tag: tags are mutable, so a signature made against a tag only covers the digest that tag resolved to at signing time.

Step 3 — Verify before deploy

cosign verify --key cosign.pub ghcr.io/org/image:tag

Exits non-zero if the signature is missing or invalid. Gate deployments on this check, and verify the same digest-pinned reference you deploy.

Keyless mode (OIDC)

cosign sign ghcr.io/org/image:tag

Uses the ambient OIDC token from your CI runner to obtain a short-lived signing certificate from Fulcio; the signature is recorded in the Rekor transparency log. No long-lived key material to manage. Verification in keyless mode must name the expected signer: cosign v2 requires --certificate-identity and --certificate-oidc-issuer on cosign verify, otherwise any valid certificate from any identity would be accepted.
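The deployment gate from Step 3, extended to cover keyless verification as well. This is an added example, not a script from the cosign project: it assumes cosign v2.2+ on PATH, and the environment variables COSIGN_PUBKEY, CERT_IDENTITY and CERT_OIDC_ISSUER are names chosen here, not cosign conventions. It also enforces the digest-pinning caveat above, refusing tag references before cosign is even invoked.

```shell
#!/bin/sh
# Added example (not part of the cosign project): CI gate that refuses to deploy
# an image unless it is pinned by digest and carries a valid cosign signature.
#
# Configuration (names assumed by this script, not by cosign):
#   COSIGN_PUBKEY     path to cosign.pub  -> key-based verify (Step 3)
#   CERT_IDENTITY     expected signer identity, e.g. the GitHub workflow URL
#   CERT_OIDC_ISSUER  expected issuer, e.g. https://token.actions.githubusercontent.com
# If COSIGN_PUBKEY is unset, keyless verify is used and both CERT_* values are required.
set -eu

# Return 0 if the reference is pinned by digest (repo@sha256:<64 hex chars>), 1 otherwise.
# Tags are mutable, so a gate that verifies a tag may deploy a different digest later.
is_digest_ref() {
  printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Run cosign verify for the configured mode. Returns cosign's exit status:
# non-zero when the signature is missing, invalid, or signed by the wrong identity.
verify_image() {
  ref="$1"
  if [ -n "${COSIGN_PUBKEY:-}" ]; then
    cosign verify --key "$COSIGN_PUBKEY" "$ref" >/dev/null
  else
    cosign verify \
      --certificate-identity "${CERT_IDENTITY:?set CERT_IDENTITY for keyless verify}" \
      --certificate-oidc-issuer "${CERT_OIDC_ISSUER:?set CERT_OIDC_ISSUER for keyless verify}" \
      "$ref" >/dev/null
  fi
}

# Gate: 0 = safe to deploy, 2 = reference not digest-pinned, 3 = verification failed.
# The digest check runs first so an unpinned reference never reaches the registry.
gate_deploy() {
  ref="$1"
  if ! is_digest_ref "$ref"; then
    echo "refusing to deploy $ref: pin the image by digest, not by tag" >&2
    return 2
  fi
  if ! verify_image "$ref"; then
    echo "refusing to deploy $ref: signature missing or invalid" >&2
    return 3
  fi
  echo "signature verified for $ref"
  return 0
}

# Usage: ./gate.sh ghcr.io/org/image@sha256:<digest>
# The script's exit status is the gate's status, so a CI step fails on any rejection.
if [ $# -gt 0 ]; then
  gate_deploy "$1"
fi
```

Wire it in as the step immediately before the deploy command (kubectl apply, helm upgrade, and so on) and pass the exact digest-pinned reference that the deploy step uses; the gate's non-zero exit stops the pipeline.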