# Install cosign

Container Signing. Version 3.1.1 via Homebrew; verified 2026-06-09.

## Install

```sh
sudo av install brew:cosign
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install cosign
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install cosign
```

  Evidence: MacPorts ports tree: security/cosign/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add cosign
```

  Evidence: Alpine Linux edge package indexes: cosign from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install cosign
```

  Evidence: Debian stable package indexes: cosign from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- Nix (92%):

```sh
nix profile install nixpkgs#cosign
```

  Evidence: nixpkgs package indexes: pkgs/by-name/co/cosign/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S cosign
```

  Evidence: Arch Linux sync databases: cosign from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install cosign
```

  Evidence: openSUSE Tumbleweed package metadata: cosign from https://download.opensuse.org/tumbleweed/repo/oss/repodata/155b97171d05e27afd950b6fe0d55513ff38f4597110664535bceedc680bbe6fd459f0733718dcc21dcf0efc7c8250fd1390c73d4790b42e62fb2c16a87242e5-primary.xml.zst

### Windows

- Scoop (92%):

```powershell
scoop install main/cosign
```

  Evidence: Scoop official bucket manifest trees: bucket/cosign.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```powershell
winget install --id Sigstore.Cosign -e
```

  Evidence: Windows Package Manager source index: Sigstore.Cosign from https://cdn.winget.microsoft.com/cache/source.msix

## Package Facts

- **Package key:** brew:cosign
- **Package manager:** Homebrew
- **Package manager URL:** <https://formulae.brew.sh/formula/cosign>
- **Version:** 3.1.1
- **Source summary:** Container Signing
- **Homepage:** <https://github.com/sigstore/cosign>
- **Repository:** <https://github.com/sigstore/cosign>
- **Upstream docs:** <https://docs.sigstore.dev/cosign>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/sigstore/cosign.git>
- **Last updated:** 2026-06-09T18:09:12Z
- **Generated:** 2026-06-10T07:18:26+00:00

## Executables

- cosign (cli)
- cosign (alias)

## Build Dependencies

- go

## Install Behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-06-10
- Package-manager version: 3.1.1
- Package-manager updated: 2026-06-09
- Local data status: ok
- Upstream repository: https://github.com/sigstore/cosign
- info: No cached GitHub release or tag data was available.

## Security Notes

Infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** cosign
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - cosign - 2.5.0-2+b4: normalized package name match | Debian stable package indexes: cosign from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Code signing/transparency for containers and binaries (program) | https://github.com/sigstore/cosign
- Debian apt - golang-github-sigstore-cosign-dev - 2.5.0-2: normalized package name match | Debian stable package indexes: golang-github-sigstore-cosign-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Code signing/transparency for containers and binaries (library) | https://github.com/sigstore/cosign
- Nix - cosign: normalized package name match | nixpkgs package indexes: pkgs/by-name/co/cosign/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - cosign - 3.0.6-r1: normalized package name match | Alpine Linux edge package indexes: cosign from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | container signing tool with support for ephemeral keys and Sigstore signing | https://github.com/sigstore/cosign
- apk - cosign-bash-completion - 3.0.6-r1: normalized package name match | Alpine Linux edge package indexes: cosign-bash-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Bash completions for cosign | https://github.com/sigstore/cosign
- apk - cosign-fish-completion - 3.0.6-r1: normalized package name match | Alpine Linux edge package indexes: cosign-fish-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Fish completions for cosign | https://github.com/sigstore/cosign
- apk - cosign-zsh-completion - 3.0.6-r1: normalized package name match | Alpine Linux edge package indexes: cosign-zsh-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Zsh completions for cosign | https://github.com/sigstore/cosign
- pacman - cosign - 3.0.6-1: normalized package name match | Arch Linux sync databases: cosign from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Container Signing with support for ephemeral keys and Sigstore signing | https://github.com/sigstore/cosign
- zypper - cosign - 3.0.6-1.1: normalized package name match | openSUSE Tumbleweed package metadata: cosign from https://download.opensuse.org/tumbleweed/repo/oss/repodata/155b97171d05e27afd950b6fe0d55513ff38f4597110664535bceedc680bbe6fd459f0733718dcc21dcf0efc7c8250fd1390c73d4790b42e62fb2c16a87242e5-primary.xml.zst | Container Signing, Verification and Storage in an OCI registry | https://github.com/sigstore/cosign
- zypper - cosign-bash-completion - 3.0.6-1.1: normalized package name match | openSUSE Tumbleweed package metadata: cosign-bash-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/155b97171d05e27afd950b6fe0d55513ff38f4597110664535bceedc680bbe6fd459f0733718dcc21dcf0efc7c8250fd1390c73d4790b42e62fb2c16a87242e5-primary.xml.zst | Bash Completion for cosign | https://github.com/sigstore/cosign
- zypper - cosign-fish-completion - 3.0.6-1.1: normalized package name match | openSUSE Tumbleweed package metadata: cosign-fish-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/155b97171d05e27afd950b6fe0d55513ff38f4597110664535bceedc680bbe6fd459f0733718dcc21dcf0efc7c8250fd1390c73d4790b42e62fb2c16a87242e5-primary.xml.zst | Fish Completion for cosign | https://github.com/sigstore/cosign
- zypper - cosign-zsh-completion - 3.0.6-1.1: normalized package name match | openSUSE Tumbleweed package metadata: cosign-zsh-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/155b97171d05e27afd950b6fe0d55513ff38f4597110664535bceedc680bbe6fd459f0733718dcc21dcf0efc7c8250fd1390c73d4790b42e62fb2c16a87242e5-primary.xml.zst | Zsh Completion for cosign | https://github.com/sigstore/cosign
- MacPorts - cosign: normalized package name match | MacPorts ports tree: security/cosign/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Scoop - main/cosign: normalized package name match | Scoop official bucket manifest trees: bucket/cosign.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
- winget - Sigstore.Cosign: normalized package name match | Windows Package Manager source index: Sigstore.Cosign from https://cdn.winget.microsoft.com/cache/source.msix


## Related Links

- [Source-control packages](https://www.automicvault.com/de/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/de/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/de/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/de/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/de/pkg/brew/go/) - Build dependency declared by Homebrew.
- [sigstore](https://www.automicvault.com/de/pkg/brew/sigstore/) - Shares av.db curated category or tags: cli, security, sigstore, software-supply-chain, supply-chain-security.
- [rekor-cli](https://www.automicvault.com/de/pkg/brew/rekor-cli/) - Shares av.db curated category or tags: cli, security, sigstore, software-supply-chain, supply-chain-security.
- [gitsign](https://www.automicvault.com/de/pkg/brew/gitsign/) - Shares av.db curated category or tags: cli, security, sigstore, software-supply-chain, supply-chain-security.
- [safety](https://www.automicvault.com/de/pkg/brew/safety/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [poutine](https://www.automicvault.com/de/pkg/brew/poutine/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [notation](https://www.automicvault.com/de/pkg/brew/notation/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [gittuf](https://www.automicvault.com/de/pkg/brew/gittuf/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [syft](https://www.automicvault.com/de/pkg/brew/syft/) - Shares av.db curated category or tags: cli, security, software-supply-chain.

## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
