Automic VaultAutomic Vault

brew

Install cosign with Homebrew, apk, apt, MacPorts, Nix, pacman, scoop, winget, zypper

Container Signing. Version 3.1.1 via Homebrew; verified 2026-06-09.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install cosign

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install cosign

MacPorts ports tree · security/cosign/Portfile · source: api.github.com

Linux

Alpine Linux apkverified · 92%
sudo apk add cosign

Alpine Linux edge package indexes · cosign · source: dl-cdn.alpinelinux.org

Debian aptverified · 92%
sudo apt install cosign

Debian stable package indexes · cosign · source: deb.debian.org

Nixverified · 92%
nix profile install nixpkgs#cosign

nixpkgs package indexes · pkgs/by-name/co/cosign/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S cosign

Arch Linux sync databases · cosign · source: geo.mirror.pkgbuild.com

openSUSE zypperverified · 92%
sudo zypper install cosign

openSUSE Tumbleweed package metadata · cosign · source: download.opensuse.org

Windows

Scoopverified · 92%
scoop install main/cosign

Scoop official bucket manifest trees · bucket/cosign.json · source: api.github.com

Windows Package Managerverified · 92%
winget install --id Sigstore.Cosign -e

Windows Package Manager source index · Sigstore.Cosign · source: cdn.winget.microsoft.com

overview

Package summary

Container Signing

Commands and aliases

  • cosign

history

Project history and usage

cosign is Sigstore's command-line signing and verification tool for OCI containers, blobs, and other artifacts. It helped make software-supply-chain signing a normal packaging and CI concern by combining artifact signatures, OIDC identities, Fulcio certificates, Rekor transparency logging, and registry-native storage.

Project history

The sigstore/cosign repository was created in February 2021 and published early releases the following month. The README describes cosign as part of the Sigstore project and frames its goal as making signatures invisible infrastructure, which matches its role as the user-facing CLI for Sigstore signing workflows.

Adoption history

cosign spread through container and release pipelines because it supports keyless signing by default while still allowing hardware, KMS, generated key pairs, and bring-your-own PKI. Official installation docs and package metadata show it distributed through common developer package channels including Homebrew, Linux distributions, Nix, Scoop, and winget.

How it is used

Common package-nerd usage is to sign images by digest, verify images against expected OIDC identity and issuer values, sign or verify blobs, and publish signatures or attestations alongside artifacts in OCI registries. The README also documents offline verification and generic artifact upload flows.

Why package nerds care

cosign matters to package ecosystems because it turns artifact authenticity into a reproducible command-line step. It is often used by maintainers and downstream packagers to verify upstream release assets, container images, SBOMs, and attestations without each project inventing a bespoke signing scheme.

Timeline

  • 2021: sigstore/cosign repository created and first GitHub releases published.
  • 2023: Public GCS release bucket deprecation notice moved users toward GitHub release assets.
  • 2026: The repository remained active with v2-series maintenance and ongoing work toward future Sigstore Go based development.

Related projects

  • Sigstore, Fulcio, Rekor, sigstore-go, OCI registries, in-toto attestations.

security posture

Risk level: orange

infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • infrastructure mutation or orchestration signal

Signals

  • text:container

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
cosigncliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version3.1.1
manager updated2026-06-09
local dataok
upstreamnot checked
latest detectednot detected

https://github.com/sigstore/cosign

install metadata

Package metadata

Package keybrew:cosign
Version3.1.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/cosign
Homepagehttps://github.com/sigstore/cosign
Repositoryhttps://github.com/sigstore/cosign
Upstream docshttps://docs.sigstore.dev/cosign
LicenseApache-2.0
Source archivehttps://github.com/sigstore/cosign.git
Last updated2026-06-09T18:09:12Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecosign
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

cosign 2.5.0-2+b4

Code signing/transparency for containers and binaries (program)

https://github.com/sigstore/cosign

sudo apt install cosign
  • Section: golang
  • Architecture: amd64
  • Source Package: cosign
  • 1 dependencies
  • normalized package name match
  • Matched by: Cosign
Debian stable package indexes · deb.debian.org · Debian stable package indexes: cosign from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Debian apt95%

golang-github-sigstore-cosign-dev 2.5.0-2

Code signing/transparency for containers and binaries (library)

https://github.com/sigstore/cosign

sudo apt install golang-github-sigstore-cosign-dev
  • Section: golang
  • Architecture: all
  • Source Package: cosign
  • 32 dependencies
  • normalized package name match
  • Matched by: Cosign
Debian stable package indexes · deb.debian.org · Debian stable package indexes: golang-github-sigstore-cosign-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix95%

cosign

nix profile install nixpkgs#cosign
  • normalized package name match
  • Matched by: Cosign
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/co/cosign/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

cosign 3.0.6-r1

container signing tool with support for ephemeral keys and Sigstore signing

https://github.com/sigstore/cosign

sudo apk add cosign
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: cosign
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cosign
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cosign from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

cosign-bash-completion 3.0.6-r1

Bash completions for cosign

https://github.com/sigstore/cosign

sudo apk add cosign-bash-completion
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: cosign
  • normalized package name match
  • Matched by: Cosign
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cosign-bash-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

cosign-fish-completion 3.0.6-r1

Fish completions for cosign

https://github.com/sigstore/cosign

sudo apk add cosign-fish-completion
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: cosign
  • normalized package name match
  • Matched by: Cosign
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cosign-fish-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

cosign-zsh-completion 3.0.6-r1

Zsh completions for cosign

https://github.com/sigstore/cosign

sudo apk add cosign-zsh-completion
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: cosign
  • normalized package name match
  • Matched by: Cosign
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cosign-zsh-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
pacman95%

cosign 3.0.6-1

Container Signing with support for ephemeral keys and Sigstore signing

https://github.com/sigstore/cosign

sudo pacman -S cosign
  • License: Apache-2.0
  • Architecture: x86_64
  • 1 dependencies
  • normalized package name match
  • Matched by: Cosign
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: cosign from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

cosign 3.0.6-1.1

Container Signing, Verification and Storage in an OCI registry

https://github.com/sigstore/cosign

sudo zypper install cosign
  • License: Apache-2.0
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: cosign
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cosign
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: cosign from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

cosign-bash-completion 3.0.6-1.1

Bash Completion for cosign

https://github.com/sigstore/cosign

sudo zypper install cosign-bash-completion
  • License: Apache-2.0
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: cosign
  • 2 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cosign
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: cosign-bash-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

cosign-fish-completion 3.0.6-1.1

Fish Completion for cosign

https://github.com/sigstore/cosign

sudo zypper install cosign-fish-completion
  • License: Apache-2.0
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: cosign
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cosign
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: cosign-fish-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

cosign-zsh-completion 3.0.6-1.1

Zsh Completion for cosign

https://github.com/sigstore/cosign

sudo zypper install cosign-zsh-completion
  • License: Apache-2.0
  • Category: System/Shells
  • Architecture: noarch
  • Source Package: cosign
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cosign
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: cosign-zsh-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

cosign

sudo port install cosign
  • normalized package name match
  • Matched by: Cosign
MacPorts ports tree · api.github.com · MacPorts ports tree: security/cosign/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Scoop95%

main/cosign

scoop install main/cosign
  • normalized package name match
  • Matched by: Cosign
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/cosign.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
winget95%

Sigstore.Cosign

winget install --id Sigstore.Cosign -e
  • normalized package name match
  • Matched by: Cosign
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: Sigstore.Cosign from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment