macOS
brew install cosignlocal Homebrew formula metadata
sudo port install cosignMacPorts ports tree · security/cosign/Portfile · source: api.github.com
brew
Container Signing. Version 3.1.1 via Homebrew; verified 2026-06-09.
install
brew install cosignlocal Homebrew formula metadata
sudo port install cosignMacPorts ports tree · security/cosign/Portfile · source: api.github.com
sudo apk add cosignAlpine Linux edge package indexes · cosign · source: dl-cdn.alpinelinux.org
sudo apt install cosignDebian stable package indexes · cosign · source: deb.debian.org
nix profile install nixpkgs#cosignnixpkgs package indexes · pkgs/by-name/co/cosign/package.nix · source: api.github.com
sudo pacman -S cosignArch Linux sync databases · cosign · source: geo.mirror.pkgbuild.com
sudo zypper install cosignopenSUSE Tumbleweed package metadata · cosign · source: download.opensuse.org
scoop install main/cosignScoop official bucket manifest trees · bucket/cosign.json · source: api.github.com
winget install --id Sigstore.Cosign -eWindows Package Manager source index · Sigstore.Cosign · source: cdn.winget.microsoft.com
overview
Container Signing
history
cosign is Sigstore's command-line signing and verification tool for OCI containers, blobs, and other artifacts. It helped make software-supply-chain signing a normal packaging and CI concern by combining artifact signatures, OIDC identities, Fulcio certificates, Rekor transparency logging, and registry-native storage.
The sigstore/cosign repository was created in February 2021 and published early releases the following month. The README describes cosign as part of the Sigstore project and frames its goal as making signatures invisible infrastructure, which matches its role as the user-facing CLI for Sigstore signing workflows.
cosign spread through container and release pipelines because it supports keyless signing by default while still allowing hardware, KMS, generated key pairs, and bring-your-own PKI. Official installation docs and package metadata show it distributed through common developer package channels including Homebrew, Linux distributions, Nix, Scoop, and winget.
Common package-nerd usage is to sign images by digest, verify images against expected OIDC identity and issuer values, sign or verify blobs, and publish signatures or attestations alongside artifacts in OCI registries. The README also documents offline verification and generic artifact upload flows.
cosign matters to package ecosystems because it turns artifact authenticity into a reproducible command-line step. It is often used by maintainers and downstream packagers to verify upstream release assets, container images, SBOMs, and attestations without each project inventing a bespoke signing scheme.
security posture
infrastructure mutation or orchestration signal.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
cosign | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/sigstore/cosign
install metadata
| Package key | brew:cosign |
|---|---|
| Version | 3.1.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/cosign |
| Homepage | https://github.com/sigstore/cosign |
| Repository | https://github.com/sigstore/cosign |
| Upstream docs | https://docs.sigstore.dev/cosign |
| License | Apache-2.0 |
| Source archive | https://github.com/sigstore/cosign.git |
| Last updated | 2026-06-09T18:09:12Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | cosign |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
cosign 2.5.0-2+b4
Code signing/transparency for containers and binaries (program)
https://github.com/sigstore/cosign
sudo apt install cosigngolang-github-sigstore-cosign-dev 2.5.0-2
Code signing/transparency for containers and binaries (library)
https://github.com/sigstore/cosign
sudo apt install golang-github-sigstore-cosign-devcosign
nix profile install nixpkgs#cosigncosign 3.0.6-r1
container signing tool with support for ephemeral keys and Sigstore signing
https://github.com/sigstore/cosign
sudo apk add cosigncosign-bash-completion 3.0.6-r1
Bash completions for cosign
https://github.com/sigstore/cosign
sudo apk add cosign-bash-completioncosign-fish-completion 3.0.6-r1
Fish completions for cosign
https://github.com/sigstore/cosign
sudo apk add cosign-fish-completioncosign-zsh-completion 3.0.6-r1
Zsh completions for cosign
https://github.com/sigstore/cosign
sudo apk add cosign-zsh-completioncosign 3.0.6-1
Container Signing with support for ephemeral keys and Sigstore signing
https://github.com/sigstore/cosign
sudo pacman -S cosigncosign 3.0.6-1.1
Container Signing, Verification and Storage in an OCI registry
https://github.com/sigstore/cosign
sudo zypper install cosigncosign-bash-completion 3.0.6-1.1
Bash Completion for cosign
https://github.com/sigstore/cosign
sudo zypper install cosign-bash-completioncosign-fish-completion 3.0.6-1.1
Fish Completion for cosign
https://github.com/sigstore/cosign
sudo zypper install cosign-fish-completioncosign-zsh-completion 3.0.6-1.1
Zsh Completion for cosign
https://github.com/sigstore/cosign
sudo zypper install cosign-zsh-completioncosign
sudo port install cosignmain/cosign
scoop install main/cosignSigstore.Cosign
winget install --id Sigstore.Cosign -esource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.