# Install cosign with Homebrew, apk, apt, MacPorts, Nix, pacman, scoop, winget, zypper

Container Signing. Version 3.1.1 via Homebrew; verified 2026-06-09.

## Install

```sh
sudo av install brew:cosign
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install cosign
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install cosign
```

  Evidence: MacPorts ports tree: security/cosign/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add cosign
```

  Evidence: Alpine Linux edge package indexes: cosign from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install cosign
```

  Evidence: Debian stable package indexes: cosign from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- Nix (92%):

```sh
nix profile install nixpkgs#cosign
```

  Evidence: nixpkgs package indexes: pkgs/by-name/co/cosign/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S cosign
```

  Evidence: Arch Linux sync databases: cosign from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install cosign
```

  Evidence: openSUSE Tumbleweed package metadata: cosign from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Scoop (92%):

```sh
scoop install main/cosign
```

  Evidence: Scoop official bucket manifest trees: bucket/cosign.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id Sigstore.Cosign -e
```

  Evidence: Windows Package Manager source index: Sigstore.Cosign from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:cosign
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/cosign>
- **Version:** 3.1.1
- **Source summary:** Container Signing
- **Homepage:** <https://github.com/sigstore/cosign>
- **Repository:** <https://github.com/sigstore/cosign>
- **Upstream docs:** <https://docs.sigstore.dev/cosign>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/sigstore/cosign.git>
- **Last updated:** 2026-06-09T18:09:12Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- cosign (cli)
- cosign (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 3.1.1
- Package-manager updated: 2026-06-09
- Local data: ok
- Upstream repository: https://github.com/sigstore/cosign
- info: No cached GitHub release or tag data was available.
## Project history and usage

cosign is Sigstore's command-line signing and verification tool for OCI containers, blobs, and other artifacts. It helped make software-supply-chain signing a normal packaging and CI concern by combining artifact signatures, OIDC identities, Fulcio certificates, Rekor transparency logging, and registry-native storage.

### Project history

The sigstore/cosign repository was created in February 2021 and published early releases the following month. The README describes cosign as part of the Sigstore project and frames its goal as making signatures invisible infrastructure, which matches its role as the user-facing CLI for Sigstore signing workflows.

### Adoption history

cosign spread through container and release pipelines because it supports keyless signing by default while still allowing hardware, KMS, generated key pairs, and bring-your-own PKI. Official installation docs and package metadata show it distributed through common developer package channels including Homebrew, Linux distributions, Nix, Scoop, and winget.

### How it is used

Common package-nerd usage is to sign images by digest, verify images against expected OIDC identity and issuer values, sign or verify blobs, and publish signatures or attestations alongside artifacts in OCI registries. The README also documents offline verification and generic artifact upload flows.

### Why package nerds care

cosign matters to package ecosystems because it turns artifact authenticity into a reproducible command-line step. It is often used by maintainers and downstream packagers to verify upstream release assets, container images, SBOMs, and attestations without each project inventing a bespoke signing scheme.

### Timeline

- 2021: sigstore/cosign repository created and first GitHub releases published.
- 2023: Public GCS release bucket deprecation notice moved users toward GitHub release assets.
- 2026: The repository remained active with v2-series maintenance and ongoing work toward future Sigstore Go based development.

### Related projects

- Sigstore, Fulcio, Rekor, sigstore-go, OCI registries, in-toto attestations.

### Sources

- <https://github.com/sigstore/cosign>
- <https://docs.sigstore.dev/cosign/>
- <https://api.github.com/repos/sigstore/cosign>
- <https://api.github.com/repos/sigstore/cosign/releases?per_page=100>


## Security Notes

infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- infrastructure mutation or orchestration signal

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** cosign
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - cosign - 2.5.0-2+b4: normalized package name match | Debian stable package indexes: cosign from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Code signing/transparency for containers and binaries (program) | https://github.com/sigstore/cosign
- Debian apt - golang-github-sigstore-cosign-dev - 2.5.0-2: normalized package name match | Debian stable package indexes: golang-github-sigstore-cosign-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Code signing/transparency for containers and binaries (library) | https://github.com/sigstore/cosign
- Nix - cosign: normalized package name match | nixpkgs package indexes: pkgs/by-name/co/cosign/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - cosign - 3.0.6-r1: normalized package name match | Alpine Linux edge package indexes: cosign from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | container signing tool with support for ephemeral keys and Sigstore signing | https://github.com/sigstore/cosign
- apk - cosign-bash-completion - 3.0.6-r1: normalized package name match | Alpine Linux edge package indexes: cosign-bash-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Bash completions for cosign | https://github.com/sigstore/cosign
- apk - cosign-fish-completion - 3.0.6-r1: normalized package name match | Alpine Linux edge package indexes: cosign-fish-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Fish completions for cosign | https://github.com/sigstore/cosign
- apk - cosign-zsh-completion - 3.0.6-r1: normalized package name match | Alpine Linux edge package indexes: cosign-zsh-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Zsh completions for cosign | https://github.com/sigstore/cosign
- pacman - cosign - 3.0.6-1: normalized package name match | Arch Linux sync databases: cosign from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Container Signing with support for ephemeral keys and Sigstore signing | https://github.com/sigstore/cosign
- zypper - cosign - 3.0.6-1.1: normalized package name match | openSUSE Tumbleweed package metadata: cosign from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Container Signing, Verification and Storage in an OCI registry | https://github.com/sigstore/cosign
- zypper - cosign-bash-completion - 3.0.6-1.1: normalized package name match | openSUSE Tumbleweed package metadata: cosign-bash-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Bash Completion for cosign | https://github.com/sigstore/cosign
- zypper - cosign-fish-completion - 3.0.6-1.1: normalized package name match | openSUSE Tumbleweed package metadata: cosign-fish-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Fish Completion for cosign | https://github.com/sigstore/cosign
- zypper - cosign-zsh-completion - 3.0.6-1.1: normalized package name match | openSUSE Tumbleweed package metadata: cosign-zsh-completion from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Zsh Completion for cosign | https://github.com/sigstore/cosign
- MacPorts - cosign: normalized package name match | MacPorts ports tree: security/cosign/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Scoop - main/cosign: normalized package name match | Scoop official bucket manifest trees: bucket/cosign.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
- winget - Sigstore.Cosign: normalized package name match | Windows Package Manager source index: Sigstore.Cosign from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [gitsign](https://www.automicvault.com/pkg/brew/gitsign/) - Shares av.db curated category or tags: cli, security, sigstore, software-supply-chain, supply-chain-security.
- [rekor-cli](https://www.automicvault.com/pkg/brew/rekor-cli/) - Shares av.db curated category or tags: cli, security, sigstore, software-supply-chain, supply-chain-security.
- [sigstore](https://www.automicvault.com/pkg/brew/sigstore/) - Shares av.db curated category or tags: cli, security, sigstore, software-supply-chain, supply-chain-security.
- [gittuf](https://www.automicvault.com/pkg/brew/gittuf/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [notation](https://www.automicvault.com/pkg/brew/notation/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [poutine](https://www.automicvault.com/pkg/brew/poutine/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [safety](https://www.automicvault.com/pkg/brew/safety/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [bom](https://www.automicvault.com/pkg/brew/bom/) - Shares av.db curated category or tags: cli, security, software-supply-chain.
- [syft](https://www.automicvault.com/pkg/brew/syft/) - Security-sensitive metadata or terminology overlaps. Shared terms: chain, cli, container, security, software-supply-chain.

## Combined YAML source

View the package source record on GitHub. [combined/cosign.yml](https://github.com/automic-vault/db/blob/main/combined/cosign.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
