
cosign
Code signing and transparency for containers and binaries
The Lens
Cosign signs and verifies container images and other artifacts, so you can prove that what you're deploying is what your pipeline actually built. It's part of Sigstore, a Linux Foundation project, and it makes signing painless with keyless signing tied to your CI's identity. Free and open source.
The killer feature is keyless: instead of managing signing keys, Cosign uses short-lived certificates tied to an OIDC identity, your GitHub Actions workflow for example, and logs signatures to a public transparency log. You run the binary in CI to sign on build and verify on deploy. Setup is minimal once your CI identity is wired in.
This is fully free with no paid tier. It's become the default for software supply chain signing, and it's what admission controllers like Kyverno and Gatekeeper check against to enforce that only signed images run. Any team shipping containers should be signing them, and this is how.
The catch: signing is the easy half. The value only lands when something verifies the signatures and blocks unsigned artifacts, and that means wiring verification into your deploy path or cluster admission. A signature nobody checks is just metadata.
Free vs Self-Hosted vs Paid
fully free
Self-hosted (free): Cosign under Apache-2.0, part of Sigstore (Linux Foundation). Signs and verifies container images and artifacts. Keyless signing uses short-lived certificates tied to an OIDC identity and a public transparency log, so there are no signing keys to manage.
Commercial: None. It's a foundation project with no paid tier.
The call: The default for container signing. Pairs with Kyverno or Gatekeeper to enforce that only signed images run.
Completely free and open source, part of the Linux Foundation's Sigstore project.
About
- Owner: sigstore (Organization)
- Stars: 6,092
- Forks: 761