cosign

Code signing and transparency for containers and binaries

6.1k · emerging · Go · Apache License 2.0

The Lens

Cosign signs and verifies container images and other artifacts, so you can prove that what you're deploying is what your pipeline actually built. It's part of Sigstore, a Linux Foundation project, and it makes signing painless with keyless signing tied to your CI's identity. Free and open source.

The killer feature is keyless: instead of managing signing keys, Cosign uses short-lived certificates tied to an OIDC identity, your GitHub Actions workflow for example, and logs signatures to a public transparency log. You run the binary in CI to sign on build and verify on deploy. Setup is minimal once your CI identity is wired in.

This is fully free with no paid tier. It's become the default for software supply chain signing, and it's what admission controllers like Kyverno and Gatekeeper check against to enforce that only signed images run. Any team shipping containers should be signing them, and this is how.

The catch: signing is the easy half. The value only lands when something verifies the signatures and blocks unsigned artifacts, and that means wiring verification into your deploy path or cluster admission. A signature nobody checks is just metadata.

Free vs Self-Hosted vs Paid

fully free

Self-hosted (free): Cosign under Apache-2.0, part of Sigstore (Linux Foundation). Signs and verifies container images and artifacts. Keyless signing uses short-lived certificates tied to an OIDC identity and a public transparency log, so there are no signing keys to manage.

Commercial: None. It's a foundation project with no paid tier.

The call: The default for container signing. Pairs with Kyverno or Gatekeeper to enforce that only signed images run.

Completely free and open source, part of the Linux Foundation's Sigstore project.

Self-hosting ops: moderate

Score: 61/100 · B

Adoption: 21/30
Maintenance: 10/25
Community: 5/20
License: 15/15
Analysis: 10/10

About

Owner: sigstore (Organization)
Stars: 6,092
Forks: 761
