
Signing images

You can sign images and verify signatures with cosign.

To install cosign on a Mac or Linux system:

brew install cosign


Since cosign uses docker's registry login under the hood, you first have to sign in to the registry with docker, using your GitHub personal access token (PAT) as the password.

$ docker login -u <GitHub-account> opcr.io
Password:
Login Succeeded

Initialize cosign

Initialize cosign and create a key pair:

$ cosign initialize
$ cosign generate-key-pair
Enter password for private key:
Enter again:
Private key written to cosign.key
Public key written to

Signing an image


You can only sign images that have been pushed to an OCI-compliant registry. If you haven't yet, issue a policy push on your policy image before signing it.

Sign the container image using the private key:

$ cosign sign -key cosign.key
Enter password for private key:
Pushing signature to:

Verifying the signature

Verify the signature using the public key:

$ cosign verify -key
Verification for --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
[{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481"},"type":"cosign container image signature"},"optional":null}]
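A successful verify only proves that some signature over the image checked out; a deployment script should also confirm that the signed manifest digest is the exact digest it is about to run. The following is an added example (not part of this page or the cosign project) that parses the JSON printed by the verify command above and pins it to an expected digest; it assumes the `-key` flag form shown on this page and uses the page's digest as constructed sample input.

```shell
#!/bin/sh
# Added example: pin a cosign verification result to an expected manifest digest.
# cosign verify prints its JSON result on stdout and the check summary on stderr,
# so capturing stdout is enough to get the signature claims.

# Print the docker-manifest-digest of every signature in a cosign verify JSON array.
extract_digests() {
  # $1: the JSON array printed by `cosign verify`
  printf '%s\n' "$1" \
    | grep -o '"docker-manifest-digest":"sha256:[0-9a-f]\{64\}"' \
    | sed 's/.*"sha256:/sha256:/; s/"$//'
}

# Return 0 only if at least one verified signature covers the expected digest.
digest_is_signed() {
  expected="$1"
  output="$2"
  extract_digests "$output" | grep -qx "$expected"
}

# Run cosign verify for an image and require the result to match the digest
# you intend to deploy. Usage: verify_pinned <image-ref> <cosign.pub> <sha256:...>
verify_pinned() {
  image="$1"
  key="$2"
  expected="$3"
  out=$(cosign verify -key "$key" "$image") || return 1
  digest_is_signed "$expected" "$out"
}

# Constructed sample: the verify output shown on this page (digest copied from it).
SAMPLE_OUTPUT='[{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481"},"type":"cosign container image signature"},"optional":null}]'
EXPECTED_DIGEST='sha256:05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481'
```

Call verify_pinned with the image reference, public key path and the digest from your lock file; a non-zero exit means either the signature did not verify or it covers a different image than the one you pinned.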