cosign
Artifact Management
A tool for signing and verifying OCI container images and other artifacts using Sigstore's keyless signing infrastructure
Go · Latest v3.0.6 · 1mo ago
Features
- Keyless signing with Fulcio CA and Rekor transparency log
- Supports hardware, KMS, and self-generated key pairs
- Sign, verify, and store signatures in OCI registries
- Bring-your-own PKI integration
v3.0.6 · Mixed
Security fixes
- Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6)
Notable features
- Add support for GCE metadata server env var
- Support managed keys in conformance testing
- Support key creation in GitLab group
v2.6.3 · Security relevant
Security fixes
- Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6)
v3.0.5 · Mixed
Security fixes
- Low-severity advisory for private PKIs (GHSA-wfqv-66vq-46rm)
Notable features
- Automatically require signed timestamp with Rekor v2 entries
- Allow --local-image with --new-bundle-format for v2 and v3 signatures
- Add mTLS support for TSA client connections
v3.0.4 · Security relevant
Security fixes
- Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m)
Notable features
- Optimize cosign tree performance by caching digest resolution
- Don't require a trusted root to verify offline with a key
- Support default services for trusted-root and signing-config creation
v2.6.2 · Security relevant
Security fixes
- Fix bundle verify path for old bundle/trusted root (GHSA-whqx-f9j3-ch6m)
About
Languages: Go · Shell · Makefile