How to Sign Build Artifacts With Cosign Keyless in GitHub Actions
Keyless cosign signs with a short-lived certificate from Fulcio bound to your workflow OIDC identity, so no signing key lives in the repo.
Install cosign, grant id-token: write, and run cosign sign-blob with -y. Sigstore issues an ephemeral cert and records the signature in the transparency log.
Steps
- Install cosign with
sigstore/cosign-installer. - Grant
id-token: writeso cosign can request the OIDC token. - Run
cosign sign-blob -yand save the signature and certificate.
Workflow
.github/workflows/ci.yml
permissions:
id-token: write
contents: read
jobs:
sign:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: sigstore/cosign-installer@v3
- run: |
cosign sign-blob -y \
--output-signature app.sig \
--output-certificate app.pem \
./dist/app.tar.gzGotchas
- Keyless signing requires
id-token: write; without it cosign cannot get an OIDC token. - Verifiers must pass
--certificate-identityand--certificate-oidc-issuerto trust the right workflow.
Related guides
How to Generate SLSA Build Provenance in GitHub ActionsProduce signed SLSA build provenance for a release artifact in GitHub Actions with actions/attest-build-prove…
How to Verify a Provenance Attestation Before Deploy in GitHub ActionsVerify a SLSA provenance attestation in GitHub Actions with gh attestation verify before deploying, confirmin…