Skip to content
Latchkey

How to Sign Build Artifacts With Cosign Keyless in GitHub Actions

Keyless cosign signs with a short-lived certificate from Fulcio bound to your workflow OIDC identity, so no signing key lives in the repo.

Install cosign, grant id-token: write, and run cosign sign-blob with -y. Sigstore issues an ephemeral cert and records the signature in the transparency log.

Steps

  • Install cosign with sigstore/cosign-installer.
  • Grant id-token: write so cosign can request the OIDC token.
  • Run cosign sign-blob -y and save the signature and certificate.

Workflow

.github/workflows/ci.yml
permissions:
  id-token: write
  contents: read
jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
      - run: |
          cosign sign-blob -y \
            --output-signature app.sig \
            --output-certificate app.pem \
            ./dist/app.tar.gz

Gotchas

  • Keyless signing requires id-token: write; without it cosign cannot get an OIDC token.
  • Verifiers must pass --certificate-identity and --certificate-oidc-issuer to trust the right workflow.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →