Skip to content
Latchkey

How to Sign a Container Image with Cosign in GitHub Actions

Keyless cosign signs an image against your workflow identity, with no key to manage.

Install cosign, push the image, then run cosign sign with id-token: write. Sigstore records the signature with your OIDC identity.

Steps

  • Install cosign with sigstore/cosign-installer.
  • Grant id-token: write and packages: write permissions.
  • Sign the pushed image by digest with COSIGN_EXPERIMENTAL=1.

Workflow

.github/workflows/sign.yml
permissions:
  id-token: write
  packages: write
jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: sigstore/cosign-installer@v3
      - id: build
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:latest
      - run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}

Gotchas

  • Sign by digest, not by tag; a tag can be repointed at a different image.
  • Verify with cosign verify and the expected workflow identity in your deploy gate.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →