sigstore/cosign-installer: Install Cosign to Sign Images
cosign-installer puts the Cosign CLI on the runner so you can sign and verify images.
After installing Cosign, sign images keylessly using the workflow OIDC identity (no key management). Consumers verify signatures against the Sigstore transparency log.
Key inputs (with:)
- cosign-release: pin a Cosign version to install.
- install-dir: where to place the binary.
Example workflow
.github/workflows/ci.yml
jobs:
sign:
runs-on: ubuntu-latest
permissions:
id-token: write
packages: write
steps:
- uses: sigstore/cosign-installer@v3
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- run: cosign sign --yes ghcr.io/${{ github.repository }}:latestOn any runner
This action runs on any runner. Latchkey managed runners run it unchanged.
Key takeaways
- Keyless signing uses the workflow OIDC identity (id-token: write).
- Install Cosign, then sign after pushing the image.
- Pairs naturally with build provenance attestations.
Related guides
actions/attest-build-provenance: Sign Build ProvenanceReference for actions/attest-build-provenance: generate signed SLSA build provenance attestations for your ar…
docker/build-push-action: Build & Push Images in CIReference for docker/build-push-action: build a Docker image with BuildKit and push it to a registry, with ta…
docker/login-action: Authenticate to a RegistryReference for docker/login-action: log in to Docker Hub, GHCR, ECR, or any registry before pushing images, wi…