Skip to content
Latchkey

sigstore/cosign-installer: Install Cosign to Sign Images

cosign-installer puts the Cosign CLI on the runner so you can sign and verify images.

After installing Cosign, sign images keylessly using the workflow OIDC identity (no key management). Consumers verify signatures against the Sigstore transparency log.

Key inputs (with:)

  • cosign-release: pin a Cosign version to install.
  • install-dir: where to place the binary.

Example workflow

.github/workflows/ci.yml
jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      packages: write
    steps:
      - uses: sigstore/cosign-installer@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: cosign sign --yes ghcr.io/${{ github.repository }}:latest

On any runner

This action runs on any runner. Latchkey managed runners run it unchanged.

Key takeaways

  • Keyless signing uses the workflow OIDC identity (id-token: write).
  • Install Cosign, then sign after pushing the image.
  • Pairs naturally with build provenance attestations.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →