An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.
Cosign supports software artifact signing, verification, and storage in an OCI (Open Container Initiative) registry. By signing software artifacts, you can authenticate that you are who you say you are, which can in turn enable a trust root: developers who build on your software and consumers who use it can verify that you created the artifact you say you created, and that the artifact was not tampered with by a third party. As someone who may use software libraries, containers, or other artifacts as part of your development lifecycle, a signed artifact gives you greater assurance that the code or container you are incorporating comes from a trusted source.
There are a few different ways to install Cosign on your local machine or on a remote server. The approach you choose should be based on the way you set up packages, the tooling that you use, or the way that your organization recommends. We will go through several options. Please refer to the official Cosign installation documentation for additional context and updates.
Those who are running macOS locally may be familiar with Homebrew as a package manager. There is also a Linuxbrew version for those running a Linux distribution. If you are using macOS and would like to leverage a package manager, you can review the official documentation to install Homebrew to your machine.
To install Cosign with Homebrew, run the following command.
brew install cosign
To update Cosign in the future, you can run brew upgrade cosign to get the newest version.
brew upgrade cosign
Cosign is supported by the Arch Linux, Alpine Linux, and Nix package managers. On the releases page, you’ll also find .deb and .rpm packages for manual download and installation.
To install Cosign on Arch Linux, use the pacman package manager.
pacman -S cosign
If you are using Alpine Linux or an Alpine Linux image, you can add Cosign with apk.
apk add cosign
For NixOS, you can install Cosign with the following command:
nix-env -iA nixpkgs.cosign
And for NixOS Linux, you can install Cosign using nixos.cosign with the nix-env package manager.
nix-env -iA nixos.cosign
For Ubuntu and Debian distributions, check the releases page and download the latest .deb package. At the time of this writing, this would be version 1.8.0. To install the .deb file, run:
sudo dpkg -i ~/Downloads/cosign_1.8.0_amd64.deb
For CentOS and Fedora, download the latest .rpm package from the releases page and install Cosign with:
rpm -ivh cosign-1.8.0.x86_64.rpm
You can check to ensure that Cosign is successfully installed using the cosign version command following installation. When you run the command, you should receive output that indicates the version you have installed.
You may choose to install Cosign with Go if you are already working in the Go programming language. Installing with Go also works across different distributions. First, run the go version command to check that you have Go installed on your machine, and ensure that it is Go version 1.16 or later.
As long as the output indicates that you are at Go 1.16 or above, you are ready to install Cosign with Go. Your output should appear similar to the following.
go version go1.17.6 darwin/arm64
If you run into an error or don’t receive output like the above, you’ll need to install Go in order to install Cosign with Go. Navigate to the official Go website in order to download the appropriate version of Go for your machine.
With Go 1.16 or above installed, you are ready to install Cosign with Go, using the following command.
go install github.com/sigstore/cosign/cmd/cosign@latest
The resulting binary from this installation will be placed at $GOPATH/bin/cosign.
You can also use Go to install a specific release from the Cosign GitHub releases page.
At the time of writing, the newest release is v2.0.0. You can install this version with the following command.
go install github.com/sigstore/cosign/v2/cmd/cosign@v2.0.0
The resulting binary from this installation will be placed at $GOPATH/bin/cosign. Check the Cosign GitHub releases page for additional releases.
Installing Cosign from its release binary offers you greater control over your installation, but this method also requires you to manage the installation yourself. To install from the binary, check for the latest version on the releases page of the open source Cosign GitHub repository.
You can use the wget command to download the most recent binary. In our example, the release we are downloading is 2.0.0.
Next, move the Cosign binary to your bin folder.
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
Finally, update the file permissions so that the Cosign binary is executable.
sudo chmod +x /usr/local/bin/cosign
If you install from the binary, you are responsible for keeping Cosign up to date. You can always opt to switch to a package manager later to update Cosign.
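As an added example, not part of the original course material, the following shell script ties the binary installation steps together and adds the check a practitioner wants before moving a downloaded binary into /usr/local/bin: comparing its SHA-256 against the cosign_checksums.txt file published with each release. It assumes a Linux host with wget, sha256sum and sudo, and that the release assets are named cosign-linux-amd64 and cosign_checksums.txt as on the releases page.

```shell
#!/bin/sh
# Added example, not from the original page: download the Cosign 2.0.0 release
# binary and its checksum file, and verify the SHA-256 before installing.
# Assumes Linux, wget, sha256sum and sudo; asset names as on the releases page.
set -eu

COSIGN_VERSION="${COSIGN_VERSION:-2.0.0}"
ASSET="cosign-linux-amd64"
BASE_URL="https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}"

# Download the binary and the published checksum list into a directory.
fetch_release() {
  dir="$1"
  wget -q -O "$dir/$ASSET" "$BASE_URL/$ASSET"
  wget -q -O "$dir/cosign_checksums.txt" "$BASE_URL/cosign_checksums.txt"
}

# Compare the binary's SHA-256 with its entry in the checksum list
# (goreleaser format: "<sha256>  <filename>"). Returns 0 on match,
# 1 if the entry is missing or the hash differs.
verify_checksum() {
  binary="$1"; sums="$2"; name=$(basename "$binary")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
  [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
  actual=$(sha256sum "$binary" | awk '{ print $1 }')
  [ "$expected" = "$actual" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# Move the verified binary into place and make it executable (the page's steps).
install_binary() {
  binary="$1"
  dest="${2:-/usr/local/bin/cosign}"
  sudo mv "$binary" "$dest"
  sudo chmod +x "$dest"
}

main() {
  tmp=$(mktemp -d)
  fetch_release "$tmp"
  verify_checksum "$tmp/$ASSET" "$tmp/cosign_checksums.txt"
  install_binary "$tmp/$ASSET"
  cosign version
}

# Run the full flow only when RUN_INSTALL=1, so the functions can be sourced.
if [ "${RUN_INSTALL:-0}" = "1" ]; then main; fi
```

Run it with RUN_INSTALL=1 sh install-cosign.sh; a mismatch aborts before anything is moved into the bin folder.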