25 April 2023

Signing Software Artifacts With Cosign

Learn about the importance of signing software artifacts using Cosign to help secure the software supply chain.

Mario Lunato
Mario Lunato Principal Cloud Infrastructure Architect LinkedIn

In today’s world we rely heavily on software applications to perform various tasks in our daily lives. These applications are built by a vast number of developers and companies, each contributing their own code and libraries.

However, this collaborative effort can also come with risk. While it enables us to create powerful software quickly, it also increases the likelihood of malicious actors inserting vulnerabilities or malware into the codebase. These security threats can lead to software supply chain attacks, which can have disastrous consequences for both individuals and organizations. To help mitigate such attacks, it is essential to securely sign software artifacts such as release files, container images, binaries, bill of material manifests, and more. In this blog post, I will explore the importance of signing software artifacts and how it can help protect against supply chain attacks.

The Importance of Signing Software Artifacts

In recent years, software supply chain attacks have become a growing concern for both consumers and software developers. Malicious actors often target the software development process itself, attempting to inject vulnerabilities or malware into the code before it is distributed to the end user. This can happen at any point in the development and distribution process, from open-source repositories to the final product release. As a result, it’s becoming increasingly important for developers to implement security measures that can prevent these types of attacks.

There have been several high-profile supply chain attacks that caused significant damage. One example is the SolarWinds attack, which was discovered in late 2020. Hackers were able to compromise SolarWinds’ software development process, injecting malicious code into their Orion software updates. This allowed them to gain access to a variety of high-profile targets, including multiple U.S. government agencies.

Another recent example is the Codecov attack in April 2021. In this case, attackers were able to compromise the software development pipeline of Codecov, a popular software auditing tool. This allowed them to gain access to sensitive data from thousands of companies that used the tool, potentially exposing them to further attacks. These attacks highlight the need for secure software development practices.

What Is Cosign?

Cosign is an open-source tool developed by the Sigstore project that provides a simple and secure way to sign software artifacts. By signing these artifacts, developers can help prevent software supply chain attacks and ensure the integrity and authenticity of their software. Cosign provides an easy-to-use command-line interface and integrates with popular container image registries, making it a powerful tool for any developer looking to secure their software supply chain.

One of the key features of Cosign is the ability to sign container images using keys that are stored in hardware security modules (HSMs) or cloud-based key management services, such as Amazon Web Services (AWS) Key Management Service (KMS) or Google Cloud KMS. This allows organizations to ensure that their private keys are stored securely and are not exposed to potential attackers.

With the increasing reliance on third-party components and cloud-based services, software supply chain security has become a critical concern for organizations of all sizes. Cosign aims to provide a simple and effective way to establish trust in software artifacts by providing a way to sign and verify their authenticity. By using Cosign to sign container images, developers can ensure that the images they distribute have not been tampered with or modified and that they can be trusted by the end users. Overall, Cosign is a powerful tool that can help organizations of all sizes improve their software supply chain security, and ensure that the software they build and distribute is trustworthy and secure.

The Benefits of Using Cosign

Using Cosign to secure your software supply chain offers several benefits, including:

Enhanced security: Cosign provides a tamper-proof record of your software artifact’s authenticity and integrity, making it more difficult for attackers to compromise them.

Improved trust: By using Cosign to sign and verify your artifacts, you can build greater trust with your customers and partners, who will have greater confidence in the security of the software you provide.

Simplified compliance: Cosign can help organizations meet the Secure Software Development Lifecycle (SSDL) requirements for compliance, particularly the Supply Chain Levels for Software Artifacts (SLSA) framework. SLSA is an industry-led framework that provides guidelines for ensuring the security and integrity of software supply chains. By using Cosign to sign software artifacts, organizations can establish a secure and verifiable chain of trust, which is a key component of the SLSA compliance framework. Cosign is an easy-to-use solution for implementing secure signing workflows that can satisfy compliance requirements.

Keyless Signing with Cosign

One of the critical features of Cosign is its ability to perform keyless signing, eliminating the need for a key pair to sign artifacts. Keyless signing is a significant improvement over traditional signing methods because it provides enhanced security and protection against key theft or compromise.

Traditionally, signing software artifacts requires the use of a private key, which must be securely stored and managed to prevent unauthorized access. However, this can be a challenging task for organizations, particularly when managing large numbers of container images or distributing software across multiple environments.

Keyless signing simplifies the signing process by removing the need to manage and protect private keys. Instead, Cosign uses ephemeral keys and certificates, which are automatically signed by the Fulcio certificate authority. The Rekor transparency log stores signatures and provides a tamper-resistant ledger of all signed artifacts. This approach provides a secure and transparent way to sign container images without the need for a private key.

Using keyless signing with Cosign simplifies the signing process and enhances security by eliminating the risk of key theft or compromise. Using a publicly-trusted certificate authority like Fulcio builds additional trust and confidence in the authenticity and integrity of signed container images. Overall, keyless signing is a powerful feature that can help organizations improve the security and reliability of their software supply chain.


The importance of software supply chain security cannot be overstated. With the increase in cyber attacks and data breaches, it is essential to take proactive measures to protect our software systems. One such measure is the use of digital signatures to verify the integrity and authenticity of software artifacts.

This is where Cosign from Sigstore comes in. Cosign uses cryptographic keys to create digital signatures that can be verified by anyone, anywhere, and at any time. With Cosign, you can be sure that the software you are using is genuine and has not been tampered with.

Cosign’s keyless signing makes it so that you can sign software artifacts without the need for a private key, making it more secure and convenient. Cosign provides a transparent and secure way to sign software artifacts, and it can be easily integrated into your software development workflow.

Interested in learning more? Check out my experience demoing Cosign, where I explore how to use Cosign to sign container images using a locally generated key pair and a key pair from AWS KMS.

If you have any questions, or would like to discuss this topic in more detail, feel free to contact us and we would be happy to schedule some time to chat about how Aquia can help you and your organization.


Security Supply Chain Risk