In this tutorial, you’ll install Sigstore’s Cosign binary, verify your setup, generate a key pair for signing OCI artifacts, and configure Flux CD to use the Cosign public key. By following these steps, you’ll enable secure supply chain workflows for container images.

Verify Cosign Is Not Installed

First, confirm Cosign isn’t already available:
root@host:~# cosign version
bash: cosign: command not found
Seeing command not found means Cosign isn’t installed. Continue to the installation methods below.

Installation Options

Cosign is part of the Sigstore project. Choose the method that best fits your environment:
Method              Use Case                   Example Command
Standalone Binary   Quick install on Linux     Download, move to PATH, set executable
RPM Package         RPM-based Linux distros    sudo rpm -Uvh cosign-*.rpm
DEB Package         Debian/Ubuntu systems      sudo dpkg -i cosign_*.deb

1. Standalone Binary

# Download the Cosign binary
wget "https://github.com/sigstore/cosign/releases/download/v2.0.0/cosign-linux-amd64"

# Move into your PATH and make executable
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign

2. RPM Package

wget "https://github.com/sigstore/cosign/releases/download/v2.0.0/cosign-2.0.0.x86_64.rpm"
sudo rpm -Uvh cosign-2.0.0.x86_64.rpm

3. DEB Package

wget "https://github.com/sigstore/cosign/releases/download/v2.0.0/cosign_2.0.0_amd64.deb"
sudo dpkg -i cosign_2.0.0_amd64.deb
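All three methods above fetch an asset over HTTPS and install it without checking that the bytes match what the Cosign release actually published. The script below is an added example, not part of the original tutorial or the Cosign project: it compares a downloaded asset against the SHA-256 list that accompanies the release and only installs when the digest matches. The checksum file name (cosign_checksums.txt) and the release URL are assumptions; the offline demonstration at the end works on constructed files so it runs without network access.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify a downloaded Cosign release
# asset against the release's SHA-256 list before installing it.
# Assumption: the release publishes "cosign_checksums.txt" in goreleaser
# format, one "<hex digest>  <file name>" entry per line.

RELEASE_BASE="https://github.com/sigstore/cosign/releases/download/v2.0.0"

# verify_release_checksum FILE CHECKSUMS
# Returns 0 when the SHA-256 of FILE matches the entry for its basename in
# CHECKSUMS, 1 when the entry is missing or the digest differs.
verify_release_checksum() {
  file="$1"
  sums="$2"
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# install_cosign DIR: download the binary and the checksum list into DIR and
# install the binary only after the digest check passes. Needs network and
# sudo, so it is defined here but not run by the demonstration below.
install_cosign() {
  dir="$1"
  wget -q -P "$dir" "$RELEASE_BASE/cosign-linux-amd64" \
    "$RELEASE_BASE/cosign_checksums.txt" || return 1
  verify_release_checksum "$dir/cosign-linux-amd64" "$dir/cosign_checksums.txt" || return 1
  sudo install -m 0755 "$dir/cosign-linux-amd64" /usr/local/bin/cosign
}

# Offline demonstration on constructed files: a matching digest passes, and
# appending a single byte to the "binary" makes the check fail.
demo_checksum_check() {
  tmp=$(mktemp -d)
  printf 'not a real binary, constructed for the demo\n' > "$tmp/cosign-linux-amd64"
  (cd "$tmp" && sha256sum cosign-linux-amd64 > cosign_checksums.txt)
  if verify_release_checksum "$tmp/cosign-linux-amd64" "$tmp/cosign_checksums.txt"; then
    ok=0
  else
    ok=1
  fi
  printf 'x' >> "$tmp/cosign-linux-amd64"
  if verify_release_checksum "$tmp/cosign-linux-amd64" "$tmp/cosign_checksums.txt" 2>/dev/null; then
    bad=0
  else
    bad=1
  fi
  rm -rf "$tmp"
  [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo_checksum_check && echo "checksum check rejects a tampered download"
```

A checksum list downloaded from the same place as the binary only protects against a corrupted or partially swapped transfer; it is still worth doing because it is cheap, and once a trusted Cosign is on the host its own release signatures can be checked for the next upgrade.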

Verify Installation

After installation, check your Cosign version:
root@host:~# cosign version
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion:    v2.0.0
GitCommit:     d6b9001f8e6ed745fb845849d623274c897d55f2
BuildDate:     2023-02-23T19:26:35Z
GoVersion:     go1.20.1
Compiler:      gc
Platform:      linux/amd64
Ensure you install v2.0.0 or later for full compatibility with Flux CD’s image verification features.

Generate a Cosign Key Pair

Create an asymmetric key pair to sign your OCI artifacts:
root@host:~# cosign generate-key-pair
Enter password for private key:
Enter password for private key again:
Private key written to cosign.key
Public key written to cosign.pub
Verify the files:
root@host:~# ls cosign.*
cosign.key  cosign.pub
Keep your private key (cosign.key) secure and never commit it to version control. Remember your password—it’s required for signing and verification.

Configure Flux CD with the Public Key

To enable Flux CD to verify image signatures, store the public key as a Kubernetes Secret in the flux-system namespace:
root@host:~# kubectl -n flux-system create secret generic cosign-pub \
  --from-file=cosign.pub=cosign.pub
secret/cosign-pub created
Flux will automatically fetch this key and validate any signed OCI artifacts during reconciliation.
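The Secret alone does not switch verification on: Flux checks signatures only for sources whose spec references the key. The manifest below is an added example, not taken from the tutorial or from the Flux project, showing an OCIRepository that reconciles an artifact and requires a valid Cosign signature made with the key stored in cosign-pub. The artifact URL and tag are placeholders; the secretRef name matches the Secret created above, and the Secret's key must end in .pub, which the create command above already ensures.

```yaml
# Added example (not from the tutorial): OCIRepository that fails reconciliation
# unless the fetched artifact carries a Cosign signature verifiable with the
# public key(s) stored in Secret flux-system/cosign-pub.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: app-manifests          # placeholder name
  namespace: flux-system
spec:
  interval: 5m
  url: oci://ghcr.io/example/app-manifests   # placeholder artifact URL
  ref:
    tag: v1.0.0                # placeholder tag
  verify:
    provider: cosign
    secretRef:
      name: cosign-pub         # the Secret created with kubectl above
```

With this in place an unsigned artifact, or one signed with a different key, leaves the OCIRepository in a not-ready state and nothing downstream of it (Kustomization, HelmRelease) is applied; the failure reason shows up in the resource's conditions and in the source-controller logs.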

Next Steps

  1. Build and push an OCI artifact (e.g., container image).
  2. Sign the image using Cosign.
  3. Observe Flux CD verifying the signature in your cluster.
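Steps 2 and 3 above as commands, in an added example that is not part of the tutorial or the Cosign project. It wraps `cosign sign --key cosign.key` and `cosign verify --key cosign.pub` with a guard that refuses to sign anything not pinned to a manifest digest, because a signature over a tag binds only to whatever the tag happened to point at when it was signed. The image reference is a placeholder; `cosign.key` and `cosign.pub` are the files generated above, and Cosign reads the key password from the COSIGN_PASSWORD environment variable when it is set. The sign and verify functions need a registry and are defined but not invoked; the digest guard is exercised on constructed references.

```shell
#!/bin/sh
# Added example (not from the tutorial): sign a pushed image by digest with the
# generated private key and verify it with the public key.

# is_digest_ref REF: true when REF is pinned to a manifest digest, i.e. it has
# the form registry/repository@sha256:<64 hex chars>.
is_digest_ref() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# sign_image REF: sign REF with cosign.key; refuses mutable tag references.
# --yes skips Cosign's interactive confirmation prompts; the key password is
# taken from COSIGN_PASSWORD if exported, otherwise Cosign prompts for it.
sign_image() {
  ref="$1"
  if ! is_digest_ref "$ref"; then
    echo "refusing to sign a tag reference, pin to a digest first: $ref" >&2
    return 1
  fi
  cosign sign --yes --key cosign.key "$ref"
}

# verify_image REF: exit 0 only if a signature made with the private key that
# matches cosign.pub exists for REF in the registry.
verify_image() {
  cosign verify --key cosign.pub "$1"
}

# Constructed references for demonstration (placeholder registry and digest).
GOOD_REF="ghcr.io/example/app@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
TAG_REF="ghcr.io/example/app:latest"

is_digest_ref "$GOOD_REF" && echo "digest reference accepted for signing"
is_digest_ref "$TAG_REF" || echo "tag reference rejected: $TAG_REF"
# Real usage, once the image is pushed and the key password is available:
#   sign_image "$GOOD_REF" && verify_image "$GOOD_REF"
```

After `verify_image` succeeds locally, Flux performs the same check in-cluster with the public key from the Secret, so a local verification failure is the fastest way to see why a source stays not-ready.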
