Versions:

  • 3.0.6
  • 3.0.5
  • 3.0.4
  • 3.0.3
  • 3.0.2
  • 3.0.1
  • 2.6.1
  • 2.6.0
  • 2.5.3
  • 2.5.2
  • 2.5.1
  • 2.5.0
  • 2.4.3
  • 2.4.2
  • 2.4.1
  • 2.4.0
  • 2.3.0

Cosign by Sigstore is a security-oriented utility that cryptographically signs container images and compiled binaries, then submits the resulting signatures and metadata to a public, append-only transparency log. Operating within the DevSecOps toolchain, the program enables engineers to attach verifiable identity information to artifacts stored in registries such as Docker Hub, Google Container Registry, or an internal Harbor instance; later, runtime admission controllers, policy engines, or end users can query the same log to confirm that the image they are about to deploy matches the publisher’s original bits and has not been tampered with. Typical use cases include signing release artifacts as part of a GitHub Actions workflow, enforcing “sign-before-deploy” rules in Kubernetes clusters through Cosign’s JSON-based attestations, and giving open-source projects a no-cost alternative to traditional X.509 certificate hierarchies. Because signatures are stored as regular OCI artifacts beside the images they reference, no extra infrastructure is required beyond access to the Sigstore public-good transparency service. The application is currently offered at version 3.0.6, the newest milestone in a sequence that has already produced seventeen numbered releases, each incrementally adding support for additional key formats, improved OIDC integration, and stronger revocation semantics. Cosign falls under the Security & Privacy category of development utilities and is distributed as a single self-contained binary for Windows, Linux, and macOS. The software is available for free on get.nero.com; downloads are provided through trusted Windows package sources such as winget, which always deliver the latest version and support batch installation of multiple applications.

Tags: