
Sign Docker images with cosign

Sign your Docker images after they're pushed.

Config

docker_signs:
  - artifacts: all
    cmd: cosign
    args: ["sign", "--key=cosign.key", "${artifact}"]

Docker sign config fields

id (string)
    Unique identifier for this docker sign config (referenced by ids filters elsewhere).

artifacts (string, default: "")
    Which Docker artifacts to sign: all, images, manifests, none, or "" (empty, the default, signs the canonical Docker images). The singular image / manifest are not accepted and hard-error at release time.

cmd (string, default: cosign)
    Signing command to invoke.

args (list)
    Arguments passed to the signing command. Templates supported.

signature (string, default: auto)
    Signature output filename template. Templates supported.

certificate (string)
    Certificate file to embed in the signature (Cosign bundle signing).

ids (list, default: all)
    Only sign images from docker configs whose id is in this list.

stdin (string)
    Literal content written to the signing command's stdin (e.g. a passphrase).

stdin_file (string)
    Path to a file whose content is written to the signing command's stdin.

env (list)
    Environment variables passed to the signing command (KEY=VALUE strings).

output (bool, default: false)
    Capture and log the signing command's stdout/stderr.

if (string)
    Template-conditional: skip this config when the rendered result is false or empty.
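The fields above combined into a fuller signing config, as an added example rather than the project's own documentation: the key passphrase is supplied on stdin instead of the command line, signing is limited to one docker config and skipped for snapshot builds. The docker config id "app" and the environment variable name COSIGN_PASSWORD are hypothetical, and the {{ .Env.* }} / {{ .IsSnapshot }} template expressions are assumed from GoReleaser's general templating.

```yaml
# Added example config (not from the original page).
docker_signs:
  - id: key-signed-images
    # Sign only the images (not manifests) built by the docker config with id "app" (hypothetical id).
    artifacts: images
    ids: [app]
    cmd: cosign
    # --yes skips cosign's interactive confirmation; ${artifact} is the image reference being signed.
    args: ["sign", "--key=cosign.key", "--yes", "${artifact}"]
    # Feed the private-key passphrase via stdin so it never appears in process arguments or logs.
    # COSIGN_PASSWORD is an assumed env var name; the template form is assumed from GoReleaser templating.
    stdin: "{{ .Env.COSIGN_PASSWORD }}"
    # Keep cosign's output in the release log so a failed or skipped signature is visible.
    output: true
    # Only sign real releases; .IsSnapshot is assumed from GoReleaser's template fields.
    if: "{{ not .IsSnapshot }}"
```

Consumers can then check a pushed image with `cosign verify --key cosign.pub <image>`, using the public half of the key pair.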