cosign

sigstore·Sigstore.Cosign

Code signing and transparency for containers and binaries

winget install --id Sigstore.Cosign --exact --source winget

Latest 3.1.1·June 9, 2026

Release Notes

What's Changed Note: v3.1.0 was skipped due to a bug in our release pipeline. v3.1.1 is identical to v3.1.0 This release deprecates a number of flags related to verification material input for trust root material, as well as the bundle format, standardized across Sigstore SDKs, which is now the default output and input for signing and verifying respectively. You may continue to use the deprecated flags with Cosign v3.x releases. The deprecated flags will be removed in a future Cosign v4 release. This release also updates the signing path for logging to Rekor v2. DSSE attestations will be logged as hashed entries, using the DSSE's pre-auth encoding (PAE). This should unblock developers who want to upload large signed DSSEs such as SBOMs.

  • Initialize PKCS11 slots Before Getting Token Info in #4803
  • Sign exclusively via sigstore-go in #4618
  • bundle create: Prevent IgnoreTlog when bundle contains SET in #4829
  • Require bundle output or registry upload in #4785
  • fix(load): pass NameOptions to name.ParseReference in #4786
  • fix: honor --digestAlg when hashing a blob in verify-blob-attestation in #4813
  • Deprecate Flags for v4: Certificates in #4822
  • Deprecate flags signing config in #4844
  • Deprecate flags bundle in #4838
  • Fix typo in map of verify command fields unsupported for new bundle format in #4853
  • Add bundle upgrade command in #4820
  • Deprecate Flags for v4 in #4854
  • fix: close file descriptor leaked in WriteSignedImageIndexImages loop in #4869
  • fix: use Header.Set to prevent duplicate Authorization on retry in #4870
  • feat(cli): add Rekor v2 flag to cosign signing-config create in #4868
  • Fix crash verifying timestamps when no timestamp was verified in #4881
  • Deprecate Flags for v4: OCI Referrers in #4804
  • Use the configured Target Repository more consistently in #4836
  • fix: check HTTP status code in LoadFileOrURL in #4877
  • Fix unsafe type assertion in Rego policy evaluation by in #4882
  • Fix Ed25519ph check to respect custom signing configs in sign-blob in #4880
  • Enable initialize command output in conformance in #4892
  • verify: return TUF errors for new bundle trusted roots in #4878
  • Deprecate subcommands in #4894
  • Remove docstring references to deprecated flags in #4910
  • fix(verify): Attach detached certificates to static signatures via wrapped verifier in #4737
  • fix(verify): copy CheckOpts inside VerifyNewBundle to fix data race in #4917
  • Update sigstore-go to v1.2.0 in #4914 Full Changelog: v3.0.6...v3.1.1

Installer type: portable

ArchitectureScopeDownloadSHA256
x64Download9D2C026E667BFD979FA7BA1CAB8C4B24D2E73F336EC2D57F7FC72C7E73E5B4B6

Details

Homepage
https://github.com/sigstore/cosign
License
Apache-2.0
Publisher
sigstore
Support
https://github.com/sigstore/cosign/issues
Moniker
cosign

Older versions (17)

3.0.6
ArchitectureScopeDownloadSHA256
x64Download9B85A88EBFF2D9DD30FF4984A6F61F2CEDC232DD87D81FA7F2FF3C0ED96C241C
3.0.5
ArchitectureScopeDownloadSHA256
x64Download44E9E44202B67DDFAAF5EA1234F5A265417960C4AE98C5B57C35BC40BA9DD714
3.0.4
ArchitectureScopeDownloadSHA256
x64DownloadA3A0DC4E8C745F9BD855EC18DB346538B78AB2C4D6D510AE4186BB4A03F35438
3.0.3
ArchitectureScopeDownloadSHA256
x64Download2593655025B52B5B1C99E43464459B645A3ACBE5D4A5A9F3A766E77BEEC5A441
3.0.2
ArchitectureScopeDownloadSHA256
x64Download7A137280D8686665CEB4D8565DF2A0AC63F28031E014CDCAE5D56891A6C8A400
3.0.1
ArchitectureScopeDownloadSHA256
x64Download21843DBB2E910097531CA23E9F87D0CA2AE9A412E056009EAE670B090418E8ED
2.6.1
ArchitectureScopeDownloadSHA256
x64Download049026DAE3246D6EA8201512EC3EFCE3AAB0C7F1D338D52E26C525DD02B418A0
2.6.0
ArchitectureScopeDownloadSHA256
x64Download7BEB4DD1E19A72C328BBF7C0D7342D744EDBF5CBB082F227B2B76E04A21C16EF
2.5.3
ArchitectureScopeDownloadSHA256
x64Download545D87E096CAB55E213F25B6EC5C9A74C958F72D05182CEE1CD53A4EB6C2E561
2.5.2
ArchitectureScopeDownloadSHA256
x64DownloadFEF1C4731DA9112D4CF2F6D93AE2A1551C73116A4F73FAB7B0C15B38E95FF688
2.5.1
ArchitectureScopeDownloadSHA256
x64Download7A2B09ADD2620AD618A224B7F4BD6ADFA8BAEFA7526047C1FC0EC6C313D69CD6
2.5.0
ArchitectureScopeDownloadSHA256
x64Download2345667CBCF60767C1A6F678755CBB7465367761084E9D2CBB59AE0CC1A94437
2.4.3
ArchitectureScopeDownloadSHA256
x64DownloadA2AC24E197111C9430CB2A98F10A641164381AFB83DF036504868E4EA5720800
2.4.2
ArchitectureScopeDownloadSHA256
x64Download996E6B5E0CA712C3A2C0E182AEE957B85DF1EBA69BABAAE8A6349C0BCE0088DB
2.4.1
ArchitectureScopeDownloadSHA256
x64Download8D57F8A42A981D27290C4227271FA9F0F62CA6630EB4A21D316BD6B01405B87C
2.4.0
ArchitectureScopeDownloadSHA256
x64Download88F1ADDBAE6BDD83EC2C067470C1F56B6D0D3BA35F49AD34603F2502CB2933F3
2.3.0
ArchitectureScopeDownloadSHA256
x64Download7E91FD101DF73601B93061BC39DE734CDCAA26345D3BD8F925E0B53166DC0220