Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
package

GitHub Action

cosign-installer

v3.4.0

cosign-installer

package

cosign-installer

Installs cosign and includes it in your path

Installation

Copy and paste the following snippet into your .yml file.

              

- name: cosign-installer

uses: sigstore/[email protected]

Learn more about this action in sigstore/cosign-installer

Choose a version

cosign-installer GitHub Action

This action enables you to sign and verify container images using cosign. cosign-installer verifies the integrity of the cosign release during installation.

For a quick start guide on the usage of cosign, please refer to https://github.com/sigstore/cosign#quick-start. For available cosign releases, see https://github.com/sigstore/cosign/releases.

Usage

This action currently supports GitHub-provided Linux, macOS and Windows runners (self-hosted runners may not work).

Add the following entry to your Github workflow YAML file:

uses: sigstore/[email protected]
with:
  cosign-release: 'v2.2.2' # optional

Example using a pinned version:

jobs:
  example:
    runs-on: ubuntu-latest

    permissions: {}

    name: Install Cosign
    steps:
      - name: Install Cosign
        uses: sigstore/[email protected]
        with:
          cosign-release: 'v2.2.2'
      - name: Check install!
        run: cosign version

Example using the default version:

jobs:
  example:
    runs-on: ubuntu-latest

    permissions: {}

    name: Install Cosign
    steps:
      - name: Install Cosign
        uses: sigstore/[email protected]
      - name: Check install!
        run: cosign version

If you want to install cosign from its main version by using 'go install' under the hood, you can set 'cosign-release' as 'main'. Once you did that, cosign will be installed via 'go install' which means that please ensure that go is installed.

Example of installing cosign via go install:

jobs:
  example:
    runs-on: ubuntu-latest

    permissions: {}

    name: Install Cosign via go install
    steps:
      - name: Install go
        uses: actions/setup-go@v4
        with:
          go-version: '1.21'
          check-latest: true
      - name: Install Cosign
        uses: sigstore/[email protected]
        with:
          cosign-release: main
      - name: Check install!
        run: cosign version

This action does not need any GitHub permission to run, however, if your workflow needs to update, create or perform any action against your repository, then you should change the scope of the permission appropriately.

For example, if you are using the gcr.io as your registry to push the images you will need to give the write permission to the packages scope.

Example of a simple workflow:

jobs:
  build-image:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      packages: write
      id-token: write # needed for signing the images with GitHub OIDC Token

    name: build-image
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: 1

      - name: Install Cosign
        uses: sigstore/[email protected]

      - name: Set up QEMU
        uses: docker/[email protected]

      - name: Set up Docker Buildx
        uses: docker/[email protected]

      - name: Login to GitHub Container Registry
        uses: docker/[email protected]
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: docker_meta
        uses: docker/[email protected]
        with:
          images: ghcr.io/sigstore/sample-honk
          tags: type=sha,format=long

      - name: Build and Push container images
        uses: docker/[email protected]
        id: build-and-push
        with:
          platforms: linux/amd64,linux/arm/v7,linux/arm64
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}

      # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
      - name: Sign image with a key
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${images}
        env:
          TAGS: ${{ steps.docker_meta.outputs.tags }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}

      - name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          TAGS: ${{ steps.docker_meta.outputs.tags }}
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          cosign sign --yes ${images}

Optional Inputs

The following optional inputs:

Input Description
cosign-release cosign version to use instead of the default.
install-dir directory to place the cosign binary into instead of the default ($HOME/.cosign).
use-sudo set to true if install-dir location requires sudo privs. Defaults to false.

Security

Should you discover any security issues, please refer to Sigstore's security process