How to set up container signing with cosign
This guide shows you how to set up Sigstore container signing for a BlueBuild custom image repository. This guide is useful when manually setting up a new repository, or regenerating keys for a pre-existing one. Setting up container signing is important for security and verifiability. This guide requires either cosign or skopeo, so make sure one of those is installed before proceeding. If you don’t already have either one of those installed, it is recommended you install cosign.
- Inside your repository, generate a new key pair. Do NOT put in a password when it asks you to, just press enter. The signing key will be used in GitHub Actions and will not work if it is encrypted.
  - with cosign:

    ```sh
    # generates cosign.pub and cosign.key
    cosign generate-key-pair
    ```

  - with skopeo:

    ```sh
    # generates cosign.pub and cosign.private
    skopeo generate-sigstore-key --output-prefix cosign
    ```
- Add the private key to your GitHub repository secrets.
  - This can be done manually on GitHub:
    - Open your repository’s settings.
    - From the sidebar, pick “Secrets and Variables” and “Actions”.
    - Create a new repository secret called `SIGNING_SECRET` and for its value copy the contents of your `cosign.key`/`cosign.private` file.
  - This can also be done with the GitHub CLI, if that is installed:

    ```sh
    gh secret set SIGNING_SECRET < cosign.key # or cosign.private
    ```
- Commit the `cosign.pub` file into your git repository, so that it can be used for verification. The file should always be in the root of your repository.
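The three steps above, collected into one script as an added example (this is not BlueBuild's own tooling). It assumes the current directory is the git checkout of your image repository with a GitHub remote, that either `cosign` or `skopeo` is on `PATH`, and that the secret is named `SIGNING_SECRET` as the guide states. The `pub_key_ok` helper is an extra check the guide does not spell out: it confirms `cosign.pub` sits in the repository root and is a PEM public key before it is committed.

```sh
#!/bin/sh
# Added example script: generate the signing key pair, upload the private key as
# a GitHub Actions secret, and commit the public key at the repository root.
set -eu

# Prefer cosign; fall back to skopeo. Fails if neither is installed.
pick_tool() {
  if command -v cosign >/dev/null 2>&1; then
    echo cosign
  elif command -v skopeo >/dev/null 2>&1; then
    echo skopeo
  else
    echo "neither cosign nor skopeo is installed" >&2
    return 1
  fi
}

# The two tools write the private key under different names.
private_key_file() {
  case "$1" in
    cosign) echo cosign.key ;;
    skopeo) echo cosign.private ;;
    *) return 1 ;;
  esac
}

# Step 1: generate the key pair. Both tools prompt for a passphrase; press Enter
# to leave it empty, since the GitHub Actions workflow cannot decrypt the key.
generate_keys() {
  case "$1" in
    cosign) cosign generate-key-pair ;;
    skopeo) skopeo generate-sigstore-key --output-prefix cosign ;;
  esac
}

# Step 2: store the private key as the SIGNING_SECRET repository secret.
upload_secret() {
  gh secret set SIGNING_SECRET < "$(private_key_file "$1")"
}

# Pre-commit check: cosign.pub must exist directly under the given directory and
# start with the PEM public-key header (cosign and skopeo both emit that format).
pub_key_ok() {
  f="$1/cosign.pub"
  if [ -f "$f" ] && head -n 1 "$f" | grep -q '^-----BEGIN PUBLIC KEY-----$'; then
    return 0
  fi
  return 1
}

# Step 3: commit the public key so image consumers can verify signatures.
commit_public_key() {
  git add cosign.pub
  git commit -m "Add cosign public key for image verification"
}

main() {
  tool=$(pick_tool)
  generate_keys "$tool"
  upload_secret "$tool"
  repo_root=$(git rev-parse --show-toplevel)
  pub_key_ok "$repo_root" || { echo "cosign.pub missing from repo root" >&2; exit 1; }
  commit_public_key
}

# Only run the full procedure when invoked as "sh setup-signing.sh run", so the
# helpers can also be sourced and used individually.
if [ "${1:-}" = run ]; then
  main
fi
```

Run it as `sh setup-signing.sh run` from the repository root. The private key file stays in the working tree after the script finishes; it is never added to git, only `cosign.pub` is committed.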