cosign
Installation
Entrypoint
Types
Cosign

cosign

keyless (Fulcio + Rekor, via an OIDC token) or with a private key. Digests
are signed concurrently. Callers deduplicate digests before signing, since
multiple tags often share one manifest.

Installation

dagger install github.com/MacroPower/x/toolchains/cosign@483dc69c30e485db85d928723096efa22c3603c6

Entrypoint

Return Type

Cosign !

Arguments

Name	Type	Default Value	Description
image	String	-	cosign container image.

Example

dagger -m github.com/MacroPower/x/toolchains/cosign@483dc69c30e485db85d928723096efa22c3603c6 call \

func (m *MyModule) Example() *dagger.Cosign  {
	return dag.
			Cosign()
}

@function
def example() -> dagger.Cosign:
	return (
		dag.cosign()
	)

@func()
example(): Cosign {
	return dag
		.cosign()
}

Types

Cosign 🔗

Cosign signs container image digests with Sigstore cosign. Create instances with [New].

image() 🔗

cosign container image reference.

Return Type

String !

Example

dagger -m github.com/MacroPower/x/toolchains/cosign@483dc69c30e485db85d928723096efa22c3603c6 call \
 image

func (m *MyModule) Example(ctx context.Context) string  {
	return dag.
			Cosign().
			Image(ctx)
}

@function
async def example() -> str:
	return await (
		dag.cosign()
		.image()
	)

@func()
async example(): Promise<string> {
	return dag
		.cosign()
		.image()
}

binary() 🔗

Binary returns the cosign executable, extracted from the official image so it can be layered onto another container (e.g. a goreleaser release base, where goreleaser invokes cosign for blob signing).

Return Type

File !

Example

dagger -m github.com/MacroPower/x/toolchains/cosign@483dc69c30e485db85d928723096efa22c3603c6 call \
 binary

func (m *MyModule) Example() *dagger.File  {
	return dag.
			Cosign().
			Binary()
}

@function
def example() -> dagger.File:
	return (
		dag.cosign()
		.binary()
	)

@func()
example(): File {
	return dag
		.cosign()
		.binary()
}

signKeyless() 🔗

SignKeyless signs each digest using cosign keyless signing (FulcioCosign’s built-in GitHub Actions provider uses the OIDC request URL and token to fetch fresh tokens on demand, avoiding expiry issues. When registry credentials are supplied, a Docker config is mounted so cosign can push signatures to a private registry (cosign makes its own HTTP requests, which Dagger’s registry auth does not cover).

Return Type

Void !

Arguments

Name	Type	Default Value	Description
digests	[String ! ] !	-	Image digests to sign (e.g. "registry/image:tag@sha256:hex"). Caller should deduplicate by digest first.
oidcRequestUrl	String !	-	OIDC token request URL (GitHub Actions: ACTIONS_ID_TOKEN_REQUEST_URL).
oidcRequestToken	Secret !	-	Bearer token for the OIDC request (GitHub Actions: ACTIONS_ID_TOKEN_REQUEST_TOKEN).
registryHost	String	-	Registry host for cosign auth (e.g. "ghcr.io"). Required with a password.
registryUsername	String	-	Registry username for cosign auth.
registryPassword	Secret	-	Registry password/token for cosign auth. When set, a Docker config is mounted for cosign's own registry requests.

Example

dagger -m github.com/MacroPower/x/toolchains/cosign@483dc69c30e485db85d928723096efa22c3603c6 call \
 sign-keyless --digests string1 --digests string2 --oidc-request-url string --oidc-request-token env:MYSECRET

func (m *MyModule) Example(ctx context.Context, digests []string, oidcRequestUrl string, oidcRequestToken *dagger.Secret)   {
	return dag.
			Cosign().
			SignKeyless(ctx, digests, oidcRequestUrl, oidcRequestToken)
}

@function
async def example(digests: List[str], oidc_request_url: str, oidc_request_token: dagger.Secret) -> None:
	return await (
		dag.cosign()
		.sign_keyless(digests, oidc_request_url, oidc_request_token)
	)

@func()
async example(digests: string[], oidcRequestUrl: string, oidcRequestToken: Secret): Promise<void> {
	return dag
		.cosign()
		.signKeyless(digests, oidcRequestUrl, oidcRequestToken)
}

signWithKey() 🔗

SignWithKey signs each digest using a cosign private key (env://COSIGN_KEY). When registry credentials are supplied, a Docker config is mounted so cosign can push signatures to a private registry.

Return Type

Void !

Arguments

Name	Type	Default Value	Description
digests	[String ! ] !	-	Image digests to sign (e.g. "registry/image:tag@sha256:hex"). Caller should deduplicate by digest first.
key	Secret !	-	cosign private key (the contents of a cosign.key file).
password	Secret	-	Password for the cosign private key, if it is encrypted.
registryHost	String	-	Registry host for cosign auth (e.g. "ghcr.io"). Required with a password.
registryUsername	String	-	Registry username for cosign auth.
registryPassword	Secret	-	Registry password/token for cosign auth. When set, a Docker config is mounted for cosign's own registry requests.

Example

dagger -m github.com/MacroPower/x/toolchains/cosign@483dc69c30e485db85d928723096efa22c3603c6 call \
 sign-with-key --digests string1 --digests string2 --key env:MYSECRET

func (m *MyModule) Example(ctx context.Context, digests []string, key *dagger.Secret)   {
	return dag.
			Cosign().
			SignWithKey(ctx, digests, key)
}

@function
async def example(digests: List[str], key: dagger.Secret) -> None:
	return await (
		dag.cosign()
		.sign_with_key(digests, key)
	)

@func()
async example(digests: string[], key: Secret): Promise<void> {
	return dag
		.cosign()
		.signWithKey(digests, key)
}

withCosign() 🔗

WithCosign installs the cosign binary at /usr/local/bin/cosign in the given container, for tools (like goreleaser’s sign step) that invoke it directly.

Return Type

Container !

Arguments

Name	Type	Default Value	Description
ctr	Container !	-	Container to install cosign into.

Example

dagger -m github.com/MacroPower/x/toolchains/cosign@483dc69c30e485db85d928723096efa22c3603c6 call \
 with-cosign --ctr IMAGE:TAG

func (m *MyModule) Example(ctr *dagger.Container) *dagger.Container  {
	return dag.
			Cosign().
			WithCosign(ctr)
}

@function
def example(ctr: dagger.Container) -> dagger.Container:
	return (
		dag.cosign()
		.with_cosign(ctr)
	)

@func()
example(ctr: Container): Container {
	return dag
		.cosign()
		.withCosign(ctr)
}