{"id":38305221,"url":"https://github.com/juburr/cosign-orb","last_synced_at":"2026-02-01T00:27:46.594Z","repository":{"id":221572775,"uuid":"754739140","full_name":"juburr/cosign-orb","owner":"juburr","description":"A simple CircleCI orb used to install Cosign and sign container images","archived":false,"fork":false,"pushed_at":"2025-08-24T13:39:52.000Z","size":718,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-17T12:58:08.741Z","etag":null,"topics":["circleci","circleci-orb","container-security","cosign","docker-signatures","signature-verification","signatures","sigstore","supply-chain-security"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/juburr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-02-08T17:14:26.000Z","updated_at":"2025-08-24T13:39:28.000Z","dependencies_parsed_at":null,"dependency_job_id":"5639fa3c-e429-4ec7-9a1a-093a007636d2","html_url":"https://github.com/juburr/cosign-orb","commit_stats":null,"previous_names":["juburr/cosign-orb"],"tags_count":25,"template":false,"template_full_name":null,"purl":"pkg:github/juburr/cosign-orb","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juburr%2Fcosign-orb","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juburr%2Fcosign-orb/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juburr%2Fcosign-orb/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juburr%2Fcosign-orb/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/juburr","download_url":"https://codeload.github.com/juburr/cosign-orb/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juburr%2Fcosign-orb/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28961837,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-31T23:03:11.038Z","status":"ssl_error","status_checked_at":"2026-01-31T22:56:44.691Z","response_time":128,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["circleci","circleci-orb","container-security","cosign","docker-signatures","signature-verification","signatures","sigstore","supply-chain-security"],"created_at":"2026-01-17T02:26:43.510Z","updated_at":"2026-02-01T00:27:46.563Z","avatar_url":"https://github.com/juburr.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg align=\"center\" width=\"320\" src=\"assets/logos/cosign-orb.png\" alt=\"Cosign Orb\"\u003e\n  \u003ch1\u003eCircleCI Cosign Orb\u003c/h1\u003e\n  \u003ci\u003eAn orb for simplifying Cosign installation and use within CircleCI.\u003c/i\u003e\u003cbr /\u003e\u003cbr /\u003e\n\u003c/div\u003e\n\n[![CircleCI Build Status](https://circleci.com/gh/juburr/cosign-orb.svg?style=shield \"CircleCI Build Status\")](https://circleci.com/gh/juburr/cosign-orb) [![CircleCI Orb Version](https://badges.circleci.com/orbs/juburr/cosign-orb.svg)](https://circleci.com/developer/orbs/orb/juburr/cosign-orb) [![GitHub License](https://img.shields.io/badge/license-MIT-lightgrey.svg)](https://raw.githubusercontent.com/juburr/cosign-orb/master/LICENSE) [![CircleCI Community](https://img.shields.io/badge/community-CircleCI%20Discuss-343434.svg)](https://discuss.circleci.com/c/ecosystem/orbs)\n\nThis is an unofficial Cosign orb for installing Cosign in your CircleCI pipeline. Use it to sign container images and verify signatures.\n\nThis orb is primarily intended for use by private organizations at this time. Notice that the convenience commands provided in the initial version of this orb don't attempt to use keyless signing, upload to transparency logs, etc. They assume a simple setup with a public/private key pair stored as base64 encoded secrets within a CircleCI context. If advanced features are needed, you can use this orb for installation only and then run the cosign binary with your own arguments. Contributions are welcome!\n\n## Features\n### **Secure By Design**\n- **Least Privilege**: Installs to a user-owned directory by default, with no `sudo` usage anywhere in this orb.\n- **Integrity**: Checksum validation of all downloaded binaries using SHA-512.\n- **Provenance**: Installs directly from Cosign's official [releases page](https://github.com/sigstore/cosign/releases/) on GitHub. No third-party websites, domains, or proxies are used.\n- **Confidentiality**: All secrets and environment variables are handled in accordance with CircleCI's [security recommendations](https://circleci.com/docs/security-recommendations/) and [best practices](https://circleci.com/docs/orbs-best-practices/).\n- **Privacy**: No usage data of any kind is collected or shipped back to the orb developer.\n\nInfo for security teams:\n- Required external access to allow, if running a locked down, self-hosted CircleCI pipeline on-prem:\n  - `github.com`: For download and installation of the Cosign tool using HTTPS.\n\n## Usage\n\n### Installation\n\nUse the `cosign-orb` to handle installation of Cosign within your CircleCI pipeline without needing to create a custom base image. After installation, you can then use the `cosign` command anywhere within your job. Caching is supported if you want to prevent re-downloading Cosign on successive runs of your pipeline, though the download and installation are normally extremely fast.\n\n\n```yaml\nversion: 2.1\n\norbs:\n  cosign: juburr/cosign-orb@latest\n\nparameters:\n  cimg_base_version:\n    type: string\n    default: \"current-22.04\"\n  cosign_version:\n    type: string\n    default: \"2.5.2\"\n\njobs:\n  sign_container:\n    docker:\n      - image: cimg/base:\u003c\u003c pipeline.parameters.cimg_base_version \u003e\u003e\n    steps:\n      - checkout\n      - cosign/install:\n          caching: true\n          verify_checksums: strict\n          version: \u003c\u003c pipeline.parameters.cosign_version \u003e\u003e\n      - run:\n          name: Run Custom Cosign Commands\n          command: |\n            # Use the cosign binary however you'd like here...\n            cosign version\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjuburr%2Fcosign-orb","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjuburr%2Fcosign-orb","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjuburr%2Fcosign-orb/lists"}