1. Home
  2. /
  3. Use cases
  4. /
  5. Sign container images with Cosign and SignServer

Sign container images with Cosign and SignServer

Signed container images can be created with SignServer together with Cosign. A signed container image allows you to verify where an image came from, to ensure it was not tampered with and that only trusted images are pulled into your systems.

Sigstore cosign logo

Cosign for container signing with SignServer

A container signature identifies and authenticates who signed the image and carries a signed payload in a JSON file that identifies the signed image.

Cosign is a tool for container signing and verification from the Sigstore project of the Linux foundation. It allows storing signatures alongside an image or artifact in the Open Container Initiative (OCI) registry. By combining Cosign with SignServer, you get the addition of centralized signing, secure key management, and a way to harmonize signing processes. For more information about Cosign, see the Cosign documentation.

How to get started

To sign a container image, you first use Cosign to generate a payload containing the digest of the container image. Then, use SignServer to sign the payload and finally attach the signed payload to the container image in the registry using Cosign.

Cosign can later be used to verify that the digest of the signature payload matches the digest of the container image that the signature attached to.

The following video tutorial will demonstrate how you can use SignServer to sign a payload generated by Cosign and use Cosign to verify the signed container image.

We will show how to: 

  • Create signing key and CSR in SignServer
  • Issue signing certificate
  • Activate signing worker in SignServer
  • Create Docker container image
  • Create container signature payload with Cosign
  • Sign payload with SignServer
  • Attach signed payload to container with Cosign
  • Verify signed container image with Cosign


  • This tutorial uses an Arch Linux installation and SignServer Community and EJBCA Community Docker containers.
  • In addition, before you begin with this tutorial, you need an instance of SignServer and EJBCA running.





Check out the supplementary documentation that goes hand-in-hand with our tutorial video.

Docker Hub

Get your hands on the SignServer Docker container by downloading it now from Docker Hub.


Take a peek at our tutorial video on YouTube, and browse through some of our other videos as well.


Join our discussions to ask questions and share ideas.

Related open-source projects