Cosign Integration

Like sigstore-java and sigstore-python, sigstore-dotnet focuses on artifact signing and verification. Container image signing is handled by cosign — the bundles are fully interoperable.

Sign with cosign, verify with .NET

# Sign an artifact with cosign and save the bundle
cosign sign-blob --yes --bundle bundle.sigstore.json --new-bundle-format artifact.tar.gz

# Verify the bundle with sigstore-dotnet
dotnet-sigstore verify-bundle \
  --bundle bundle.sigstore.json \
  --certificate-identity "..." \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  artifact.tar.gz

Sign with .NET, verify with cosign

# Sign with sigstore-dotnet
dotnet-sigstore sign-bundle \
  --identity-token "$TOKEN" \
  --bundle artifact.sigstore.json \
  artifact.tar.gz

# Verify with cosign
cosign verify-blob \
  --bundle artifact.sigstore.json \
  --new-bundle-format \
  --certificate-identity "..." \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  artifact.tar.gz

Interop guarantee

Cross-client compatibility is verified on every push by interop tests that sign and verify across cosign, sigstore-python, and sigstore-dotnet in both directions.
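
When a bundle written by one client is rejected by another, a structural check of the bundle file helps separate format problems from identity or issuer mismatches. The following is an added example, not code from sigstore-dotnet or cosign: it inspects a bundle's JSON layout and confirms the recorded digest belongs to the artifact at hand. The names `preflight` and `sample_bundle` are hypothetical, the sample bundle is constructed with placeholder values, and the check assumes a message-signature bundle that carries a transparency log entry.

```python
import base64
import hashlib
import json

BUNDLE_PREFIX = "application/vnd.dev.sigstore.bundle"  # common to all bundle versions


def preflight(bundle_json: str, artifact: bytes) -> list:
    """List structural problems in a bundle. Triage only: nothing is verified."""
    try:
        bundle = json.loads(bundle_json)
    except json.JSONDecodeError as exc:
        return [f"not JSON: {exc.msg}"]
    if not isinstance(bundle, dict):
        return ["top-level value is not a JSON object"]
    problems = []
    if not str(bundle.get("mediaType", "")).startswith(BUNDLE_PREFIX):
        problems.append("mediaType is not a Sigstore bundle type")
    material = bundle.get("verificationMaterial")
    material = material if isinstance(material, dict) else {}
    if not any(k in material for k in ("certificate", "x509CertificateChain", "publicKey")):
        problems.append("no certificate or public key in verificationMaterial")
    if not material.get("tlogEntries"):  # assumption: signing used a transparency log
        problems.append("no tlogEntries")
    signature = bundle.get("messageSignature")
    if not isinstance(signature, dict):
        return problems + ["no messageSignature (DSSE envelope or other layout)"]
    digest = signature.get("messageDigest")
    digest = digest if isinstance(digest, dict) else {}
    if digest.get("algorithm") != "SHA2_256":
        return problems + ["messageDigest algorithm is not SHA2_256"]
    try:
        recorded = base64.b64decode(str(digest.get("digest", "")), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        recorded = None
    if recorded != hashlib.sha256(artifact).digest():
        problems.append("messageDigest does not match this artifact")
    return problems


def sample_bundle(artifact: bytes) -> str:
    """Constructed bundle skeleton; certificate and signature are placeholders."""
    b64 = lambda raw: base64.b64encode(raw).decode()
    digest = b64(hashlib.sha256(artifact).digest())
    return json.dumps({
        "mediaType": BUNDLE_PREFIX + ".v0.3+json",
        "verificationMaterial": {"certificate": {"rawBytes": b64(b"placeholder")}, "tlogEntries": [{"logIndex": "0"}]},
        "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": digest}, "signature": b64(b"placeholder")},
    })
```

An empty result says nothing about validity; the signature, certificate identity and log inclusion are only checked by `verify-bundle` or `verify-blob`.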