Viewing docs for cosign 0.4.4
published on Monday, May 11, 2026 by chainguard-dev
# Cosign Provider
## Provider details
- Package: cosign
- Version: 0.4.4
- Publisher: chainguard-dev
- Source: opentofu
- Repository: https://github.com/chainguard-dev/terraform-provider-cosign
## Documentation
The Pulumi Cloud Registry API serves canonical, up-to-date docs for this package — including private packages and every published version. Send the "Accept: text/markdown" header for clean readable content, or "application/json" for structured data.
Start at the navigation tree, which cross-links to the readme, installation guide, and per-resource docs URL template:
- https://api.pulumi.com/api/registry/packages/opentofu/chainguard-dev/cosign/versions/latest/nav
Returns a summary by default. The full tree can be hundreds of kB for large providers, so prefer targeted search: append "?q=<query>&depth=full" to filter by resource/function title or token (for example "?q=bucket&depth=full"). Only request the full nav without a query if you actually need to enumerate every resource.
Other endpoints:
- Overview and getting started: https://api.pulumi.com/api/registry/packages/opentofu/chainguard-dev/cosign/versions/latest/readme
- Installation and configuration: https://api.pulumi.com/api/registry/packages/opentofu/chainguard-dev/cosign/versions/latest/installation
- Per-resource/function docs: https://api.pulumi.com/api/registry/packages/opentofu/chainguard-dev/cosign/versions/latest/docs/{token}?lang={lang}
Replace {token} with the percent-encoded token from the nav response (for example aws:s3/bucket:Bucket).
Replace {lang} with typescript, python, go, csharp, java, or yaml.
Fetch the installation endpoint above for the correct setup steps — install instructions vary between native providers, bridged Terraform providers, and component packages.
## Generate Provider

The Cosign provider must be installed as a Local Package by following the instructions for Any Terraform Provider:

```bash
pulumi package add terraform-provider chainguard-dev/cosign
```
## Usage

### Verify

This provides a `cosign.getVerify` function, which can be used with any containerized infrastructure rules to enforce deploy-time policy checking:

```yaml
# Pulumi.yaml provider configuration file
name: configuration-example
runtime:
```
Example currently unavailable in this language
### Configuration Reference

- `defaultAttestationEntryType` (String) Default Rekor entry type to use for attestations. Valid values are 'intoto' (default) or 'dsse'.
- `defaultSignatureFormat` (String) Default signature format to use for signing. Valid values are 'legacy' (default), 'bundle', or 'both'. Can be overridden per-resource.
- `timeout` (String) Timeout for signing and attestation operations, as a Go duration string (e.g. '5m', '10m'). Defaults to '3m'.
### Sign

This provider also exposes `cosign.Sign` and `cosign.Attest` resources that will sign and attest a provided OCI digest, which is intended to compose with OCI providers such as ko, apko, and oci.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as cosign from "@pulumi/cosign";

const example = new cosign.Sign("example", {image: image_build.imageRef});
```

```python
import pulumi
import pulumi_cosign as cosign

example = cosign.Sign("example", image=image_build["imageRef"])
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Cosign = Pulumi.Cosign;

return await Deployment.RunAsync(() =>
{
    var example = new Cosign.Sign("example", new()
    {
        Image = image_build.ImageRef,
    });
});
```

```go
package main

import (
	"github.com/pulumi/pulumi-pulumi-provider/sdks/go/cosign/cosign"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := cosign.NewSign(ctx, "example", &cosign.SignArgs{
			Image: pulumi.Any(image_build.ImageRef),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```yaml
resources:
  example:
    type: cosign:Sign
    properties:
      image: ${["image-build"].imageRef}
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cosign.Sign;
import com.pulumi.cosign.SignArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Sign("example", SignArgs.builder()
            .image(image_build.imageRef())
            .build());
    }
}
```
### Attest
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as cosign from "@pulumi/cosign";

const example = new cosign.Attest("example", {
    image: exampleCosignSign.signedRef,
    predicates: [
        {
            type: "https://example.com/my/predicate/type",
            json: JSON.stringify({}),
        },
        {
            type: "https://example.com/my/predicate/too-big-for-pulumi.tfstate",
            files: {
                path: "/tmp/giant-file.json",
                sha256: "74af7407b59f9021f76a6f9ee66149c5df1ef6442617a805a7860ce18074158d",
            },
        },
    ],
});
```

```python
import pulumi
import json
import pulumi_cosign as cosign

example = cosign.Attest("example",
    image=example_cosign_sign["signedRef"],
    predicates=[
        {
            "type": "https://example.com/my/predicate/type",
            "json": json.dumps({}),
        },
        {
            "type": "https://example.com/my/predicate/too-big-for-pulumi.tfstate",
            "files": {
                "path": "/tmp/giant-file.json",
                "sha256": "74af7407b59f9021f76a6f9ee66149c5df1ef6442617a805a7860ce18074158d",
            },
        },
    ])
```

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Cosign = Pulumi.Cosign;

return await Deployment.RunAsync(() =>
{
    var example = new Cosign.Attest("example", new()
    {
        Image = exampleCosignSign.SignedRef,
        Predicates = new[]
        {
            new Cosign.Inputs.AttestPredicateArgs
            {
                Type = "https://example.com/my/predicate/type",
                Json = JsonSerializer.Serialize(new Dictionary<string, object?>
                {
                }),
            },
            new Cosign.Inputs.AttestPredicateArgs
            {
                Type = "https://example.com/my/predicate/too-big-for-pulumi.tfstate",
                Files =
                {
                    { "path", "/tmp/giant-file.json" },
                    { "sha256", "74af7407b59f9021f76a6f9ee66149c5df1ef6442617a805a7860ce18074158d" },
                },
            },
        },
    });
});
```

```go
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-pulumi-provider/sdks/go/cosign/cosign"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		tmpJSON0, err := json.Marshal(map[string]interface{}{})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = cosign.NewAttest(ctx, "example", &cosign.AttestArgs{
			Image: pulumi.Any(exampleCosignSign.SignedRef),
			Predicates: cosign.AttestPredicateArray{
				&cosign.AttestPredicateArgs{
					Type: pulumi.String("https://example.com/my/predicate/type"),
					Json: pulumi.String(json0),
				},
				&cosign.AttestPredicateArgs{
					Type: pulumi.String("https://example.com/my/predicate/too-big-for-pulumi.tfstate"),
					Files: cosign.AttestPredicateFileArray{
						Path:   "/tmp/giant-file.json",
						Sha256: "74af7407b59f9021f76a6f9ee66149c5df1ef6442617a805a7860ce18074158d",
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```yaml
resources:
  example:
    type: cosign:Attest
    properties:
      image: ${exampleCosignSign.signedRef}
      predicates:
        - type: https://example.com/my/predicate/type
          json:
            fn::toJSON: {}
        - type: https://example.com/my/predicate/too-big-for-pulumi.tfstate
          files:
            path: /tmp/giant-file.json
            sha256: 74af7407b59f9021f76a6f9ee66149c5df1ef6442617a805a7860ce18074158d
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cosign.Attest;
import com.pulumi.cosign.AttestArgs;
import com.pulumi.cosign.inputs.AttestPredicateArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Attest("example", AttestArgs.builder()
            .image(exampleCosignSign.signedRef())
            .predicates(
                AttestPredicateArgs.builder()
                    .type("https://example.com/my/predicate/type")
                    .json(serializeJson(
                        jsonObject(
                        )))
                    .build(),
                AttestPredicateArgs.builder()
                    .type("https://example.com/my/predicate/too-big-for-pulumi.tfstate")
                    .files(AttestPredicateFileArgs.builder()
                        .path("/tmp/giant-file.json")
                        .sha256("74af7407b59f9021f76a6f9ee66149c5df1ef6442617a805a7860ce18074158d")
                        .build())
                    .build())
            .build());
    }
}
```
## Environment Variables

| Name | Default | Description |
|---|---|---|
| TF_COSIGN_LOCAL | | Enables interactive signing with Cosign locally (browser based flow only). |
| TF_COSIGN_CONNECTOR_ID | | Configures Sigstore Connector ID for local based signing. |
| TF_COSIGN_ISSUER | https://oauth2.sigstore.dev/auth | Configures Sigstore token issuer. |
| TF_COSIGN_CLIENT_SECRET | | Configures Sigstore OAuth Client Secret. |
| TF_COSIGN_REDIRECT_URL | | Configures Sigstore interactive OAuth redirect URL. If empty, a random localhost port is used. |
| TF_COSIGN_DISABLE | | Disables all cosign operations. |
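
A pre-deploy check built from the variables in the table above, as an added example that is not part of the provider or its documentation. It treats any non-empty value as set and uses a non-empty `CI` variable to detect an unattended runner; both are assumptions, as is the script name `cosign-preflight.sh` in the final comment.

```sh
#!/bin/sh
# Added example (not from the provider): pre-deploy check of the TF_COSIGN_*
# variables from the table above.
# Assumptions: any non-empty value counts as "set" (the page does not list
# accepted values), and a non-empty CI variable marks an unattended runner.

EXPECTED_ISSUER="https://oauth2.sigstore.dev/auth"  # default from the table

# Print one finding per line for the current environment; nothing if clean.
cosign_env_findings() {
    if [ -n "${TF_COSIGN_DISABLE:-}" ]; then
        echo "FAIL TF_COSIGN_DISABLE is set: all cosign operations are disabled"
    fi
    if [ -n "${CI:-}" ] && [ -n "${TF_COSIGN_LOCAL:-}" ]; then
        echo "FAIL TF_COSIGN_LOCAL is set on a CI runner: browser-based flow is local only"
    fi
    if [ -n "${TF_COSIGN_ISSUER:-}" ] && [ "$TF_COSIGN_ISSUER" != "$EXPECTED_ISSUER" ]; then
        echo "WARN TF_COSIGN_ISSUER overrides the default issuer: $TF_COSIGN_ISSUER"
    fi
    if [ -n "${TF_COSIGN_CLIENT_SECRET:-}" ]; then
        echo "WARN TF_COSIGN_CLIENT_SECRET is set: confirm it comes from a secret store"
    fi
}

# Report findings on stderr; return 1 if any FAIL line is present, else 0.
cosign_env_gate() {
    findings=$(cosign_env_findings)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
    fi
    if printf '%s\n' "$findings" | grep -q '^FAIL'; then
        return 1
    fi
    return 0
}

# Run as: sh cosign-preflight.sh --check && pulumi up
if [ "${1:-}" = "--check" ]; then
    cosign_env_gate || exit 1
fi
```

A `FAIL` on `TF_COSIGN_DISABLE` is the case worth gating on: with it set, a deployment can complete while producing no signatures or attestations.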
