# Sigstore Cosign Integration

> Sign and verify container images and artifacts using Infisical KMS with Sigstore Cosign.

Infisical KMS integrates with [Sigstore Cosign](https://github.com/sigstore/cosign) through the [sigstore-kms-infisical](https://github.com/Infisical/sigstore-kms-infisical) plugin, enabling you to sign and verify container images and artifacts using keys managed in Infisical.

### KMS Plugin Capabilities

| Capability          | Supported                  |
| ------------------- | -------------------------- |
| DefaultAlgorithm    | RSA\_4096                  |
| SupportedAlgorithms | RSA\_4096, ECC\_NIST\_P256 |
| CreateKey           | ✅                          |
| PublicKey           | ✅                          |
| SignMessage         | ✅                          |
| VerifyMessage       | ✅                          |

## Setup

<Steps>
  <Step title="Install the Plugin">
    For the Sigstore library to invoke the plugin, the binary must be in your system's `PATH`.

    ```bash theme={"dark"}
    git clone https://github.com/Infisical/sigstore-kms-infisical.git
    cd sigstore-kms-infisical
    go build -o sigstore-kms-infisical
    cp sigstore-kms-infisical /usr/local/bin
    ```
  </Step>

  <Step title="Configure Environment Variables">
    The plugin uses environment variables for authentication. Currently only [Machine Identity Universal Auth](/documentation/platform/identities/universal-auth) is supported.

    Set the following environment variables:

    ```bash theme={"dark"}
    export INFISICAL_SITE_URL="https://app.infisical.com"
    export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="<machine-identity-client-id>"
    export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="<machine-identity-client-secret>"
    export INFISICAL_PROJECT_ID="<infisical-kms-project-id>"
    ```

    <Note>
      For self-hosted Infisical instances, set `INFISICAL_SITE_URL` to your instance's URL.
    </Note>
  </Step>
</Steps>

## Usage

### Signing a Container Image

```bash theme={"dark"}
cosign sign --key "infisical://{KMS_KEY_NAME}" --tlog-upload=false my-repo/image:v1
```

### Verifying a Container Image

```bash theme={"dark"}
cosign verify --key "infisical://{KMS_KEY_NAME}" --insecure-ignore-tlog=true my-repo/image:v1
```

### Creating a New Key Pair

```bash theme={"dark"}
cosign generate-key-pair --kms infisical://{NEW_KEY_NAME}
```

This creates an RSA 4096 KMS key with the specified name, which you can then use for signing and verification.
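The setup and usage steps above, combined into one script as an added example (this is not part of the Infisical documentation or of the sigstore-kms-infisical project). It checks that the plugin binary is on `PATH` and that all four environment variables are set before calling `cosign`, then creates, signs with, and verifies against an Infisical-managed key. The script name `cosign-infisical.sh`, the key name `build-signing` and the image reference are constructed placeholders; the script assumes `cosign` and the plugin are installed as described in the Setup section.

```shell
#!/bin/sh
# Added example (not part of the Infisical docs or the sigstore-kms-infisical
# project): a small wrapper around the documented cosign commands that refuses
# to run until the plugin binary and its credentials are in place, then signs
# and verifies an image with an Infisical-managed key.
set -eu

# Key reference URI in the form cosign passes to the plugin.
infisical_key_uri() {
  printf 'infisical://%s' "$1"
}

# Check that every environment variable the plugin reads is set and non-empty.
# Prints each missing name to stderr; returns 1 if any is missing, 0 otherwise.
check_plugin_env() {
  missing=0
  for var in INFISICAL_SITE_URL INFISICAL_UNIVERSAL_AUTH_CLIENT_ID \
             INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET INFISICAL_PROJECT_ID; do
    eval "val=\${$var:-}"          # indirect lookup, POSIX sh compatible
    if [ -z "$val" ]; then
      echo "missing environment variable: $var" >&2
      missing=1
    fi
  done
  return "$missing"
}

# cosign resolves the plugin by name from PATH, so fail early if it is absent.
check_plugin_binary() {
  command -v sigstore-kms-infisical >/dev/null 2>&1
}

# Create the key in Infisical (RSA 4096, the plugin's DefaultAlgorithm).
create_key() {
  cosign generate-key-pair --kms "$(infisical_key_uri "$1")"
}

# Sign without uploading to the Rekor transparency log, as in the documented command.
sign_image() {
  cosign sign --key "$(infisical_key_uri "$1")" --tlog-upload=false "$2"
}

# Verify against the same key. --insecure-ignore-tlog is needed because no log
# entry exists, so trust rests entirely on the key and on who can sign with it
# in Infisical.
verify_image() {
  cosign verify --key "$(infisical_key_uri "$1")" --insecure-ignore-tlog=true "$2"
}

main() {
  key_name="$1"
  image="$2"
  check_plugin_binary || { echo "sigstore-kms-infisical not found on PATH" >&2; exit 1; }
  check_plugin_env || exit 1
  sign_image "$key_name" "$image"
  verify_image "$key_name" "$image"
}

# Usage: ./cosign-infisical.sh build-signing my-repo/image:v1
# Runs only when arguments are given, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Because signing is done with `--tlog-upload=false` and verification with `--insecure-ignore-tlog=true`, there is no Rekor entry to cross-check; the verification result is only as strong as the control over who can use the KMS key, so restrict the machine identity's access to the KMS project accordingly.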
