Skip to main content
Infisical KMS integrates with Sigstore Cosign through the sigstore-kms-infisical plugin, enabling you to sign and verify container images and artifacts using keys managed in Infisical.

KMS Plugin Capabilities

Setup

1

Install the Plugin

For the Sigstore library to invoke the plugin, the binary must be in your system’s PATH.
2

Configure Environment Variables

The plugin uses environment variables for authentication. Currently only Machine Identity Universal Auth is supported.Set the following environment variables:
For self-hosted Infisical instances, set INFISICAL_SITE_URL to your instance’s URL.

Usage

Signing a Container Image

Verifying a Container Image

Creating a New Key Pair

This creates an RSA 4096 KMS key with the specified name, which you can then use for signing and verification.