
Container signing using GitHub Actions

DigiCert container signing enables teams to sign container images directly within GitHub Actions workflows. This action integrates Software Trust with CoSign, providing a secure, automated, and scalable solution for validating container integrity before deployment.

This action sets up the DigiCert® container signer tool, manages the PKCS#11 configuration automatically, handles keys and certificates, and supports signing of both single-architecture and multi-architecture images. Optional signature verification and health checks help ensure reliable, end-to-end signing workflows.

To learn more and get started, review our documentation on GitHub.

Features

Centralized, secure signing

  • Uses Software Trust for authenticated, certificate-based signing

  • Automatically extracts the PKCS#11 module path and handles secure client certificate creation

Streamlined CI/CD Integration

  • Runs fully inside GitHub Actions using the DigiCert® container signer image

  • Supports signing for private or public registries with optional authentication

Flexible image support

  • Works with both single-architecture and multi-architecture images

  • Offers optional recursive signing (for every platform image in a multi-architecture manifest) and signature verification after signing

Built-in reliability

  • Includes Software Trust connectivity checks, version checks for CoSign and SMCTL, and comprehensive error handling

  • Provides verbose logging options for easier debugging