docs/documentation/platform/kms/sigstore-cosign.mdx
Infisical KMS integrates with Sigstore Cosign through the `sigstore-kms-infisical` plugin, so you can sign and verify container images and other artifacts with keys that are created and held in Infisical KMS. Cosign hands the signing operation to the plugin, which performs it through the KMS; the private key is never exported to the host running Cosign.
| Property | Value |
|---|---|
| Default algorithm | RSA_4096 |
| Supported algorithms | RSA_4096, ECC_NIST_P256 |
| CreateKey | ✅ |
| PublicKey | ✅ |
| SignMessage | ✅ |
| VerifyMessage | ✅ |
Build the plugin from source (a Go toolchain is required) and install it on `PATH`. Cosign locates KMS plugins by executable name, `sigstore-kms-<scheme>`, so the binary must keep the name `sigstore-kms-infisical` for `infisical://` key URIs to resolve:
```bash
git clone https://github.com/Infisical/sigstore-kms-infisical.git
cd sigstore-kms-infisical
go build -o sigstore-kms-infisical
# the target directory must be on PATH for the user that runs cosign
cp sigstore-kms-infisical /usr/local/bin
```
Set the following environment variables. The plugin authenticates to Infisical with a machine identity using Universal Auth; the client secret is a credential, so inject it from your CI or workstation secret store rather than typing it into a shell whose history is persisted:
```bash
export INFISICAL_SITE_URL="https://app.infisical.com"
export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="<machine-identity-client-id>"
export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="<machine-identity-client-secret>"
export INFISICAL_PROJECT_ID="<infisical-kms-project-id>"
```
<Note>
For self-hosted Infisical instances, set `INFISICAL_SITE_URL` to your instance's URL.
</Note>
Sign an image with a key that already exists in the KMS project. `--tlog-upload=false` skips uploading the signature to the Rekor transparency log:
```bash
cosign sign --key "infisical://{KMS_KEY_NAME}" --tlog-upload=false my-repo/image:v1
```
Verify the signature with the same key. Because no Rekor entry was uploaded, verification must be told to ignore the transparency log with `--insecure-ignore-tlog=true`; without that flag, `cosign verify` fails looking for a log entry that does not exist. Decide deliberately whether your signatures are logged, since a verifier that ignores the tlog relies on the key alone:
```bash
cosign verify --key "infisical://{KMS_KEY_NAME}" --insecure-ignore-tlog=true my-repo/image:v1
```
Create a new key directly in the KMS project:
```bash
cosign generate-key-pair --kms infisical://{NEW_KEY_NAME}
```
This creates an RSA 4096 KMS key (the plugin's default algorithm) with the specified name, which you can then reference as `infisical://{NEW_KEY_NAME}` for signing and verification.
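The following script is an added example, not code from the Infisical docs or the plugin repository. It wraps the commands above so that the signer side (which needs the Infisical credentials) is separated from the verifier side (which only needs the exported public key and no KMS access), fails early if any Universal Auth variable is missing without printing its value, and keeps the sign-time and verify-time transparency-log flags consistent. The function names and the `USE_REKOR`, `RUN_SIGN_FLOW`, `KMS_KEY_NAME` and `IMAGE` variables are this script's own conventions; `cosign`, `cosign public-key --key <kms-uri>` and the plugin must already be installed for the guarded flow at the bottom to run.

```shell
#!/bin/sh
# Added example wrapping the sigstore-kms-infisical cosign workflow.
# Not part of the Infisical documentation or the plugin repository.
set -eu

# The plugin reads these four variables for Universal Auth. Fail early if any
# is unset, naming the variable but never echoing its value.
require_infisical_env() {
  missing=0
  for name in INFISICAL_SITE_URL INFISICAL_UNIVERSAL_AUTH_CLIENT_ID \
              INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET INFISICAL_PROJECT_ID; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "error: $name is not set" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Key reference understood by the sigstore-kms-infisical plugin.
kms_uri() {
  printf 'infisical://%s' "$1"
}

# Sign-side and verify-side tlog flags must agree: a signature that was not
# uploaded to Rekor can only be verified with --insecure-ignore-tlog=true.
# Argument: 1 to use Rekor, 0 to skip it.
sign_tlog_flags() {
  if [ "$1" = 1 ]; then :; else printf '%s' '--tlog-upload=false'; fi
}
verify_tlog_flags() {
  if [ "$1" = 1 ]; then :; else printf '%s' '--insecure-ignore-tlog=true'; fi
}

# Signer side: needs the Infisical credentials.
sign_image() {           # sign_image KEY_NAME IMAGE USE_REKOR
  require_infisical_env
  # word-splitting of the flag string is intentional
  cosign sign --key "$(kms_uri "$1")" $(sign_tlog_flags "$3") "$2"
}

# Export the public key once so that verifiers need no Infisical credentials.
export_public_key() {    # export_public_key KEY_NAME OUT_FILE
  require_infisical_env
  cosign public-key --key "$(kms_uri "$1")" > "$2"
}

# Verifier side: only the exported public key, no KMS access at all.
verify_image() {         # verify_image PUB_FILE IMAGE USE_REKOR
  cosign verify --key "$1" $(verify_tlog_flags "$3") "$2"
}

# End-to-end flow, run only when explicitly requested:
#   RUN_SIGN_FLOW=1 KMS_KEY_NAME=my-key IMAGE=my-repo/image:v1 sh sign-flow.sh
if [ "${RUN_SIGN_FLOW:-0}" = 1 ]; then
  KEY="${KMS_KEY_NAME:?set KMS_KEY_NAME}"
  IMAGE="${IMAGE:?set IMAGE}"
  USE_REKOR="${USE_REKOR:-0}"
  sign_image "$KEY" "$IMAGE" "$USE_REKOR"
  export_public_key "$KEY" cosign.pub
  verify_image cosign.pub "$IMAGE" "$USE_REKOR"
fi
```

Keeping `verify_image` free of any `INFISICAL_*` dependency is the point of the split: distribute `cosign.pub` to the systems that admit images and give the machine identity's client secret only to the signing job. If you later enable Rekor uploads (`USE_REKOR=1`), both halves change together, so a verifier is never left silently ignoring a log you expected it to check.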