# Cosign binaries (runtime/signals signing)

## Preferred (system)
- Version: `v3.0.2`
- Path: `/usr/local/bin/cosign` (installed on WSL Debian host)
- Breaking change: v3 requires `--bundle <file>` when signing blobs; older `--output-signature`/`--output-certificate` pairs are deprecated.

## Offline fallback (repo-pinned)
- Version: `v2.6.0`
- Binary: `tools/cosign/cosign` → `tools/cosign/v2.6.0/cosign-linux-amd64`
- SHA256: `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`
- Check: `cd tools/cosign/v2.6.0 && sha256sum -c cosign_checksums.txt --ignore-missing`

## Usage examples
- v3 DSSE blob: `cosign sign-blob --key cosign.key --predicate-type stella.ops/confidenceDecayConfig@v1 --bundle confidence_decay_config.sigstore.json decay/confidence_decay_config.yaml`
- v3 verify: `cosign verify-blob --bundle confidence_decay_config.sigstore.json decay/confidence_decay_config.yaml`
- To force offline fallback, export `PATH=./tools/cosign:$PATH` (ensures v2.6.0 is used).