Linux Signing

Sign Linux release archives using one of three methods: cosign (keyless OIDC), minisign (self-managed keys), or gpg (detached signatures).

Usage

cargo codesign linux --archive target/release/myapp.tar.gz

The signing method is determined by [linux] method in sign.toml. Override it at the command line:

cargo codesign linux --archive release.tar.gz --method cosign
cargo codesign linux --archive release.tar.gz --method minisign
cargo codesign linux --archive release.tar.gz --method gpg

Specify a custom output path for the signature file:

cargo codesign linux --archive release.tar.gz --output release.tar.gz.cosign-bundle

Methods

cosign (keyless OIDC)

Recommended for GitHub Actions. Uses Sigstore keyless signing via OIDC — no private key management required.

Produces a .bundle file alongside the archive.

minisign

Self-managed key signing via minisign. The private key is read from the environment variable configured in [linux.env] key.

Produces a .minisig file alongside the archive.

gpg

Standard GPG detached signatures. Uses the default GPG key on the system.

Produces a .sig file alongside the archive.

Configuration

[linux]
method = "cosign"

[linux.env]
key = "COSIGN_PRIVATE_KEY"

See the sign.toml Reference for full details, and Setting Up Credentials for how to obtain signing credentials.