cosign for container image signing

In a previous blog post I mentioned storing Helm charts in an OCI registry. The trend of using an OCI registry to store artifacts other than container images keeps growing, but how can we prove that a stored artifact is really ours? We asked the same question about the package repositories of popular Linux distributions, and the answer there was signing. Cosign is one answer to how such artifacts can be signed and verified. It is part of a broader initiative called sigstore, which offers digital signing, verification, and provenance checks.

Cosign is a command-line tool with the following features:

One nice thing about cosign is that it signs an image without modifying the image itself: the signature is pushed to the registry as a separate OCI artifact that sits next to the image. Here is how that works:

# try to verify an image that has not been signed
# cosign looks for an artifact in the same repository whose tag is the digest of the
# image being verified, with ':' replaced by '-' and a '.sig' suffix appended
#
$ cosign verify -d --key cosign.pub localhost:5000/image:latest
...
2022/02/12 17:11:06 --> GET http://localhost:5000/v2/image/manifests/sha256-ac677263055ae7402b87d78717f08410bd88641c081e4c31af532c52c782a5b8.sig
...
Error: no matching signatures:
# to get the exact reference of the signature artifact for a signed image
$ cosign triangulate localhost:5000/nginx-cosign:latest
localhost:5000/nginx-cosign:sha256-457a5fd926843da45fdeb078dbda1edee9e9ce31444086637bf4100fed7b3ee9.sig
# the signature manifest can be fetched with the crane tool
$ crane manifest localhost:5000/nginx-cosign:sha256-457a5fd926843da45fdeb078dbda1edee9e9ce31444086637bf4100fed7b3ee9.sig | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 233,
    "digest": "sha256:e39b3939a192ed8fde9a7c0379e2aa2a184df8303b858dbe4dad38185ff6d2b4"
  },
  "layers": [
    {
      "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
      "size": 250,
      "digest": "sha256:efed48b0c43a544f3490b2ce4f1661a18bf4fcfb8fa15ea5f84908ab46b309e1",
      "annotations": {
        "dev.cosignproject.cosign/signature": "MEQCIBmx7XTrp87lsGcd/eUTedSzk+SrMwiXvT0nj6gkk3M5AiAkQWEXX2a3qXtCSqDV639rMyk0bWRL1WWOP9radFwVtw=="
      }
    }
  ]
}
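To make that manifest layout concrete, here is an added example (not code from this page or from the cosign project) that reimplements in Go what cosign does with it: derive the `.sig` tag from the image digest the way `cosign triangulate` does, build the simple signing payload that becomes the layer blob, sign it with an ECDSA P-256 key in the form the `dev.cosignproject.cosign/signature` annotation carries (DER, base64), and verify it, including the check that the payload binds to the digest of the image actually being verified. The key pair is generated inside the program instead of being loaded from `cosign.key`/`cosign.pub`; the repository name and digest are taken from the `triangulate` output above, and the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SimpleSigning mirrors the JSON cosign stores as the .sig layer blob
// (media type application/vnd.dev.cosign.simplesigning.v1+json).
type SimpleSigning struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

const cosignPayloadType = "cosign container image signature"

// SignatureTag is the triangulation rule: the image digest "sha256:<hex>"
// becomes the tag "sha256-<hex>.sig" in the same repository.
func SignatureTag(repo, digest string) (string, error) {
	algo, hex, ok := strings.Cut(digest, ":")
	if !ok || algo == "" || hex == "" {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	return fmt.Sprintf("%s:%s-%s.sig", repo, algo, hex), nil
}

// NewPayload builds the simple signing payload for one image digest.
func NewPayload(ref, digest string) ([]byte, error) {
	var p SimpleSigning
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = cosignPayloadType
	return json.Marshal(p)
}

// SignPayload produces the annotation value: ECDSA P-256 over
// SHA-256(payload), DER-encoded, then base64.
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	h := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// VerifyLayer checks one signature layer: the annotation must be a valid
// signature over the layer blob, and the blob must name the digest of the
// image being verified.
func VerifyLayer(pub *ecdsa.PublicKey, payload []byte, sigB64, wantDigest string) error {
	der, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature annotation is not base64: %w", err)
	}
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], der) {
		return errors.New("signature does not verify against the public key")
	}
	var p SimpleSigning
	if err := json.Unmarshal(payload, &p); err != nil {
		return fmt.Errorf("payload is not simple signing JSON: %w", err)
	}
	if p.Critical.Type != cosignPayloadType {
		return fmt.Errorf("unexpected payload type %q", p.Critical.Type)
	}
	// Without this check a valid signature over another image's payload
	// could be copied into this image's .sig manifest and still verify.
	if p.Critical.Image.DockerManifestDigest != wantDigest {
		return fmt.Errorf("payload binds %s, not %s", p.Critical.Image.DockerManifestDigest, wantDigest)
	}
	return nil
}

func main() {
	// Repository and digest from the triangulate output; the key pair is
	// generated here rather than loaded from cosign.key / cosign.pub.
	const repo = "localhost:5000/nginx-cosign"
	const digest = "sha256:457a5fd926843da45fdeb078dbda1edee9e9ce31444086637bf4100fed7b3ee9"
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	tag, _ := SignatureTag(repo, digest)
	fmt.Println("signature lives at:", tag)

	payload, _ := NewPayload(repo, digest)
	sig, _ := SignPayload(priv, payload)
	fmt.Println("verify genuine :", VerifyLayer(&priv.PublicKey, payload, sig, digest))

	// A signature over a different image, replayed into this repository.
	otherPayload, _ := NewPayload(repo, "sha256:"+strings.Repeat("00", 32))
	otherSig, _ := SignPayload(priv, otherPayload)
	fmt.Println("verify replayed:", VerifyLayer(&priv.PublicKey, otherPayload, otherSig, digest))
}
```

Run it with `go run main.go`. The point of the digest check in `VerifyLayer` is that the `.sig` reference is an ordinary tag in the repository: anyone with push rights can overwrite it, and a registry never vouches for it. What makes the scheme hold is the public key plus the binding between payload and image digest, not where the artifact is stored.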
