Signing Container Images with Cosign and GitHub OIDC
In today’s cloud-native world, ensuring the integrity and authenticity of container images is crucial. Signing images provides a way to verify that the images have not been tampered with and come from a trusted source. In this post, we’ll explore how to sign container images from a GitHub Actions workflow using Cosign from the Sigstore project, with the workflow’s GitHub OIDC token standing in for a long-lived signing key, and how to verify those signatures against the workflow identity that ends up in the signing certificate.
Cosign is a tool designed to make signatures an invisible part of the infrastructure. It supports keyless signing with the Sigstore public good Fulcio certificate authority and Rekor transparency log, hardware and KMS signing, and signing with a Cosign-generated encrypted private/public keypair. Cosign also allows for container signing, verification, and storage in an OCI registry, and supports bring-your-own PKI.
Why Sign Container Images?
Container images are the building blocks of modern applications. They are often pulled from public or private registries and used in various environments. Without proper signing, there’s a risk of deploying compromised images, leading to potential security breaches. Signing images ensures that only verified and trusted images are used in your deployments.
Signing Images with Cosign and GitHub OIDC
Cosign, part of the Sigstore project, provides a seamless way to sign and verify container images. One of the key advantages of using Cosign with GitHub’s OIDC token is the elimination of long-lived credentials. Long-lived signing keys pose a security risk: they can be leaked from a secret store or a developer machine and used to sign malicious images until someone notices and rotates them. In keyless mode, Cosign instead generates an ephemeral keypair for each signing run, presents the workflow’s OIDC token to the Fulcio certificate authority, and receives a short-lived certificate whose subject (SAN) is the workflow identity (repository, workflow file and ref) asserted in the token. The private key is discarded after use, so there is nothing to steal later, and the certificate plus the Rekor transparency log entry are what a verifier checks.
Additionally, when using GitHub OIDC tokens there is no need to stand up Rekor and Fulcio yourself: Cosign defaults to the public Sigstore instances, and the token provides the authentication Fulcio needs, which keeps the setup small and easy to integrate into existing CI/CD pipelines. (Organizations that cannot use the public instances can point Cosign at their own Fulcio and Rekor deployments.)
Step-by-Step Guide
- Set up GitHub Actions: use GitHub Actions to automate the signing process. The job needs permission to request an OIDC ID token, which Cosign exchanges for a short-lived Fulcio certificate. Add the following to your workflow, alongside whatever other permissions the job already needs (for example `packages: write` to push to GHCR):

```yaml
permissions:
  id-token: write
```

- Install Cosign: add a step in your workflow that installs Cosign.

```yaml
- name: Install Cosign
  uses: sigstore/cosign-installer@v3.8.1
```

- Sign the image: sign by digest, not by tag, so the signature is bound to the exact image content rather than to a mutable pointer. `IMAGE_PATH` and `DIGEST` come from the build-and-push step (for example the `digest` output of `docker/build-push-action`). With no `--key` given, Cosign uses the workflow’s OIDC token to obtain a certificate from Fulcio and records the signature in Rekor; `--yes` skips the interactive confirmation prompt.

```yaml
- name: Sign container image
  run: |
    cosign sign --yes ${IMAGE_PATH}@${DIGEST}
```

- Verify the image: after signing, verify that the signature chains to a certificate issued for your repository’s workflow. Verification does not use the OIDC token itself; it checks the issuer and the identity embedded in the Fulcio certificate against the flags you pass, and checks that the signature is present in the transparency log.

```yaml
- name: Verify container image
  run: |
    cosign verify ghcr.io/$REPO/$IMAGE:$TAG \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
      --certificate-identity-regexp="https://github.com/$REPO" \
      -o text
```

Two caveats on the verify step. `--certificate-identity-regexp` is an unanchored regular expression: `https://github.com/org/repo` also matches a certificate issued for `https://github.com/org/repo-tools/.github/workflows/...` in the same organization, and it says nothing about which workflow file or branch produced the signature, so any workflow on any branch of the repository would be accepted. Anchor the pattern (`^https://github.com/$REPO/`) or, better, pass the exact workflow identity with `--certificate-identity`. Second, verify by digest rather than by tag where you can: a tag can be re-pointed at a different image after the check has passed, while a digest cannot.
Summary
By signing container images with Cosign in keyless mode and verifying them against the workflow identity in the Fulcio certificate, you can enhance the security of your software supply chain. This approach eliminates the need to manage long-lived signing keys and, when the identity check is exact and the image is verified by digest, ensures that only images built by the workflows you trust are deployed. Signing images is a critical step in securing your applications, and with tools like Cosign it’s easier than ever to integrate this into your CI/CD pipelines.