cosign.md

$ COSIGN_EXPERIMENTAL=1 cosign sign k8s.gcr.io/kube-apiserver-amd64:v1.24.0 --output-signature foo.sig --upload=false --output-certificate foo.pem
Generating ephemeral keys...
 Retrieving signed certificate...
error opening browser: exit status 3
Go to the following link in a browser:

         https://oauth2.sigstore.dev/auth/.....
Enter verification code: ........
Successfully verified SCT...
tlog entry created with index: 2301486
using ephemeral certificate:
-----BEGIN CERTIFICATE-----
MIICEzCCAZigAwIBAgITcJBx6qDZ6gROSlRgfUO9Lz6AfzAKBggqhkjOPQQDAzAq
MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIy
MDUxMDE4MjMyMFoXDTIyMDUxMDE4MzMxOVowADBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABFHPuz1DoV7Bkl7fO127YuRYZVe0q4bdR4CexIe2k/hh4AwhN5w99ZQg
ew/HgJ6b2naCzy4ls8htXwdHscVHRVKjgcYwgcMwDgYDVR0PAQH/BAQDAgeAMBMG
A1UdJQQMMAoGCCsGAQUFBwMDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMJ7WZbF
FqZOkC2hwwPj4EYtdKaaMB8GA1UdIwQYMBaAFFjAHl+RRaVmqXrMkKGTItAqxcX6
MCAGA1UdEQEB/wQWMBSBEm1vc3MuMTI3QGdtYWlsLmNvbTAsBgorBgEEAYO/MAEB
BB5odHRwczovL2dpdGh1Yi5jb20vbG9naW4vb2F1dGgwCgYIKoZIzj0EAwMDaQAw
ZgIxAM+R7fF8VTn4F2pHh6eHSr4MW2CkmhFGAwurtvTdYz5TThVYmCWCqFaJT5y7
uWqv9wIxAL/Z+y+FXkWu95+EZAzRQaD5uKeaSyOtqJ7rHeEbg6yGFgp45P1/Qgpj
gRPdmqLLKg==
-----END CERTIFICATE-----

Certificate wrote in the file foo.pem

$ cosign verify k8s.gcr.io/kube-apiserver-amd64:v1.24.0 --signature foo.sig --cert foo.pem

Verification for k8s.gcr.io/kube-apiserver-amd64:v1.24.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"k8s.gcr.io/kube-apiserver-amd64"},"image":{"docker-manifest-digest":"sha256:c4b8eeef9a18fb047192dc0489de1106b111d2a5c515e3800ee198c5a36f4ed0"},"type":"cosign container image signature"},"optional":null}]