Skip to content

Instantly share code, notes, and snippets.

@qjoly

qjoly/COSIGN.MD

Last active August 18, 2024 22:50
Show Gist options
  • Save qjoly/d0fe88f07fc253012add015244b49c62 to your computer and use it in GitHub Desktop.
Save qjoly/d0fe88f07fc253012add015244b49c62 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
COSIGN.MD

I have many Docker images to maintain (mostly personal projects) but I have no way of verifying the authenticity of my images. To add an extra layer of security, I decided to POC the use of Cosign.

There are many alternatives, but some require the maintenance of a key management server or are just less popular than Cosign.

Requirements

Generate a cosign signature

  1. Build your Docker image.
docker build -t harbor.coffee.internal/app:v1.0.0 .
  1. Generate certificates for Cosign.
cosign generate-key-pair

Enter password for private key: 
Enter password for private key again: 
Private key written to cosign.key
Public key written to cosign.pub

You'll get 2 files (cosign.key and cosign.pub), one to create the signatures, the other for your users to check the authenticity of the signatures.

You can use the public registry rekor.sigstore.dev to avoid having to generate the signature and private key. But in my case: I prefer to handle this part myself.

  1. Get the digest of the image :
docker inspect harbor.coffee.internal/app:v1.0.0 | jq -r '.[0].RepoDigests[0]'

harbor.coffee.internal/app:v1.0.0@sha256:334e64b05ac2ba711cf63b8814e10148db26d525f0a847020630b484bb6ef30c
  1. Generate and push the signature
sudo cosign sign harbor.coffee.internal/app:v1.0.0@sha256:334e64b05ac2ba711cf63b8814e10148db26d525f0a847020630b484bb6ef30c

Cosign will generate an OCI artifact with the same image name, but using the digest shasum as tag

In this example, the artifact generated and pushed is as follows : harbor.coffee.internal/app:sha256:334e64b05ac2ba711cf63b8814e10148db26d525f0a847020630b484bb6ef30c.sig

Verify an image

As a user, I need to retrieve the cosign.pub file to check that the signature has been generated with the correct cosign.key file (which I don't have access to).

sudo cosign verify --private-infrastructure --key cosign.pub harbor.coffee.internal/app:v1.0.0

Verification for harbor.coffee.internal/app:v1.0.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"harbor.coffee.internal/app"},"image":{"docker-manifest-digest":"sha256:334e64b05ac2ba711cf63b8814e10148db26d525f0a847020630b484bb6ef30c"},"type":"cosign container image signature"},"optional":null}]

Since I'm not using the sigstore registry (rektor), I need to specify the --private-infrastructure argument.

Using Github Action

To generate signatures directly from Github Action, we need to generate the cosign.key and cosign.pub files ourselves (via cosign generate-key-pair).

We also need to create the following secrets:

  • COSIGN_PRIVATE corresponding to the cosign.key file.
  • COSIGN_PASSWORD containing the password for the private key.
      - name: Building Image
        run: |
          docker build -t ghcr.io/une-tasse-de-cafe/app:latest -f ./Dockerfile.app .

      - name: Install Cosign
        uses: sigstore/[email protected]
        with:
          cosign-release: 'v2.4.0'

      - name: Generate signature artifact
        run: |
            cosign sign --key env://COSIGN_PRIVATE ghcr.io/une-tasse-de-cafe/app:latest
        shell: bash
        env:
          COSIGN_PRIVATE: ${{secrets.COSIGN_PRIVATE}}
          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}

Further information

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment