Artefact signing with cosign
Requirements
- An OCI registry such as Gitea, zot or distribution.
Self-managed key pair
Generate a self-signed key pair
To generate a key pair with cosign, run cosign generate-key-pair. You will be prompted interactively for a password that encrypts the private key.
$ cosign generate-key-pair
Enter password for private key:
Enter again:
Private key written to cosign.key
Public key written to cosign.pub
Importing key pairs
Currently only RSA and ECDSA private keys in PEM format are supported.
To sign with a local key that was not generated by cosign, the key must be imported first. A key stored in a KMS does not need to be imported; it can be referenced directly by its resource name.
A key pair is imported into cosign as follows.
$ cosign import-key-pair --key opensslrsakey.pem
Enter password for private key:
Enter password for private key again:
Private key written to import-cosign.key
Public key written to import-cosign.pub
Logging in to a registry
To interact with the registry, cosign needs credentials:
cosign login $REGISTRY -u $USER -p $PASSWORD
Signing containers
Sign with a local key pair and without Rekor
This is a common use case that relies on traditional signing with a local key pair.
IMAGE should reference the image by digest rather than by tag, since the signature is bound to the hashed OCI artifact, not to a mutable tag. --tlog-upload=false skips the upload of the signature to the Rekor transparency log.
cosign sign --key cosign.key $IMAGE --tlog-upload=false
If you still need to generate local keys, do so by running cosign generate-key-pair.
Signing Helm charts
Helm charts must be pushed to the OCI registry with the helm command line, which first needs to log in:
helm registry login $REGISTRY
To push a Helm chart:
helm push $CHART oci://$REGISTRY/$PATH
The command returns a digest; use it to sign the chart with cosign.
cosign sign --key cosign.key $REGISTRY/$PATH@$HASH --tlog-upload=false
Blob signing
A blob may be either a plain file or a binary. Upload it to the registry first:
cosign upload blob -f $BLOB $REGISTRY/$PATH
The command outputs the full digest reference of the uploaded image; use it to sign the blob.
cosign sign --key cosign.key $REGISTRY/$PATH@$HASH --tlog-upload=false
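The image, Helm chart and blob cases above all end the same way: a digest printed by the push or upload command is turned into a $REGISTRY/$PATH@$HASH reference and handed to cosign sign. The helper script below is an added example, not part of the original page or of cosign itself: it extracts the sha256 digest from a tool's output, builds the immutable reference (dropping any tag), and refuses to sign a reference that is not pinned by digest. The function names (extract_digest, digest_ref, require_digest_ref, sign_digest_ref), the COSIGN_KEY and DO_SIGN variables and the sample helm push output are assumptions constructed for the example.

```shell
# Added example: pin cosign signing to an immutable digest reference.
# Function and variable names are this example's own, not cosign's.

# Print the first sha256 digest found in a tool's output (helm push,
# cosign upload blob and docker push all print one); fail if none is there.
extract_digest() {
  printf '%s\n' "$1" | grep -oE 'sha256:[0-9a-f]{64}' | head -n 1 | grep .
}

# Build REPO@DIGEST from a repository reference and a digest.
# Any tag or existing digest is dropped on purpose: a tag can be
# re-pointed after signing, a digest cannot. A registry port
# (localhost:5000/...) is left alone because only the last path
# element is inspected for a tag.
digest_ref() {
  repo="${1%%@*}"
  case "$repo" in
    */*) last="${repo##*/}"; repo="${repo%/*}/${last%%:*}" ;;
    *)   repo="${repo%%:*}" ;;
  esac
  printf '%s@%s\n' "$repo" "$2"
}

# Succeed only for references that end in a full sha256 digest.
require_digest_ref() {
  printf '%s\n' "$1" | grep -qE '@sha256:[0-9a-f]{64}$'
}

# Sign with a local key and no Rekor upload, exactly as on the page,
# but only after the digest check. COSIGN_KEY defaults to cosign.key.
sign_digest_ref() {
  if ! require_digest_ref "$1"; then
    echo "refusing to sign a reference that is not pinned by digest: $1" >&2
    return 1
  fi
  cosign sign --key "${COSIGN_KEY:-cosign.key}" "$1" --tlog-upload=false
}

# Constructed sample of `helm push` output (not captured from a real run).
HELM_OUT='Pushed: localhost:5000/charts/app:1.2.0
Digest: sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

DIGEST=$(extract_digest "$HELM_OUT")
REF=$(digest_ref "localhost:5000/charts/app:1.2.0" "$DIGEST")
echo "reference to sign: $REF"

# The real cosign call is only made when explicitly requested and the
# binary is present, so the script can be dry-run anywhere.
if [ "${DO_SIGN:-0}" = 1 ] && command -v cosign >/dev/null 2>&1; then
  sign_digest_ref "$REF"
fi
```

Run it as DO_SIGN=1 COSIGN_KEY=cosign.key sh sign-by-digest.sh after logging in to the registry; without DO_SIGN it only prints the reference it would sign. The same extract_digest call works on the reference printed by cosign upload blob, since that output also contains a sha256 digest.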
Exporting an artifact
To export an artifact, run the following command:
cosign save $REGISTRY/$PATH@$HASH --dir=$EXTRACT_PATH
The command writes an oci-layout image to $EXTRACT_PATH that contains both the artifact itself and its signature.
To transfer the artifact, it may be compressed into an archive:
tar czf artifact.tgz $EXTRACT_PATH
Verifying a signature
To verify the image, the public key (cosign.pub) must be transferred to the target out of band.
Locally
The artifact may be verified locally, before it is imported into a registry, once it has been decompressed:
tar xf artifact.tgz -C $IMPORT_PATH
cosign verify --key cosign.pub --local-image $IMPORT_PATH --insecure-ignore-tlog
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for $IMPORT_PATH --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
From the registry
cosign verify --key cosign.pub $REGISTRY/$PATH@$HASH --insecure-ignore-tlog
Importing an artifact
To import the artifact together with its signature into the registry, run:
cosign load --dir=$IMPORT_PATH $REGISTRY/$PATH