Sign images using cosign #1891

MindTooth · 2024-02-15T10:56:10Z

MindTooth
Feb 15, 2024

We should look into signing the container images using cosign: https://github.com/sigstore/cosign

I've now testing myself using https://github.com/sigstore/cosign-installer inside a pipeline and it seems to work okay. I just need to get the hang of it a bit more.

Is that something that I should look closer on how to implement for pwpush?

Example project: https://github.com/MindTooth/cosign-test/

Valid signature:

cosign verify ghcr.io/mindtooth/cosign-test:main --key cosign.pub | jq

Verification for ghcr.io/mindtooth/cosign-test:main --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key
[
  {
    "critical": {
      "identity": {
        "docker-reference": "ghcr.io/mindtooth/cosign-test"
      },
      "image": {
        "docker-manifest-digest": "sha256:b09807efe3855532c02d6906473adaae49b3f75d3e59b5f26fe356dde73fc5d2"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEUCIQCaHs4d5udEMg4CEQ4aOdliNGS1NraH38sOsL/JBsvSqAIgJT5Z5Mv6jsQDtEwa95B8UxaIurI514We2IGYyTPtppQ=",
        "Payload": {
          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJiNzgxNjcxM2ZlNjg4NmU3N2JmMmIyYTg3YTkzOWY4MWMwYjVjYjUxOGNiYTE4ZjNjNTNhMWE2YTVmOTA1OTAwIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJQTE5VUpoVjJUU2xIdzVIOXlMaEJGV0FwampJMEFLbW9mbzFGWDNzWjJIM0FpRUF2Q3dENG0zaGYwSjdKeG81ejhhcGlQQnBYZjhNeVRFYTNVNU0vNVpmWjNvPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGYW1oelpWaGFNMUIxVEhkcFEwRlJkekEwU2twQ01uWkliakU1TlFvNU9VWTBSVXM0YW1oamNVZ3ZUQ3N5U2tGWU1pdGhkSHBuWWtaM1IxRnRja3hOUlZwMllsVm9VM0J4ZGs1dFJrOTNjMEZ2VDBOcWNrcEJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=",
          "integratedTime": 1707991141,
          "logIndex": 71552679,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      }
    }
  }
]

pglombardo · 2024-02-20T21:05:06Z

pglombardo
Feb 20, 2024
Maintainer

That looks slick @MindTooth but let's hold on this for now - we haven't had any requests for it and I don't have the bandwidth to learn it lately. :-)

Still I like the idea of signed/official containers.

I'm happy that pwpush has been growing in popularity but I'm struggling a bit to keep up over the last month. Can we revisit this in a few months?

1 reply

MindTooth Feb 20, 2024
Author

Of course. We do it when you feel up for it. 😊 If I can help in anyway, please let me know.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sign images using cosign #1891

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Sign images using cosign #1891

MindTooth Feb 15, 2024

Replies: 1 comment · 1 reply

pglombardo Feb 20, 2024 Maintainer

MindTooth Feb 20, 2024 Author

MindTooth
Feb 15, 2024

Replies: 1 comment 1 reply

pglombardo
Feb 20, 2024
Maintainer

MindTooth Feb 20, 2024
Author