Security/Container/Cosign: Difference between revisions

Latest revision as of 00:24, 27 June 2025

cat <<'EXE'| sudo bash
wget -cq https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64 -P ${HOME}/Downloads
mv ${HOME}/Downloads/cosign-linux-amd64 /usr/local/bin/cosign
                               chmod +x /usr/local/bin/cosign
cosign version
cosign --help
EXE

Cosign » Generate » Keys

echo -n 'Password: ';read -s COSIGN_PASSWORD;export COSIGN_PASSWORD;echo
# Password: sadaqah!

cosign generate-key-pair
mkdir -p ${HOME}/.config/cosign
rsync -avz ./cosign.{key,pub} ${HOME}/.config/cosign/
    rm -rf ./cosign.{key,pub}
ls -lah  ${HOME}/.config/cosign/

Cosign » Sign & Push

echo -n 'Password: ';read -s COSIGN_PASSWORD;export COSIGN_PASSWORD;echo
# Password: sadaqah!

cat << EXE | bash
DOCKER_IMAGE_TAG='1.27'
DOCKER_IMAGE_NAME='nginx'
DOCKER_QUERY_PATH='.[0].RepoDigests[0]'
DOCKER_IMAGE_REPO='harbor.chorke.org/academia'
DOCKER_IMAGE_PATH="${DOCKER_IMAGE_REPO}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}"

docker push ${DOCKER_IMAGE_PATH} 2>&1 | tail -n 1
# docker » image » extract digest » sign by digest » push signature
DOCKER_IMAGE_HASH="$(docker inspect ${DOCKER_IMAGE_PATH}|jq -r ${DOCKER_QUERY_PATH})"
cosign sign -a 'signed-by=info@chorke.org' -y --key ${HOME}/.config/cosign/cosign.key ${DOCKER_IMAGE_REPO}/${DOCKER_IMAGE_HASH} 2>&1 | tail -n 1
EXE

Playground

cosign generate-key-pair cosign version cosign --help	cosign sign -y harbor.chorke.org/academia/nginx:1.27-alpine-slim cosign sign -y harbor.chorke.org/academia/nginx:alpine cosign sign -y harbor.chorke.org/academia/nginx:1.27

cosign sign -y --key cosign.key harbor.chorke.org/academia/nginx:1.27-alpine-slim cosign sign -y --key cosign.key harbor.chorke.org/academia/nginx:alpine cosign sign -y --key cosign.key harbor.chorke.org/academia/nginx:1.27

docker inspect harbor.chorke.org/academia/nginx:1.27-alpine-slim\|jq -r '.[0].RepoDigests[0]' docker inspect harbor.chorke.org/academia/nginx:1.27-alpine-slim\|jq -r '.[0].RepoDigests[ ]'

References

Security » Container » Signing » Sigstore » Rekor Security » Container » Signing » Cosign » Install Security » Container » Signing » Sigstore Security » Container » Signing » Cosign Security » Container » Signing

Security » HTTP » Basic Authentication Security » OpenLDAP » BackSQL Security » Certificate » TLS Security » Certificate Security » Password Security » ZA Proxy Security » Domain Security » Spring Security » HTTP Security » Java	Security » SSH » Public Key Authentication Security » Container » Trivy Security » Container » Snyk

Kubernetes Multipass Minikube Podman Vagrant Docker Qemu Helm K9s K8s	LXC » Alpine » Apache » PHP LXC » Alpine » Nginx » PHP LXC » Logrotate » Redhat Terraform Proxmox Kubectl Ansible CIDR UFW LXC	PostgreSQL » PgBouncer PostgreSQL » PgLoader Docker/Compose/SFTP PostgreSQL Git

@@ Line 36: / Line 36: @@
 # docker » image » extract digest » sign by digest » push signature
 DOCKER_IMAGE_HASH="$(docker inspect ${DOCKER_IMAGE_PATH}|jq -r ${DOCKER_QUERY_PATH})"
-cosign sign -y -a 'signed-by=info@chorke.org' --key ${HOME}/.config/cosign/cosign.key ${DOCKER_IMAGE_REPO}/${DOCKER_IMAGE_HASH} 2>&1 | tail -n 1
+cosign sign -a 'signed-by=info@chorke.org' -y --key ${HOME}/.config/cosign/cosign.key ${DOCKER_IMAGE_REPO}/${DOCKER_IMAGE_HASH} 2>&1 | tail -n 1
 EXE
 </syntaxhighlight>
@@ Line 82: / Line 82: @@
 |-
 |valign='top'|
-<syntaxhighlight lang="yaml">
+<syntaxhighlight lang="bash">
 </syntaxhighlight>
 |valign='top'|
-<syntaxhighlight lang="yaml">
+<syntaxhighlight lang="bash">
 </syntaxhighlight>

Security/Container/Cosign: Difference between revisions

Latest revision as of 00:24, 27 June 2025

Contents

Cosign » Generate » Keys

Cosign » Sign & Push

Playground

References

Navigation menu

Security/Container/Cosign: Difference between revisions

Latest revision as of 00:24, 27 June 2025

Cosign » Generate » Keys

Cosign » Sign & Push

Playground

References

Navigation menu

Search