Security/Container/Cosign: Difference between revisions
| Line 20: | Line 20: | ||
==Cosign » Sign & Push== | ==Cosign » Sign & Push== | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
cat << | echo -n 'Password: ';read -s COSIGN_PASSWORD;export COSIGN_PASSWORD;echo | ||
# Password: sadaqah! | |||
cat << EXE | bash | |||
DOCKER_IMAGE_TAG='1.27' | DOCKER_IMAGE_TAG='1.27' | ||
DOCKER_IMAGE_NAME='nginx' | DOCKER_IMAGE_NAME='nginx' | ||
| Line 28: | Line 31: | ||
# docker » image » sign & push | # docker » image » sign & push | ||
cosign sign -y --key cosign.key ${DOCKER_IMAGE_PATH} | cosign sign -y --key ${HOME}/.config/cosign/cosign.key ${DOCKER_IMAGE_PATH} | ||
# docker » image » sign » extract & push | # docker » image » sign » extract & push | ||
DOCKER_IMAGE_HASH="$(docker inspect ${DOCKER_IMAGE_PATH}|jq -r ${DOCKER_QUERY_PATH})" | DOCKER_IMAGE_HASH="$(docker inspect ${DOCKER_IMAGE_PATH}|jq -r ${DOCKER_QUERY_PATH})" | ||
cosign sign -y --key cosign.key ${DOCKER_IMAGE_REPO}/${DOCKER_IMAGE_HASH} | cosign sign -y --key ${HOME}/.config/cosign/cosign.key ${DOCKER_IMAGE_REPO}/${DOCKER_IMAGE_HASH} | ||
EXE | EXE | ||
</syntaxhighlight> | </syntaxhighlight> | ||
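Review bot: The new `cat << EXE | bash` on the right side of the first hunk uses an unquoted heredoc delimiter, so every `${DOCKER_…}` reference and the `$(docker inspect …)` substitution are expanded by the interactive shell — where those variables are not yet set — before the inner bash ever sees the assignments, and both `cosign sign` calls end up with an empty image reference; the delimiter should be quoted, `cat <<'EXE' | bash`, as the install snippet later on this page already does. The comment added alongside the `read -s` line records the actual key passphrase in the page; a placeholder such as `# Password: <key passphrase, entered at the prompt>` keeps the example usable without publishing the secret that protects `cosign.key`. The exported COSIGN_PASSWORD also stays in the session after the heredoc finishes, so an `unset COSIGN_PASSWORD` after the closing `EXE` would limit how long it is inherited by child processes.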
Revision as of 15:40, 26 June 2025
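cat <<'EXE'| sudo bash
# Install the pinned cosign release into /usr/local/bin.
# The binary comes off the network and is then run as root, so its SHA-256 is
# checked against the digest published with the release before it is installed;
# the placeholder below must be replaced with that value or the install stops.
# NOTE: under sudo, HOME may resolve to root's home (depends on sudoers); the
# download and install steps use the same value, so they stay consistent.
set -euo pipefail
COSIGN_VERSION='v2.5.0'
COSIGN_URL="https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
COSIGN_SHA256='<EXPECTED_SHA256_FROM_RELEASE_PAGE>'   # placeholder — fill in
COSIGN_DL="${HOME}/Downloads/cosign-linux-amd64"
wget -cq "${COSIGN_URL}" -P "${HOME}/Downloads"
# sha256sum -c exits non-zero on mismatch, which aborts under set -e
printf '%s  %s\n' "${COSIGN_SHA256}" "${COSIGN_DL}" | sha256sum -c - >/dev/null
# install(1) copies and sets the mode in one step (mv + chmod left a window
# with the wrong mode); the download is removed only after a successful install
install -m 0755 -- "${COSIGN_DL}" /usr/local/bin/cosign
rm -f -- "${COSIGN_DL}"
cosign version
cosign --help
EXE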
Cosign » Generate » Keys
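# Generate the cosign key pair and move it under ~/.config/cosign.
# cosign generate-key-pair prompts for a passphrase and writes cosign.key and
# cosign.pub into the current directory.
mkdir -p "${HOME}/.config/cosign"
chmod 700 "${HOME}/.config/cosign"
cosign generate-key-pair
# mv replaces the original rsync + rm -rf: same end state (files live only in
# the config dir), without a copy lingering in the working directory
mv -- ./cosign.key ./cosign.pub "${HOME}/.config/cosign/"
# the private key is read only by this user
chmod 600 "${HOME}/.config/cosign/cosign.key"
ls -lah "${HOME}/.config/cosign/"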
Cosign » Sign & Push
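# Read the key passphrase from the terminal into COSIGN_PASSWORD, which cosign
# reads from the environment; -r keeps backslashes literal, -s hides the input.
# The passphrase is typed at the prompt and is not recorded in this file.
printf 'Password: '; IFS= read -rs COSIGN_PASSWORD; export COSIGN_PASSWORD; printf '\n'
# Quoted delimiter: the assignments and substitutions below are expanded by the
# inner bash, not by the interactive shell (where DOCKER_* are unset and the
# unquoted form produced empty image references).
cat <<'EXE' | bash
set -euo pipefail
DOCKER_IMAGE_TAG='1.27'
DOCKER_IMAGE_NAME='nginx'
DOCKER_QUERY_PATH='.[0].RepoDigests[0]'
DOCKER_IMAGE_REPO='harbor.chorke.org/academia'
DOCKER_IMAGE_PATH="${DOCKER_IMAGE_REPO}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}"
COSIGN_KEY="${HOME}/.config/cosign/cosign.key"
# docker » image » sign & push (by tag)
cosign sign -y --key "${COSIGN_KEY}" "${DOCKER_IMAGE_PATH}"
# docker » image » sign » extract & push (by digest)
# RepoDigests entries already carry the repository (<repo>/nginx@sha256:…), so
# the entry is signed as-is rather than being prefixed with DOCKER_IMAGE_REPO
# a second time.
DOCKER_IMAGE_HASH="$(docker inspect "${DOCKER_IMAGE_PATH}" | jq -r "${DOCKER_QUERY_PATH}")"
if [[ -z "${DOCKER_IMAGE_HASH}" || "${DOCKER_IMAGE_HASH}" == 'null' ]]; then
  printf 'no RepoDigest found for %s\n' "${DOCKER_IMAGE_PATH}" >&2
  exit 1
fi
cosign sign -y --key "${COSIGN_KEY}" "${DOCKER_IMAGE_HASH}"
EXE
# the passphrase is no longer needed by this shell or its children
unset COSIGN_PASSWORD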
Playground
# Playground: generate a key pair, then the usual sanity checks, one call each.
for cosign_arg in generate-key-pair version --help; do
  cosign "${cosign_arg}"
done
# Sign three nginx tags without --key (cosign's keyless flow), one call per tag.
nginx_repo='harbor.chorke.org/academia/nginx'
for nginx_tag in 1.27-alpine-slim alpine 1.27; do
  cosign sign -y "${nginx_repo}:${nginx_tag}"
done
# Sign the same three nginx tags with the local cosign.key, one call per tag.
nginx_repo='harbor.chorke.org/academia/nginx'
for nginx_tag in 1.27-alpine-slim alpine 1.27; do
  cosign sign -y --key cosign.key "${nginx_repo}:${nginx_tag}"
done
# Show the image's RepoDigests: the first entry, then every entry.
nginx_ref='harbor.chorke.org/academia/nginx:1.27-alpine-slim'
docker inspect "${nginx_ref}" | jq -r '.[0].RepoDigests[0]'
docker inspect "${nginx_ref}" | jq -r '.[0].RepoDigests[ ]'
References