Security/Container/Cosign

From Chorke Wiki
Jump to navigation Jump to search 
cat <<'EXE'| sudo bash
wget -cq https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64 -P ${HOME}/Downloads
mv ${HOME}/Downloads/cosign-linux-amd64 /usr/local/bin/cosign
                               chmod +x /usr/local/bin/cosign
cosign version
cosign --help
EXE

Cosign » Generate » Keys

cosign generate-key-pair
             mkdir -p ${HOME}/.config/cosign/
rsync -avz ./cosign.* ${HOME}/.config/cosign/
             ls -lah  ${HOME}/.config/cosign/

Cosign » Sign & Push

cat <<'EXE'| bash
DOCKER_IMAGE_TAG='1.27'
DOCKER_IMAGE_NAME='nginx'
DOCKER_QUERY_PATH='.[0].RepoDigests[0]'
DOCKER_IMAGE_REPO='harbor.chorke.org/academia'
DOCKER_IMAGE_PATH="${DOCKER_IMAGE_REPO}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}"

# docker » image » sign & push
cosign sign -y --key cosign.key ${DOCKER_IMAGE_PATH}

# docker » image » sign » extract & push
DOCKER_IMAGE_HASH="$(docker inspect ${DOCKER_IMAGE_PATH}|jq -r ${DOCKER_QUERY_PATH})"
cosign sign -y --key cosign.key ${DOCKER_IMAGE_REPO}/${DOCKER_IMAGE_HASH}
EXE

Playground

cosign generate-key-pair
cosign version
cosign --help

cosign sign -y harbor.chorke.org/academia/nginx:1.27-alpine-slim
cosign sign -y harbor.chorke.org/academia/nginx:alpine
cosign sign -y harbor.chorke.org/academia/nginx:1.27

cosign sign -y --key cosign.key harbor.chorke.org/academia/nginx:1.27-alpine-slim
cosign sign -y --key cosign.key harbor.chorke.org/academia/nginx:alpine
cosign sign -y --key cosign.key harbor.chorke.org/academia/nginx:1.27

docker inspect harbor.chorke.org/academia/nginx:1.27-alpine-slim|jq -r '.[0].RepoDigests[0]'
docker inspect harbor.chorke.org/academia/nginx:1.27-alpine-slim|jq -r '.[0].RepoDigests[ ]'

References
Retrieved from "https://wiki.chorke.org/index.php?title=Security/Container/Cosign&oldid=15107"