
Signing images

You can sign images and verify signatures with cosign.

To install cosign on a Mac or Linux system:

brew install cosign

Example

cosign does not shell out to docker, but it reads registry credentials from the same config file that docker login writes (~/.docker/config.json, or the credential helper configured there), so sign in to the opcr.io registry with docker first. Use your GitHub account name as the user name and a GitHub personal access token (PAT) as the password. Note that without a credential helper, docker login stores the PAT base64-encoded, not encrypted, in that config file.

$ docker login -u <GitHub-account> opcr.io
Password:
Login Succeeded

Initialize cosign

Initialize cosign and create a key pair. The private key is written to cosign.key, encrypted with the password you enter; keep the key file and its password out of source control and out of any image. Only cosign.pub needs to be handed to whoever verifies your images:

$ cosign init
$ cosign generate-key-pair
Enter password for private key:
Enter again:
Private key written to cosign.key
Public key written to cosign.pub

Signing an image

note

You can only sign images that have already been pushed to an OCI-compliant registry, because the signature is stored in the registry next to the image. If you haven't yet, run policy push on your policy image before signing it.

Sign the container image using the private key (newer cosign releases spell the flag --key):

$ cosign sign -key cosign.key registry.prod.aserto.com/omrigazitt1/peoplefinder:1.0.0
Enter password for private key:
Pushing signature to: registry.prod.aserto.com/omrigazitt1/peoplefinder:sha256-05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481.sig

The signature is pushed to the same repository as a separate tag named after the manifest digest (sha256-<digest>.sig), so the account you logged in with needs push access to that repository. The signature covers the manifest digest, not the 1.0.0 tag: if the tag is later moved to a different image, that image will not verify.

Verifying the signature

Verify the signature using the public key. cosign exits with a non-zero status if no valid signature is found, so the command can be used directly as a gate in a script or CI job:

$ cosign verify -key cosign.pub registry.prod.aserto.com/omrigazitt1/peoplefinder:1.0.0

Verification for registry.prod.aserto.com/omrigazitt1/peoplefinder:1.0.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
[{"critical":{"identity":{"docker-reference":"registry.prod.aserto.com/omrigazitt1/peoplefinder"},"image":{"docker-manifest-digest":"sha256:05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481"},"type":"cosign container image signature"},"optional":null}]

The JSON array at the end contains one entry per signature that verified. Its docker-manifest-digest is the manifest digest the signature actually covers, and docker-reference is the repository the signer committed to. Since tags are mutable, deploy the image by that digest (repository@sha256:...) rather than by the tag you verified, and check that the docker-reference matches the repository you expect, so that a signature made for a copy of the image in another repository is not accepted.
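The following is an added example, not cosign's or Aserto's code, showing how a deploy script can consume the payload array above rather than stopping at the command's exit status. It takes the `cosign verify` output, checks that a verified signature names the expected repository, optionally checks the digest against one a deployment manifest already pins, and returns the digest-pinned reference to run. The page's own payload is embedded as sample input; the second payload (a signature for the same bytes pushed under another repository) and the script name `gate.py` are constructed for the example.

```python
"""Gate a deployment on what `cosign verify` actually verified.

Example added here; it is not cosign's or Aserto's code. It assumes the
payload format shown on this page: `cosign verify` prints a JSON array
with one entry per valid signature, where
critical.image.docker-manifest-digest is the manifest digest the
signature covers and critical.identity.docker-reference is the
repository the signer claimed. Tags are mutable, so the safe move is to
take the digest out of the verified payload and run the image by digest.
"""
import json
import re
import sys

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
COSIGN_TYPE = "cosign container image signature"

# Payload copied from the `cosign verify` output shown on this page.
PAGE_PAYLOAD = (
    '[{"critical":{"identity":{"docker-reference":'
    '"registry.prod.aserto.com/omrigazitt1/peoplefinder"},'
    '"image":{"docker-manifest-digest":'
    '"sha256:05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481"},'
    '"type":"cosign container image signature"},"optional":null}]'
)

# Constructed payload (not from the page): the same bytes re-pushed under
# another repository and signed there. A valid signature for that repository
# must not satisfy a check for omrigazitt1/peoplefinder.
OTHER_REPO_PAYLOAD = PAGE_PAYLOAD.replace("omrigazitt1/", "someone-else/")


class VerificationMismatch(Exception):
    """The verified payloads do not cover the image we intend to run."""


def parse_verify_output(text):
    """Return the payload list from cosign's stdout.

    The JSON array is printed on a single line. In the cosign versions I
    know the summary lines go to stderr, but if they end up in the same
    capture they are skipped here rather than breaking the parse.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("["):
            continue
        try:
            payloads = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(payloads, list):
            return payloads
    raise VerificationMismatch("no cosign payload array found in verify output")


def pinned_reference(verify_output, expected_repo, expected_digest=None):
    """Return `<repo>@sha256:<digest>` for the image the signatures cover.

    expected_repo must equal the docker-reference the signer committed to;
    if expected_digest is given (say, the digest a deploy manifest already
    pins) the verified digest must match it as well. Raises
    VerificationMismatch otherwise, so a caller can exit non-zero on it.
    """
    digests = set()
    for payload in parse_verify_output(verify_output):
        critical = payload.get("critical", {})
        if critical.get("type") != COSIGN_TYPE:
            continue  # not an image signature payload
        if critical.get("identity", {}).get("docker-reference") != expected_repo:
            continue  # signature made for a different repository
        digest = critical.get("image", {}).get("docker-manifest-digest", "")
        if DIGEST_RE.fullmatch(digest):
            digests.add(digest)
    if not digests:
        raise VerificationMismatch(f"no image signature for {expected_repo}")
    if len(digests) > 1:
        raise VerificationMismatch(f"signatures disagree on the digest: {sorted(digests)}")
    digest = digests.pop()
    if expected_digest is not None and digest != expected_digest:
        raise VerificationMismatch(f"signed digest {digest} != expected {expected_digest}")
    return f"{expected_repo}@{digest}"


if __name__ == "__main__":
    # Usage: cosign verify -key cosign.pub REPO:TAG | python3 gate.py REPO
    try:
        print(pinned_reference(sys.stdin.read(), sys.argv[1]))
    except VerificationMismatch as err:
        sys.exit(f"refusing to deploy: {err}")
```

Piping `cosign verify` into this script and running whatever reference it prints means the image that is started is exactly the manifest the signature was checked against, even if someone retags 1.0.0 between the verify step and the deploy step.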