# Signing images

You can sign images and verify signatures with cosign.

To install cosign on a Mac or Linux system:

```shell
brew install cosign
```

## Example

Since cosign uses docker under the hood, you have to sign in to the opcr.io registry using docker. Use your GitHub personal access token (PAT) as your password.

```shell
$ docker login -u <GitHub-account> opcr.io
Password:
Login Succeeded
```

## Initialize cosign

Initialize cosign and create a key pair:

```shell
$ cosign init
$ cosign generate-key-pair
Enter password for private key:
Enter again:
Private key written to cosign.key
Public key written to cosign.pub
```

## Signing an image

> **Note:** You can only sign images that have been pushed to an OCI-compliant registry. If you haven't yet, issue a `policy push` on your policy image before signing it.

Sign the container image using the private key:

```shell
$ cosign sign -key cosign.key registry.prod.aserto.com/omrigazitt1/peoplefinder:1.0.0
Enter password for private key:
Pushing signature to: registry.prod.aserto.com/omrigazitt1/peoplefinder:sha256-05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481.sig
```

## Verifying the signature

Verify the signature using the public key:

```shell
$ cosign verify -key cosign.pub registry.prod.aserto.com/omrigazitt1/peoplefinder:1.0.0

Verification for registry.prod.aserto.com/omrigazitt1/peoplefinder:1.0.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
[{"critical":{"identity":{"docker-reference":"registry.prod.aserto.com/omrigazitt1/peoplefinder"},"image":{"docker-manifest-digest":"sha256:05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481"},"type":"cosign container image signature"},"optional":null}]
```
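When verification is scripted (for example in a deploy pipeline), the JSON payload printed above is what the gate should inspect: the signature's `docker-reference` must name the repository you asked about, and its `docker-manifest-digest` must be the digest you are about to deploy, not merely some digest that was once signed. The following is an added example, not code from the original page or from the cosign project, that applies that check to a constructed copy of the output shown above; it assumes the payload shape `cosign verify` prints on success.

```python
import json
import re

# Constructed sample: the JSON array that `cosign verify` prints on success,
# shaped like the output shown above (same repository and digest).
SAMPLE_VERIFY_OUTPUT = (
    '[{"critical":{"identity":{"docker-reference":'
    '"registry.prod.aserto.com/omrigazitt1/peoplefinder"},'
    '"image":{"docker-manifest-digest":"sha256:05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481"},'
    '"type":"cosign container image signature"},"optional":null}]'
)

COSIGN_TYPE = "cosign container image signature"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def repo_of(image_ref: str) -> str:
    """Reduce an image reference to its repository: the signature payload's
    docker-reference carries no tag or digest, so that is what we compare."""
    ref = image_ref.split("@", 1)[0]            # drop any @sha256:... suffix
    last_slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > last_slash:                      # a ':' after the last '/' is a tag
        ref = ref[:colon]                       # (before it, it is a registry port)
    return ref


def signature_matches(verify_output: str, image_ref: str, expected_digest: str) -> bool:
    """True if at least one verified payload names the expected repository AND
    the manifest digest we intend to deploy. Raises ValueError on malformed
    input so that an automated gate fails closed rather than open."""
    if not DIGEST_RE.match(expected_digest):
        raise ValueError(f"not a sha256 manifest digest: {expected_digest!r}")
    payloads = json.loads(verify_output)
    if not isinstance(payloads, list) or not payloads:
        raise ValueError("cosign verify returned no signature payloads")
    want_repo = repo_of(image_ref)
    for payload in payloads:
        critical = payload["critical"]
        if critical.get("type") != COSIGN_TYPE:
            continue                            # not a container image signature
        if critical["identity"]["docker-reference"] != want_repo:
            continue                            # signed, but for a different image
        if critical["image"]["docker-manifest-digest"] == expected_digest:
            return True
    return False
```

Pin the expected digest from the manifest you resolved (or from the `.sig` tag printed by `cosign sign`), never from the tag alone, since a tag can be moved to an unsigned image after verification ran.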