Cosign用来为容器签名(Signing)、验证(Verification)和在 OCI Registry 存储
介绍
Cosign的目的是使签名成为无形的基础设施。
安装
go install github.com/sigstore/cosign/cmd/cosign@latest
wget "https://github.com/sigstore/cosign/releases/download/v1.6.0/cosign-linux-amd64"
mv cosign-linux-amd64 /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
Redhat/CentOS
# rpm
wget "https://github.com/sigstore/cosign/releases/download/v1.6.0/cosign-1.6.0.x86_64.rpm"
rpm -ivh cosign-1.6.0.x86_64.rpm
Ubuntu
# dkpg
wget "https://github.com/sigstore/cosign/releases/download/v1.6.0/cosign_1.6.0_amd64.deb"
dpkg -i cosign_1.6.0_amd64.deb
Mac
brew install cosign
Help
$ cosign --help
A tool for Container Signing, Verification and Storage in an OCI registry.
Usage:
cosign [command]
Available Commands:
attach Provides utilities for attaching artifacts to other artifacts in a registry
attest Attest the supplied container image.
clean Remove all signatures from an image.
completion Generate completion script
copy Copy the supplied container image and signatures.
dockerfile Provides utilities for discovering images in and performing operations on Dockerfiles
download Provides utilities for downloading artifacts and attached artifacts in a registry
env Prints Cosign environment variables
generate Generates (unsigned) signature payloads from the supplied container image.
generate-key-pair Generates a key-pair.
help Help about any command
import-key-pair Imports a PEM-encoded RSA or EC private key.
initialize Initializes SigStore root to retrieve trusted certificate and key targets for verification.
load Load a signed image on disk to a remote registry
login Log in to a registry
manifest Provides utilities for discovering images in and performing operations on Kubernetes manifests
policy subcommand to manage a keyless policy.
public-key Gets a public key from the key-pair.
save Save the container image and associated signatures to disk at the specified directory.
sign Sign the supplied container image.
sign-blob Sign the supplied blob, outputting the base64-encoded signature to stdout.
tree Display supply chain security related artifacts for an image such as signatures, SBOMs and attestations
triangulate Outputs the located cosign image reference. This is the location cosign stores the specified artifact type.
upload Provides utilities for uploading artifacts to a registry
verify Verify a signature on the supplied container image
verify-attestation Verify an attestation on the supplied container image
verify-blob Verify a signature on the supplied blob
version Prints the version
Flags:
-h, --help help for cosign
--output-file string log output to a file
-t, --timeout duration timeout for commands (default 3m0s)
-d, --verbose log debug output
Additional help topics:
cosign piv-tool This cosign was not built with piv-tool support!
cosign pkcs11-tool This cosign was not built with pkcs11-tool support!
Use "cosign [command] --help" for more information about a command.
使用
Generate a keypair
$ cosign generate-key-pair
Enter password for private key:
Enter password for private key again:
Private key written to cosign.key
Public key written to cosign.pub
Sign a container and store the signature in the registry
$ cosign sign --key cosign.key xiexianbin/nettools:1
Enter password for private key:
Pushing signature to: index.docker.io/xiexianbin/nettools
Verify a container against a public key
$ cosign verify --key cosign.pub index.docker.io/xiexianbin/nettools:1 | jq .
Verification for index.docker.io/xiexianbin/nettools:1 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[
{
"critical": {
"identity": {
"docker-reference": "index.docker.io/xiexianbin/nettools"
},
"image": {
"docker-manifest-digest": "sha256:aac519b2ee85b092f729185c267357f97f298783ce2f698a383607fab4155cbf"
},
"type": "cosign container image signature"
},
"optional": null
}
]
其他
- 也可以支持其他 Artifacts 的签名
cosign sign-blob
- cosign 支持和 KMS 以前签署和验证,如 Hashicorp Vault