Dummy repo to test signing container images using sigstore.
The Github action defined in oci.yml builds a container image with the dummy Go application, pushes it to harbor.nbfc.io and signs it using cosign. The signing process is performed in keyless mode utilizing the OIDC token provided by the Github workflow run. Some optional annotations are passed to provide supplementary details for the container image.
For basic verification:
cosign verify harbor.nbfc.io/nubificus/cosigntest:nbfc-0966adc \
--certificate-github-workflow-repository nubificus/cosigntest \
--certificate-identity "https://github.com/nubificus/cosigntest/.github/workflows/oci.yml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" For verification with additional details provided by GitHub:
cosign verify harbor.nbfc.io/nubificus/cosigntest:nbfc-0966adc \
--certificate-github-workflow-repository nubificus/cosigntest \
--certificate-identity "https://github.com/nubificus/cosigntest/.github/workflows/oci.yml@refs/heads/main" \
--certificate-github-workflow-name "OCI image push" \
--certificate-github-workflow-ref refs/heads/main \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"For verification with our custom annotations:
cosign verify harbor.nbfc.io/nubificus/cosigntest:nbfc-0966adc \
--certificate-github-workflow-repository nubificus/cosigntest \
--certificate-identity "https://github.com/nubificus/cosigntest/.github/workflows/oci.yml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" /
-a 'author=Nubificus LTD'For verification using wildcards:
cosign verify harbor.nbfc.io/nubificus/cosigntest:nbfc-0966adc \
--certificate-identity-regexp="^https:\/\/github\.com\/nubificus\/" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-a 'author=Nubificus LTD'For verification in Kubernetes clusters we could use a policy controller.
Then we can create a new policy:
apiVersion: v1
kind: Namespace
metadata:
labels:
policy.sigstore.dev/include: "true"
kubernetes.io/metadata.name: test-policy
name: test-policy
spec:
finalizers:
- kubernetesAnd add your cluster image policy:
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
name: nbfc-policy
spec:
authorities:
- keyless:
identities:
- issuer: https://token.actions.githubusercontent.com
subjectRegExp: https://github.com/nubificus/.*/.github/workflows/*@*
url: https://fulcio.sigstore.dev
name: authority-0
images:
- glob: '**'
mode: enforce{"apiVersion":"policy.sigstore.dev/v1beta1","kind":"ClusterImagePolicy","metadata":{"annotations":{},"name":"nbfc-policy"},"spec":{"authorities":[{"keyless":{"identities":[{"issuer":"https://token.│·····
actions.githubusercontent.com","subjectRegExp":"https://github.com/nubificus/.*/.github/workflows/*@*"}]}}],"images":[{"glob":"**"}]}}