In this lab we will sign and verify containers using sigstore/cosign locally. The goal is to get familiar with the tooling and the process of signing and verifying containers.
We will push the images to ttl.sh, an ephemeral, unauthenticated registry that is convenient for testing. The image tag sets how long the image lives, e.g. "2h" = 2 hours; ttl.sh deletes the image after that, so anything you push there is for the duration of the workshop only.
Cosign is a tool for signing and verifying container images. It is developed by the sigstore project.
When you sign an image, cosign uploads the signature to the OCI registry as a separate artifact in the same repository, stored under a tag derived from the image digest (sha256-<digest>.sig). Nothing in the image itself changes, so the signature is always looked up by the digest of the image it covers.
Make a random name for your container:
export CONTAINER_NAME="ttl.sh/salsa-workshop-$(dd if=/dev/urandom bs=1 count=10 status=none | base64 | tr -dc 'a-z')"
echo "Your chosen container name is $CONTAINER_NAME"
In the root of this repository we have created an example application with a simple Dockerfile, run the following command:
docker build -t $CONTAINER_NAME:2h .
docker push $CONTAINER_NAME:2h
Note: Write down the image digest (sha256:...) printed by docker push; you will need it in subsequent steps.
Generate a key pair for local signing (this prompts for a password and writes cosign.key, the password-protected private key, and cosign.pub, the public key, to the current directory):
cosign generate-key-pair
Sign the container using the generated key pair. Reference the image by digest, not by tag: a tag like 2h is mutable and can later point at a different image, whereas the digest identifies exactly the bytes you are signing (cosign warns if you sign a tag reference). In recent cosign versions the signature is also recorded in the public Rekor transparency log by default and you will be asked to confirm; pass --tlog-upload=false if you do not want that for this local exercise, and then add --insecure-ignore-tlog to the verify command below.
cosign sign --key cosign.key $CONTAINER_NAME@sha256:<digest>
Verify the container using the public key. On success cosign prints the verified signature payload and exits 0; on failure (no signature, wrong key, or a different digest) it exits non-zero, which is the result a deployment gate should act on:
cosign verify --key cosign.pub $CONTAINER_NAME@sha256:<digest>
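The steps above have you copy the digest by hand. The following script is an added example, not part of the workshop repository, that captures the digest from the docker push output instead, refuses to sign anything that is not pinned to a digest, and derives the tag under which cosign stores the signature. The sample push output embedded in it is constructed, and its digest is a placeholder rather than a real image; the push_and_get_digest and sign_and_verify functions call docker and cosign and are only meant to be run inside the workshop environment.

```shell
#!/usr/bin/env sh
# Added example (not the workshop's own code): digest capture and digest-pinned
# signing/verification around the commands used in this lab.
set -eu

# Pull the sha256 digest out of `docker push` output. The last line of a
# successful push looks like:  2h: digest: sha256:<64 hex> size: 1234
digest_from_push_output() {
  sed -n 's/.*digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | tail -n 1
}

# cosign stores the signature in the same repository as an OCI artifact
# tagged sha256-<hex>.sig, so this is where `cosign verify` will look.
signature_tag_for() {
  printf '%s.sig\n' "$(printf '%s' "$1" | tr ':' '-')"
}

# True only for references pinned to a digest (name@sha256:<64 hex>).
is_digest_ref() {
  printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Push an image and return its digest (echoes the push output to stderr so
# the usual progress is still visible). Requires docker; not run offline.
push_and_get_digest() {
  docker push "$1" | tee /dev/stderr | digest_from_push_output
}

# Sign and verify a digest-pinned reference with the lab's local key pair.
# Requires cosign and cosign.key/cosign.pub in the current directory.
sign_and_verify() {
  ref="$1"
  if ! is_digest_ref "$ref"; then
    echo "refusing to sign a tag reference, pin a digest: $ref" >&2
    return 1
  fi
  cosign sign --key cosign.key "$ref"
  cosign verify --key cosign.pub "$ref"
}

# Constructed sample of `docker push` output (placeholder digest, not a real image).
SAMPLE_PUSH_OUTPUT='The push refers to repository [ttl.sh/salsa-workshop-abcdef]
5f70bf18a086: Pushed
2h: digest: sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef size: 528'

# Offline demonstration of the helpers; the workshop flow would instead be:
#   DIGEST=$(push_and_get_digest "$CONTAINER_NAME:2h")
#   sign_and_verify "$CONTAINER_NAME@$DIGEST"
DIGEST=$(printf '%s\n' "$SAMPLE_PUSH_OUTPUT" | digest_from_push_output)
echo "digest:        $DIGEST"
echo "signature tag: $(signature_tag_for "$DIGEST")"
```

Because the signature lives under its own tag next to the image, you can see it with a registry listing tool after signing, and the refusal to sign a tag reference is the check that keeps a later retag of 2h from inheriting a signature it never earned.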
In this lab we have signed and verified a container locally with cosign using a key pair we generated ourselves, which means trust rests on keeping cosign.key secret and distributing cosign.pub to every verifier. In the next lab we will sign and verify the container with keyless signing using sigstore and GitHub Actions, where the signing identity is the workflow itself rather than a long-lived key.
Proceed to Lab 2 >