cosign: Container Signing

  • Author: j1_829480
  • File size: 5.6MB
  • File format: zip
  • Favorites: 0
  • Resource type: VIP only
  • Downloads: 0
  • Upload date: 2022-06-14 03:42
cosign: Container Signing, Verification and Storage in an OCI registry.

Installation: for now, clone and `go build -o cosign ./cmd`. I'll publish releases when I'm comfortable supporting this for others to use.

Quick Start: this shows how to generate a keypair, sign a container image and store that signature in the registry, and find signatures for a container image and verify them against a public key.

Generate a keypair:

```
$ cosign generate-key-pair
Enter password for private key:
Enter again:
Private key written to cosign.key
Public key written to cosign.key
```

Sign a container and store the signature in the registry:

```
$ cosign sign -key cosign.key us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
```
cosign-main.zip contents (directories are listed without a size):
  • cosign-main
  • .gitignore (315B)
  • README.md (15.1KB)
  • .github
  • workflows
  • tests.yaml (552B)
  • pkg
  • cosign
  • sign_test.go (1.4KB)
  • sign.go (1.5KB)
  • fetch.go (2.6KB)
  • verify.go (1.7KB)
  • remote.go (2.5KB)
  • keys.go (882B)
  • payload.go (1008B)
  • test
  • e2e_test.go (3.7KB)
  • LICENSE (11.1KB)
  • go.mod (303B)
  • EXAMPLES.md (1.2KB)
  • images
  • signatures.dot.svg (7.7KB)
  • intro.gif (5.8MB)
  • dot
  • signatures.dot (1.3KB)
  • go.sum (52.8KB)
  • cmd
  • main.go (1.4KB)
  • cli
  • sign.go (3.5KB)
  • verify.go (3KB)
  • verify_blob.go (2KB)
  • generate.go (1.8KB)
  • generate_key_pair.go (2.3KB)
  • upload.go (2.4KB)
  • sign_blob.go (2KB)
  • download.go (1.5KB)
Content description
# cosign

Container Signing, Verification and Storage in an OCI registry.

![intro](images/intro.gif)

## Installation

For now, clone and `go build -o cosign ./cmd`. I'll publish releases when I'm comfortable supporting this for others to use.

## Quick Start

This shows how to:

* generate a keypair
* sign a container image and store that signature in the registry
* find signatures for a container image, and verify them against a public key

### Generate a keypair

```
$ cosign generate-key-pair
Enter password for private key:
Enter again:
Private key written to cosign.key
Public key written to cosign.key
```

### Sign a container and store the signature in the registry

```
$ cosign sign -key cosign.key us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
Enter password for private key:
Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8
```

### Verify a container against a public key

This command returns 0 if *at least one* `cosign` formatted signature for the image is found matching the public key. See the detailed usage below for information and caveats on other signature formats.

Any valid payloads are printed to stdout, in json format. Note that these signed payloads include the digest of the container image, which is how we can be sure these "detached" signatures cover the correct image.
```
$ cosign verify -key public-key.pem us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8"},"Type":""},"Optional":null}
```

## Detailed Usage

### Sign a container multiple times

Multiple signatures can be "attached" to a single container image:

```
$ cosign sign -key cosign.key us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
Enter password for private key:
Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8
$ cosign sign -key other-cosign.key us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
Enter password for private key:
Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8
```

We only actually sign the digest, but you can pass by tag or digest:

```
$ cosign sign -key other-cosign.key us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:v1
Enter password for private key:
Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8
$ cosign sign -key other-cosign.key us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:v1
Enter password for private key:
Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8
```

The `-a` flag can be used to add annotations to the generated, signed payload.
This flag can be repeated:

```
$ cosign sign -key cosign.key -a foo=bar -a baz=bat us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:v1
Enter password for private key:
Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8
```

These values are included in the signed payload under the `Optional` section. (More on this later):

```
"Optional":{"baz":"bat","foo":"bar"}
```

### Sign and upload a generated payload (in another format, from another tool)

The payload must be specified as a path to a file:

```
$ cosign sign -key key.pem -payload payload.json us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
Qr883oPOj0dj82PZ0d9mQ2lrdM0lbyLSXUkjt6ejrxtHxwe7bU6Gr27Sysgk1jagf1htO/gvkkg71oJiwWryCQ==
Using payload from: payload.json
Enter password for private key:
Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8
```

### Sign but skip upload (to store somewhere else)

The base64 encoded signature is printed to stdout. This can be stored somewhere else.

```
$ cosign sign -key key.pem --upload=false us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
Qr883oPOj0dj82PZ0d9mQ2lrdM0lbyLSXUkjt6ejrxtHxwe7bU6Gr27Sysgk1jagf1htO/gvkkg71oJiwWryCQ==
```

### Generate the signature payload (to sign with another tool)

The json payload is printed to stdout:

```
$ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8"},"Type":""},"Optional":null}
```

This can be piped directly into openssl:

```
$ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun | openssl...
```

### Upload a generated signature

The signature is passed via the -signature flag.
It can be a file:

```
$ cosign upload -signature file.sig us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8
```

or the base64-encoded signature:

```
$ cosign upload -signature Qr883oPOj0dj82PZ0d9mQ2lrdM0lbyLSXUkjt6ejrxtHxwe7bU6Gr27Sysgk1jagf1htO/gvkkg71oJiwWryCQ== us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def
```

or `-` for stdin, for chaining from other commands:

```
$ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun | openssl... | cosign upload -signature -- us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def
```

### Verifying claims

**Important Note**: Signature payloads created by `cosign` include the digest of the container image they are attached to. By default, `cosign` validates that this digest matches the container during `cosign verify`.

If you are using other payload formats with `cosign`, you can use the `-check-claims=false` flag:

```
$ cosign verify -check-claims=false -key public-key.pem us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
Warning: the following claims have not been verified:
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8"},"Type":"cosign container signature"},"Optional":null}
```

This will still verify the signature and payload against the supplied public key, but will not verify any claims in the payload.
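The claim check described above, together with the payload shape from `cosign generate`, the `Optional` annotations from `-a`, the `sha256-<digest>` signature tag, and the `{"Base64Signature","Payload"}` record from `cosign download`, as one self-contained Go program. This is an added example, not code from the cosign repository: the JSON shapes follow what the README transcripts print, while the signing algorithm (ECDSA P-256 over SHA-256 with an ASN.1-encoded signature), the function names and the sample digest reuse are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Payload mirrors the JSON that `cosign generate` prints. Critical carries the
// image digest claim; Optional carries -a annotations (null when none).
type Payload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"Identity"`
		Image struct {
			DockerManifestDigest string `json:"Docker-manifest-digest"`
		} `json:"Image"`
		Type string `json:"Type"`
	} `json:"Critical"`
	Optional map[string]string `json:"Optional"`
}

// Signed mirrors the record `cosign download` prints for each signature.
type Signed struct {
	Base64Signature string `json:"Base64Signature"`
	Payload         string `json:"Payload"` // base64 of the payload JSON
}

// SignatureTag is where the signature is pushed: <repo>:sha256-<hex digest>.
// Only the digest is signed, so signing by tag or by digest lands in the same tag.
func SignatureTag(repo, digestHex string) string {
	return repo + ":sha256-" + digestHex
}

// NewPayload builds a payload for an image digest; annotations may be nil.
func NewPayload(digestHex string, annotations map[string]string) Payload {
	var p Payload
	p.Critical.Image.DockerManifestDigest = digestHex
	p.Optional = annotations
	return p
}

// Sign signs the JSON payload. Assumption of this example (not stated on the
// page): ECDSA P-256 over SHA-256 of the payload bytes, ASN.1-encoded.
func Sign(priv *ecdsa.PrivateKey, p Payload) (Signed, error) {
	raw, err := json.Marshal(p)
	if err != nil {
		return Signed{}, err
	}
	h := sha256.Sum256(raw)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return Signed{}, err
	}
	return Signed{
		Base64Signature: base64.StdEncoding.EncodeToString(sig),
		Payload:         base64.StdEncoding.EncodeToString(raw),
	}, nil
}

// Verify checks the signature against pub and, when checkClaims is true, that
// the digest claimed inside the payload is the digest of the image actually
// being verified; -check-claims=false skips only that second step.
func Verify(pub *ecdsa.PublicKey, s Signed, imageDigestHex string, checkClaims bool) (Payload, error) {
	raw, err := base64.StdEncoding.DecodeString(s.Payload)
	if err != nil {
		return Payload{}, fmt.Errorf("decode payload: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(s.Base64Signature)
	if err != nil {
		return Payload{}, fmt.Errorf("decode signature: %w", err)
	}
	h := sha256.Sum256(raw)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return Payload{}, errors.New("signature does not verify against the supplied public key")
	}
	var p Payload
	if err := json.Unmarshal(raw, &p); err != nil {
		return Payload{}, fmt.Errorf("parse payload: %w", err)
	}
	if checkClaims && p.Critical.Image.DockerManifestDigest != imageDigestHex {
		return p, fmt.Errorf("claim mismatch: payload is for %s, image is %s",
			p.Critical.Image.DockerManifestDigest, imageDigestHex)
	}
	return p, nil
}

func main() {
	// Constructed sample: the repository and digest from the README transcripts.
	const repo = "us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun"
	const digest = "87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	s, err := Sign(priv, NewPayload(digest, map[string]string{"foo": "bar", "baz": "bat"}))
	if err != nil {
		panic(err)
	}
	fmt.Println("Pushing signature to:", SignatureTag(repo, digest))
	if _, err := Verify(&priv.PublicKey, s, digest, true); err != nil {
		panic(err)
	}
	fmt.Println("signature and digest claim verified")
}
```

The important design point is the order inside `Verify`: the signature is checked before the payload is parsed or its claims are read, so nothing from an unverified payload influences the decision, and a signature that is valid but made for a different image is still rejected unless claim checking is explicitly disabled.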
### Download the signatures to verify with another tool

Each signature is printed to stdout in a json format:

```
$ cosign download us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
{"Base64Signature":"Ejy6ipGJjUzMDoQFePWixqPBYF0iSnIvpMWps3mlcYNSEcRRZelL7GzimKXaMjxfhy5bshNGvDT5QoUJ0tqUAg==","Payload":"eyJDcml0aWNhbCI6eyJJZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiIn0sIkltYWdlIjp7IkRvY2tlci1tYW5pZmVzdC1kaWdlc3QiOiI4N2VmNjBmNTU4YmFkNzliZWVhNjQyNWEzYjI4OTg5ZjAxZGQ0MTcxNjQxNTBhYjNiYWFiOThkY2JmMDRkZWY4In0sIlR5cGUiOiIifSwiT3B0aW9uYWwiOm51bGx9"}
```

## Signature Specification

`cosign` is inspired by tools like [minisign](https://jedisct1.github.io/minisign/) and [signify](https://www.openbsd.org/papers/bsdcan-signify.html).

Generated private keys are stored in PEM format. The keys are encrypted under a password using scrypt as a KDF and nacl/secretbox for encryption. They have a PEM header of `ENCRYPTED COSIGN PRIVATE KEY`:

```
-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
...
-----END ENCRYPTED COSIGN PRIVATE KEY-----
```

Public keys are stored on disk in PEM format with a header