Container Signing Tool: Cosign
Cosign is a tool developed by the sigstore working group that takes care of container signing and verification.
Let’s first generate a key-pair:
❯ cosign generate-key-pair
Enter password for private key:
Enter password for private key again:
Private key written to cosign.key
Public key written to cosign.pub
Now, using the private key, we will sign a Docker image.
❯ cosign sign -key cosign.key pradeepchhetri/alpine
Enter password for private key:
Pushing signature to: index.docker.io/pradeepchhetri/alpine:sha256-99c34e16be851a23d9eac4d0475f258723be34d71fda375dce3722a9b4a3e992.sig
You can see that it pushes the signature to the registry as well.
Now, on each machine where we are going to run this image, we can first verify that no one has tampered with the image.
❯ cosign verify -key cosign.pub pradeepchhetri/alpine
Verification for index.docker.io/pradeepchhetri/alpine:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.
[{"critical":{"identity":{"docker-reference":"index.docker.io/pradeepchhetri/alpine"},"image":{"docker-manifest-digest":"sha256:99c34e16be851a23d9eac4d0475f258723be34d71fda375dce3722a9b4a3e992"},"type":"cosign container image signature"},"optional":null}]
❯ echo $status
0
A return code of 0 signifies that at least one cosign-formatted signature for the image was found matching the public key.
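As an added example (not code from the original post), here is a POSIX sh wrapper that gates a deployment on the same cosign verify call and then pins the image to the digest named in the verified claim: the signature covers the manifest digest, while a tag such as :latest can move after verification. The key path, image reference and claim JSON are taken from the post; the function names are my own, and it is assumed that cosign prints the JSON claims to stdout and the human-readable checks to stderr.

```shell
#!/bin/sh
# Added example: verify with cosign, then run by the signed digest, not the tag.

# Claim JSON copied from the post's `cosign verify` output (used by the tests).
SAMPLE_CLAIMS='[{"critical":{"identity":{"docker-reference":"index.docker.io/pradeepchhetri/alpine"},"image":{"docker-manifest-digest":"sha256:99c34e16be851a23d9eac4d0475f258723be34d71fda375dce3722a9b4a3e992"},"type":"cosign container image signature"},"optional":null}]'

# Print the signed manifest digest from cosign's claim output.
# Fails unless the claim names exactly the image reference we expected,
# so a valid signature for some other repository is not accepted.
digest_from_claims() {
  claims="$1"        # JSON array printed by `cosign verify`
  expected_ref="$2"  # fully qualified, e.g. index.docker.io/pradeepchhetri/alpine
  case "$claims" in
    *"\"docker-reference\":\"$expected_ref\""*) ;;
    *) echo "claim does not name $expected_ref" >&2; return 1 ;;
  esac
  digest=$(printf '%s' "$claims" |
    sed -n 's/.*"docker-manifest-digest":"\(sha256:[0-9a-f]\{64\}\)".*/\1/p')
  [ -n "$digest" ] || { echo "no sha256 digest in claims" >&2; return 1; }
  printf '%s\n' "$digest"
}

# Replace any tag on the reference with @digest (a registry port such as
# localhost:5000 is left alone because the colon is not in the last component).
pin_to_digest() {
  image="$1"; digest="$2"
  repo="$image"
  case "${image##*/}" in *:*) repo="${image%:*}" ;; esac
  printf '%s@%s\n' "$repo" "$digest"
}

# Same invocation as the post (assumed: JSON on stdout, checks on stderr).
# Prints the digest-pinned reference to run, or fails with a non-zero status.
verify_and_pin() {
  key="$1"; image="$2"
  claims=$(cosign verify -key "$key" "$image" 2>/dev/null) || {
    echo "signature verification failed for $image" >&2; return 1; }
  ref=${image%@*}
  case "${ref##*/}" in *:*) ref="${ref%:*}" ;; esac
  digest=$(digest_from_claims "$claims" "$ref") || return 1
  pin_to_digest "$image" "$digest"
}

# Usage: sh verify-and-pin.sh cosign.pub index.docker.io/pradeepchhetri/alpine
if [ "$#" -eq 2 ]; then
  pinned=$(verify_and_pin "$1" "$2") && docker run --rm "$pinned"
fi
```

Pass the reference fully qualified (index.docker.io/...) so the identity check compares against the exact string cosign puts in the claim.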