@developer-guy
Last active January 3, 2022 18:29
Experimental Keyless Cosign verify-blob command to verify the signature that is exported by the skopeo tool to the directory

Let's assume we have an image called devopps/busybox:glibc, obtained by copying the real busybox:glibc image from Docker Hub with the following command:

$ crane copy busybox:glibc devopps/busybox:glibc

crane is a tool for interacting with remote images and registries. https://github.com/google/go-containerregistry/tree/main/cmd/crane

The next step is to sign the image with the cosign tool. Cosign is a tool for container signing, verification and storage in an OCI registry.

Follow the official installation guide to install cosign.

cosign has two modes for signing and verifying container images: one uses a public/private key pair, the other is keyless mode, which is what we use here.

You can learn more about the Keyless mode from the official documentation.

Sign container image with Keyless mode enabled:

$ COSIGN_EXPERIMENTAL=1 cosign sign devopps/busybox:glibc
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=w9chxi8NtAoXM7vI8F56z0wSHPvf4Oucf9LhKkmXwIE&code_challenge_method=S256&nonce=21MPXge40lkBvIXMgpxZbIofhVk&redirect_uri=http%3A%2F%2Flocalhost%3A5556%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=21MPXd5u8v2ZocCHTGospn9DgAf
Successfully verified SCT...
tlog entry created with index: 884153

A number of things happen as a result of the command above. I'm not going to explain all of them, but one important point is that cosign both records the signature in the transparency log (Rekor) and stores it in the OCI registry, next to the image.

Let's list the tags of the image and look for the special tag that stores the signature:

$ crane ls devopps/busybox
glibc
sha256-430db6287c64d73b7dfb19ac86c242f6ddf80fcac6143cecb82b3669893495fd.sig

As you can see from the output above, we now have a special tag called sha256-430db6287c64d73b7dfb19ac86c242f6ddf80fcac6143cecb82b3669893495fd.sig.

There are many other ways to do signature verification, but today we'll focus on doing it by hand with some lower-level tooling.

Let's summarize the steps that we're going to take:

  1. Export the signature image to a directory using the skopeo tool
  2. Find the layer that stores the payload
  3. Find the signature and certificate in the layer annotations
  4. Verify the payload using the information extracted from the manifest

$ mkdir -p cosign-skopeo-demo
$ cd cosign-skopeo-demo

$ skopeo copy docker://devopps/busybox:sha256-430db6287c64d73b7dfb19ac86c242f6ddf80fcac6143cecb82b3669893495fd.sig dir:busybox
Getting image source signatures
Copying blob 2dda13dec3cd done
Copying config f53caf7fdf done
Writing manifest to image destination
Storing signatures

$ exa -lahsmodified busybox
Permissions Size User            Date Modified Name
.rw-r--r--    33 batuhan.apaydin 24 Nov 13:10   version
.rw-r--r--   247 batuhan.apaydin 24 Nov 13:11   2dda13dec3cd0de06c60abd858df3224b8377eea99ccc2c616574098d93ade19
.rw-r--r--   233 batuhan.apaydin 24 Nov 13:11   f53caf7fdfb422811a9f38bf83425f4d1bd5d65ddfcbe487a10607194049464c
.rw-r--r--  4.8k batuhan.apaydin 24 Nov 13:11   manifest.json

$ SIGNATURE_LAYER=$(bat busybox/manifest.json | jq -r '.layers[0].digest' | awk -F':' '{print $2}')
$ bat busybox/$SIGNATURE_LAYER > payload

$ bat busybox/manifest.json | jq -j '.layers[0].annotations["dev.sigstore.cosign/certificate"]' > cert   # -j writes the PEM as stored; -r would append a newline and leave a trailing empty line in cert

$ bat busybox/manifest.json | jq -r '.layers[0].annotations["dev.cosignproject.cosign/signature"]' > sig

$ cosign verify-blob --cert cert --signature sig payload
No TUF root installed, using embedded CA certificate.
Certificate is trusted by Fulcio Root CA
Email: [developerguyn@gmail.com]
Verified OK
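Two things verify-blob does not do for you. First, it only proves that the holder of the certificate signed those exact payload bytes; the binding to the image lives inside the payload, in critical.image.docker-manifest-digest, so you still have to check that the payload names the image you intend to run (the digest is also encoded in the sha256-<digest>.sig tag). Second, any certificate chaining to the Fulcio root passes, so the Email line printed above must be compared against the signer you expect. The script below is an added example for this gist, not code from cosign or skopeo. It reads the dir: layout skopeo produces (manifest.json plus blobs named by their sha256 hex, as listed above), cross-checks the payload blob against the manifest layer digest and size, checks the signed digest against the one taken from the .sig tag, and pulls out the signature and PEM certificate to hand to verify-blob. The manifest, payload, signature and certificate it works on are constructed placeholders embedded inline so it runs offline; the signature and certificate values are not real.

```python
"""Cross-check a cosign signature exported with `skopeo copy ... dir:` before verify-blob.

Added example for this gist, not cosign's or skopeo's own code. Assumes the dir:
layout shown above (manifest.json plus blobs named by sha256 hex) and the annotation
keys cosign puts on the signature layer. All sample data is constructed: the
signature and certificate values are placeholders, not real.
"""
import base64
import hashlib
import json

SIG_ANNOTATION = "dev.cosignproject.cosign/signature"
CERT_ANNOTATION = "dev.sigstore.cosign/certificate"
PAYLOAD_TYPE = "cosign container image signature"
IMAGE_DIGEST = "sha256:430db6287c64d73b7dfb19ac86c242f6ddf80fcac6143cecb82b3669893495fd"

# Simple-signing payload: the blob cosign actually signs for a container image.
PAYLOAD = json.dumps({"critical": {
    "identity": {"docker-reference": "index.docker.io/devopps/busybox"},
    "image": {"docker-manifest-digest": IMAGE_DIGEST},
    "type": PAYLOAD_TYPE}, "optional": None}, separators=(",", ":")).encode()
FAKE_SIG = base64.b64encode(b"constructed placeholder, not a real signature").decode()
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_for(payload: bytes) -> dict:
    """Signature image manifest as cosign lays it out: one layer per signature, with
    the signature and certificate carried as annotations on that layer."""
    return {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "layers": [{"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
                        "size": len(payload), "digest": "sha256:" + sha256_hex(payload),
                        "annotations": {SIG_ANNOTATION: FAKE_SIG, CERT_ANNOTATION: FAKE_CERT}}]}


# Constructed stand-in for dir:busybox; skopeo names blob files by their digest hex.
SAMPLE_DIR = {"manifest.json": json.dumps(manifest_for(PAYLOAD)).encode(),
              sha256_hex(PAYLOAD): PAYLOAD}


def tag_to_digest(tag: str) -> str:
    """cosign's 'sha256-<hex>.sig' tag encodes the digest of the image it signs."""
    if not (tag.startswith("sha256-") and tag.endswith(".sig")):
        raise ValueError(f"not a cosign signature tag: {tag}")
    return "sha256:" + tag[len("sha256-"):-len(".sig")]


def extract(files: dict, expected_image_digest: str, layer_index: int = 0) -> dict:
    """Pull payload, signature and certificate out of the export and cross-check them.

    Two checks `cosign verify-blob` will not do for you: the payload blob really is
    the layer the manifest describes (digest and size), and the payload names the
    image digest you intend to trust rather than some other image.
    """
    layer = json.loads(files["manifest.json"])["layers"][layer_index]
    algo, hexdigest = layer["digest"].split(":", 1)
    if algo != "sha256":
        raise ValueError(f"unexpected digest algorithm: {algo}")
    payload = files[hexdigest]
    if sha256_hex(payload) != hexdigest or len(payload) != layer["size"]:
        raise ValueError("payload blob does not match the manifest layer digest/size")
    critical = json.loads(payload)["critical"]
    if critical["type"] != PAYLOAD_TYPE:
        raise ValueError(f"unexpected payload type: {critical['type']}")
    signed_digest = critical["image"]["docker-manifest-digest"]
    if signed_digest != expected_image_digest:
        raise ValueError(f"payload signs {signed_digest}, expected {expected_image_digest}")
    ann = layer["annotations"]
    signature = base64.b64decode(ann[SIG_ANNOTATION], validate=True)  # must be clean base64
    cert_pem = ann[CERT_ANNOTATION]
    if not cert_pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("certificate annotation is not PEM")
    return {"payload": payload, "signature_b64": ann[SIG_ANNOTATION], "signature": signature,
            "cert_pem": cert_pem, "image_digest": signed_digest}


def rejected(files: dict, expected_image_digest: str) -> bool:
    """True when extract() refuses the export; exercises the failure paths."""
    try:
        extract(files, expected_image_digest)
    except (ValueError, KeyError):
        return True
    return False


def tampered_dir() -> dict:
    """Constructed negative case: manifest untouched, payload blob swapped for one that
    names another image. Same length, so only the digest check catches it."""
    swapped = PAYLOAD.replace(IMAGE_DIGEST.encode(), b"sha256:" + b"00" * 32)
    return {**SAMPLE_DIR, sha256_hex(PAYLOAD): swapped}


if __name__ == "__main__":
    parts = extract(SAMPLE_DIR, tag_to_digest("sha256-" + IMAGE_DIGEST[7:] + ".sig"))
    print("payload names", parts["image_digest"])
    print("tampered export rejected:", rejected(tampered_dir(), IMAGE_DIGEST))
```

On a real export, build the files dict by reading every file in busybox/ as bytes, pass the digest taken from the .sig tag as expected_image_digest, and write the returned payload, signature_b64 and cert_pem to payload, sig and cert; the cosign verify-blob call above then works unchanged. One more caveat on the verify-blob step itself: the keyless certificate is short-lived and this call checks it only against the Fulcio root, without consulting Rekor, so for verification long after signing, check the transparency log entry (the tlog index printed by cosign sign) as well.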
