Last active
October 28, 2021 05:25
-
-
Save imjasonh/dc60025ee7ce31143880230e9fc3d593 to your computer and use it in GitHub Desktop.
demo signing images multiple times with cosign
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generate a keypair | |
| $ cosign generate-key-pair | |
| Enter password for private key: | |
| Enter again: | |
| Private key written to cosign.key | |
| Public key written to cosign.pub | |
| # Use it to sign an image | |
| $ cosign sign -key=cosign.key gcr.io/imjasonh/ubuntu | |
| Enter password for private key: | |
| Pushing signature to: gcr.io/imjasonh/ubuntu:sha256-82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3.sig | |
| # Delete the old keys | |
| $ rm cosign.* | |
| # Generate new ones | |
| $ cosign generate-key-pair | |
| Enter password for private key: | |
| Enter again: | |
| Private key written to cosign.key | |
| Public key written to cosign.pub | |
| # Sign using new keys | |
| $ cosign sign -key=cosign.key gcr.io/imjasonh/ubuntu | |
| Enter password for private key: | |
| Pushing signature to: gcr.io/imjasonh/ubuntu:sha256-82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3.sig |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # List all signatures attached to the image | |
| $ crane manifest gcr.io/imjasonh/ubuntu:sha256-82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3.sig | jq | |
| { | |
| "schemaVersion": 2, | |
| "config": { | |
| "mediaType": "application/vnd.oci.image.config.v1+json", | |
| "size": 560, | |
| "digest": "sha256:1c4be9dbaf3cd7a1c2e76d787a969972f072eb8b4ebf0d2f1d751d924bade093" | |
| }, | |
| "layers": [ | |
| { | |
| "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json", | |
| "size": 238, | |
| "digest": "sha256:c3e90a8f16fa6e79a86feb2be16734653f20cf5656e217db6c624c420dd3c054", | |
| "annotations": { | |
| "dev.cosignproject.cosign/signature": "MEYCIQCQpV+Ml8lLcFwEB31gILOXEvm7lIlr5BlX10gu/b/y+wIhALlKegIP74OMMYilTP7/nSRJcXluN4joDRnWoQh/RmgW", | |
| "dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEQCIDRC8sDpF7vFnkLLp7v0/+3VLHNlGeYyL5UAkX01MHkBAiBWYgUEL5wzHDP5Io2sxt/XH5a/lVBf/l6wj3CojxKTlg==\",\"Body\":\"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJzcGVjIjp7ImRhdGEiOnsiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImMzZTkwYThmMTZmYTZlNzlhODZmZWIyYmUxNjczNDY1M2YyMGNmNTY1NmUyMTdkYjZjNjI0YzQyMGRkM2MwNTQifX0sInNpZ25hdHVyZSI6eyJjb250ZW50IjoiTUVZQ0lRQ1FwVitNbDhsTGNGd0VCMzFnSUxPWEV2bTdsSWxyNUJsWDEwZ3UvYi95K3dJaEFMbEtlZ0lQNzRPTU1ZaWxUUDcvblNSSmNYbHVONGpvRFJuV29RaC9SbWdXIiwiZm9ybWF0IjoieDUwOSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTnFla05EUVdoWFowRjNTVUpCWjBsVVdIaG9jbklyVGpKWVkwWjNUV3RuVGtkeFZFUjVTRUpITm1wQlMwSm5aM0ZvYTJwUFVGRlJSRUY2UVhFS1RWSlZkMFYzV1VSV1VWRkxSWGQ0ZW1GWFpIcGtSemw1V2xNMWExcFlXWGhGVkVGUVFtZE9Wa0pCVFZSRFNFNXdXak5PTUdJelNteE5RalJZUkZSSmVBcE5SR2Q0VFdwSmQwNUVXWGROVm05WVJGUkplRTFFWjNoTmFrbDRUVVJaZDAxR2IzZEJSRUphVFVKTlIwSjVjVWRUVFRRNVFXZEZSME5EY1VkVFRUUTVDa0YzUlVoQk1FbEJRa0p2ZDFSek5XVkRiMHAzTUdWNGRXcHNabG96Y1VkSFpuUXZSRmRRVFU1clFtd3hRMkpTVEhSSWEzbENVbWw0WW1OdlpqWXdZVWNLZFVSTGEwdElNMFZVUTA0eU1GcFpjRkZvTkZSV1pFbDZkakJVWlhZeU1tcG5aMFpEVFVsSlFsQnFRVTlDWjA1V1NGRTRRa0ZtT0VWQ1FVMURRalJCZHdwRmQxbEVWbEl3YkVKQmQzZERaMWxKUzNkWlFrSlJWVWhCZDAxM1JFRlpSRlpTTUZSQlVVZ3ZRa0ZKZDBGRVFXUkNaMDVXU0ZFMFJVWm5VVlZFVm5aSkNqazFXbFF4WW1JM2NTOHpOVUU0VWxjNFV6VmtUakpCZDBoM1dVUldVakJxUWtKbmQwWnZRVlY1VFZWa1FVVkhZVXBEYTNsVlUxUnlSR0UxU3pkVmIwY0tNQ3QzZDJkWk1FZERRM05IUVZGVlJrSjNSVUpDU1VkQlRVZzBkMlpCV1VsTGQxbENRbEZWU0UxQlMwZGpSMmd3WkVoQk5reDVPWGRqYld3eVdWaFNiQXBaTWtWMFdUSTVkV1JIVm5Wa1F6QXlUVVJPYlZwVVpHeE9lVEIzVFVSQmQweFVTWGxOYW1OMFdXMVpNMDVUTVcxT1Ixa3hXbFJuZDFwRVNUVk9WRkYxQ21NelVuWmpiVVp1V2xNMWJtSXlPVzVpUjFab1kwZHNla3h0VG5aaVV6bHFXVlJOTWxsVVJteFBWRmw1VGtSS2FVOVhXbXBaYWtVd1RtazVhbGxUTldvS1kyNVJkMDlSV1VSV1VqQlNRVkZJTDBKRE9IZE1XVVZ5V1RJNWVtRlhaSFZSUjNSMlltNVNhR0ZYTld0aU0xSjBXbE0xY0ZsWE1IVmFNMDVzWTI1YWNBcFpNbFpvV1RKT2RtUlhOVEJNYlU1MllsUkJTMEpuWjNGb2EycFBVRkZSUkVGM1RtOUJSRUpzUVdwRlFYWmFkelEzZVZJNFZEWlhSa2c1WVRRMWNXVjFDakJhU2s5a01GRnBZMHc1TDJ4RE9WbE1OakYzZHl0UVRVVlRkVkp1WjA5bmVYZDVMMkp1YlM5R1pFdFJRV3BDV2pSUFZuZG5SRUZMTjNBMFdWVXlXWGtLY2xoSVNXcHZNRkoxT0RCdlZXUnlPVGxtWkU1eWJISXhiMUpCTDJaa1pGVTJjbkJrT0hKNlVpdERUMEkzTDI4OUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX0sImtpbmQiOiJyZWtvcmQifQ==\",\"IntegratedTime\":1628801162,\"LogIndex\":34035,\"LogID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}", | |
| "dev.sigstore.cosign/certificate": "-----BEGIN CERTIFICATE-----\nMIICjzCCAhWgAwIBAgITXxhrr+N2XcFwMkgNGqTDyHBG6jAKBggqhkjOPQQDAzAq\nMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIx\nMDgxMjIwNDYwMVoXDTIxMDgxMjIxMDYwMFowADBZMBMGByqGSM49AgEGCCqGSM49\nAwEHA0IABBowTs5eCoJw0exujlfZ3qGGft/DWPMNkBl1CbRLtHkyBRixbcof60aG\nuDKkKH3ETCN20ZYpQh4TVdIzv0Tev22jggFCMIIBPjAOBgNVHQ8BAf8EBAMCB4Aw\nEwYDVR0lBAwwCgYIKwYBBQUHAwMwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUDVvI\n95ZT1bb7q/35A8RW8S5dN2AwHwYDVR0jBBgwFoAUyMUdAEGaJCkyUSTrDa5K7UoG\n0+wwgY0GCCsGAQUFBwEBBIGAMH4wfAYIKwYBBQUHMAKGcGh0dHA6Ly9wcml2YXRl\nY2EtY29udGVudC02MDNmZTdlNy0wMDAwLTIyMjctYmY3NS1mNGY1ZTgwZDI5NTQu\nc3RvcmFnZS5nb29nbGVhcGlzLmNvbS9jYTM2YTFlOTYyNDJiOWZjYjE0Ni9jYS5j\ncnQwOQYDVR0RAQH/BC8wLYErY29zaWduQGtvbnRhaW5kb3RtZS5pYW0uZ3NlcnZp\nY2VhY2NvdW50LmNvbTAKBggqhkjOPQQDAwNoADBlAjEAvZw47yR8T6WFH9a45qeu\n0ZJOd0QicL9/lC9YL61ww+PMESuRngOgywy/bnm/FdKQAjBZ4OVwgDAK7p4YU2Yy\nrXHIjo0Ru80oUdr99fdNrlr1oRA/fddU6rpd8rzR+COB7/o=\n-----END CERTIFICATE-----\n", | |
| "dev.sigstore.cosign/chain": "\n-----BEGIN CERTIFICATE-----\nMIIB+DCCAX6gAwIBAgITNVkDZoCiofPDsy7dfm6geLbuhzAKBggqhkjOPQQDAzAq\nMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIx\nMDMwNzAzMjAyOVoXDTMxMDIyMzAzMjAyOVowKjEVMBMGA1UEChMMc2lnc3RvcmUu\nZGV2MREwDwYDVQQDEwhzaWdzdG9yZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLSy\nA7Ii5k+pNO8ZEWY0ylemWDowOkNa3kL+GZE5Z5GWehL9/A9bRNA3RbrsZ5i0Jcas\ntaRL7Sp5fp/jD5dxqc/UdTVnlvS16an+2Yfswe/QuLolRUCrcOE2+2iA5+tzd6Nm\nMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\nFMjFHQBBmiQpMlEk6w2uSu1KBtPsMB8GA1UdIwQYMBaAFMjFHQBBmiQpMlEk6w2u\nSu1KBtPsMAoGCCqGSM49BAMDA2gAMGUCMH8liWJfMui6vXXBhjDgY4MwslmN/TJx\nVe/83WrFomwmNf056y1X48F9c4m3a3ozXAIxAKjRay5/aj/jsKKGIkmQatjI8uup\nHr/+CxFvaJWmpYqNkLDGRU+9orzh5hI2RrcuaQ==\n-----END CERTIFICATE-----" | |
| } | |
| }, | |
| { | |
| "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json", | |
| "size": 238, | |
| "digest": "sha256:c3e90a8f16fa6e79a86feb2be16734653f20cf5656e217db6c624c420dd3c054", | |
| "annotations": { | |
| "dev.cosignproject.cosign/signature": "MEUCIQDuq5LLdPYR+DwzSywGdEA8yq8RCIxQ85/2ME+EnzeNMAIgJu/CkJdJKklfgWBDpGYq96/uizi9FDevO70MsYaIfoo=" | |
| } | |
| }, | |
| { | |
| "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json", | |
| "size": 238, | |
| "digest": "sha256:c3e90a8f16fa6e79a86feb2be16734653f20cf5656e217db6c624c420dd3c054", | |
| "annotations": { | |
| "dev.cosignproject.cosign/signature": "MEUCIQCEiptC/iZWShIy//spNOlJP3eJ44Wx5mzqdsLL1LhmiwIgeqKxtGsBR/Cn1vTgnHgh9zkcJVmodP61BZZzC8h4fdo=" | |
| } | |
| }, | |
| { | |
| "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json", | |
| "size": 238, | |
| "digest": "sha256:c3e90a8f16fa6e79a86feb2be16734653f20cf5656e217db6c624c420dd3c054", | |
| "annotations": { | |
| "dev.cosignproject.cosign/signature": "MEYCIQCK5LtwDewciMPFBK9Ao6pwyzLHq1PaP5z9uTLKuZ7FQwIhAN8933tdZ02yI4T2rB06Q6s5N5u4E4c/C1+9EBv4xXT2" | |
| } | |
| } | |
| ] | |
| # Pick a signature and inspect it (fetch the blob contents) | |
| $ crane blob gcr.io/imjasonh/ubuntu@sha256:c3e90a8f16fa6e79a86feb2be16734653f20cf5656e217db6c624c420dd3c054 | jq | |
| { | |
| "critical": { | |
| "identity": { | |
| "docker-reference": "gcr.io/imjasonh/ubuntu" | |
| }, | |
| "image": { | |
| "docker-manifest-digest": "sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3" | |
| }, | |
| "type": "cosign container image signature" | |
| }, | |
| "optional": null | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment