Cosign signature and verification
- Cosign Signature Verification
- Deterministic container hashes and container signing using Cosign, Kaniko and Google Cloud Build
salrashid123
salrashid123
/ workload_federation_svc_account.go
Last active
October 14, 2023 14:16
Access GCP and workspace APIs using GCP Workload Identity Federation usign Service Account Impersonation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "fmt" | |
| "log" | |
| "context" | |
| "cloud.google.com/go/storage" |
salrashid123
/ workload_federation_dwd.go
Last active
October 13, 2023 16:49
Access GCP and workspace APIs using GCP Workload Identity Federation usign Domain Delegation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "fmt" | |
| "log" | |
| "context" | |
| "cloud.google.com/go/storage" |
salrashid123
/ cosign_annotations.md
Last active
March 7, 2024 12:58
Cosign sign and verify with annotations
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| see | |
| https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth | |
| for TPM https://github.com/salrashid123/oauth2#usage-tpmtokensource | |
| */ | |
| package main | |
| import ( |
salrashid123
/ sa_import.md
Last active
April 1, 2024 15:02
Importing ServiceAccount Credentials to TPMs
sample procdure to encrypt a service account rsa key GCP such that it is loadable on specific TPMs
this procedure will save the key reference to non-volatile memory which will persist through powercycles.
however, there are limited nv slots avaiable (7 per tpm i think).
long term is to allow is to allow full persitence via go-tpm-tools Allow persistence client.Key() and move away from nvram slots
also see
salrashid123
/ gcp-tpm.md
Last active
August 29, 2023 00:40
Trusted Platform Module (TPM) based GCP Service Account Key
snippet demonstrating how to create an RSA key on a TPM, then assocaite that with a GCP service account.
Finally, use that embedded service account key to access GCP resources
salrashid123
/ cog_bazel.md
Last active
August 18, 2023 11:43
Deterministic builds with cog and bazel (ttps://github.com/replicate/cog/issues/1250)
using bazel to build deterministic cog image
the following will build an image hash of
sha256:3db6542dc746aeabaa39d902570430e1d50c416e7fc20b875c10578aa5e62875
(more or less unless copy+paste from gist may add newline, whitespace to the .py files, sources..;
salrashid123
/ parseIssuer.go
Last active
August 13, 2023 13:49
Parse certificate.Issuer from raw DER bytes in golang
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Marshall Certificate.Issuer struct from raw DER Bytes | |
| code uses parser from https://go.dev/src/crypto/x509/parser.go | |
| https://lapo.it/asn1js/#MIIELTCCAxWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMSIwIAYDVQQDDBlFbnRlcnByaXNlIFN1Ym9yZGluYXRlIENBMB4XDTIzMDQwNzE0MDQwN1oXDTI1MDQwNjE0MDQwN1owRTELMAkGA1UEBhMCVVMxDzANBgNVBAoMBkdvb2dsZTETMBEGA1UECwwKRW50ZXJwcmlzZTEQMA4GA1UEAwwHbWNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGzSU8QxpblEH9igyDzn24R1M3dNU9inBjxPmGFrbzI1HN2oGxVdYSDmTmRwPmuLVxvX3HiFSGuhG3GvjrMskydY6dqvcZmOB8IMcCuw74kXIOevGyBVr8EJN-Z8tLXvZHyZgDe-1bDRkw4IsmhJrgnrWWAoWucyTSKYq8U5ZQt_1f3_nMAtkmt2kI3mrF1E_ibasa_aWngsyjtAVC-y1p2hDznHU8rDLxdgNKIo3X85eDFAOi-wDPMxrO3_vtNP2i1OrKv-GLj_0d1HzGV_4R5sMzNCOVXJ7H7TbbxFceC6ajMwEddZdASB7E4Mc43T4yuQy0_opravLkQQFacuZcCAwEAAaOCARQwggEQMA4GA1UdDwEB_wQEAwIHgDAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBRNAL-pKqCVY-RHtsRYG80GoULfLDAfBgNVHSMEGDAWgBSTvRe8TcBkyWIHOosz4S12KzT3wzBEBggrBgEFBQcBAQQ4MDYwNAYI |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Create GCP Confidential Space VM using Terraform | |
| export PROJECT_ID=`gcloud config get-value core/project` | |
| export PROJECT_NUMBER=`gcloud projects describe $PROJECT_ID --format='value(projectNumber)'` | |
| gcloud compute instances create vm1 --project=vegas-codelab-5 --confidential-compute \ | |
| --shielded-secure-boot --tags=tee-vm --maintenance-policy=TERMINATE --service-account="$PROJECT_NUMBER-compute@developer.gserviceaccount.com" --scopes=cloud-platform --zone=us-central1-a --image-project=confidential-space-images --image-family=confidential-space-debug \ | |
| --metadata ^~^tee-image-reference=gcr.io/cloud-marketplace/google/nginx1:latest~tee-restart-policy=Never~tee-container-log-redirect=true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "context" | |
| "fmt" | |
| "log" | |
| "syscall" | |
| "time" | |
| // "github.com/containerd/cgroups/v3" |