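#!/usr/bin/env nix-shell
#!nix-shell -i bash -p step-cli cosign crane
#
# Demo: sign a container image with cosign using a key whose certificate
# chains to a locally generated (step-cli) root -> intermediate -> leaf PKI,
# then verify the signature against that chain.
#
# Required tools (provided by the nix-shell shebang above): step, cosign, crane.
# Optional env: REPO (target repository), COSIGN (cosign binary to run).
set -euo pipefail

# Target repository. ttl.sh is an anonymous, ephemeral registry; the ":15m"
# tag requests a 15-minute time-to-live, so nothing pushed here persists.
REPO=${REPO:-"ttl.sh/$(whoami)-test"}
IMAGE="$REPO:15m"
# cosign binary to invoke; override (e.g. COSIGN=./cosign) to exercise a local build.
COSIGN=${COSIGN:-cosign}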
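#######################################
# Make sure a test image exists at $IMAGE and record its digest.
# If the tag does not resolve yet, copy a small public base image into it.
# Globals:   IMAGE, REPO (read); DIGEST, IMAGE_DIGEST (written)
# Arguments: none
# Outputs:   nothing on stdout; stderr of the probe lookup is suppressed
# Returns:   non-zero (via set -e) if the copy or the final digest lookup fails
#######################################
function image_setup {
  # A missing tag makes `crane digest` fail; treat that as "not there yet"
  # rather than as an error, hence the deliberate `|| true`.
  DIGEST=$(crane digest "$IMAGE" 2>/dev/null || true)
  if [ -z "$DIGEST" ]; then
    # Not suppressing stderr here: if the copy fails we want to see why.
    crane cp cgr.dev/chainguard/musl-dynamic:latest "$IMAGE"
    DIGEST=$(crane digest "$IMAGE")
  fi
  # Reference the image by digest for signing: a tag can be re-pointed later,
  # a digest names exactly the manifest that was signed.
  IMAGE_DIGEST="$REPO@$DIGEST"
}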
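#######################################
# Build a throwaway three-tier PKI in the current directory:
#   root-ca (self-signed) -> intermediate-ca -> leaf (email SAN, codeSigning)
# Custom templates are used because step's built-in profiles
# (`--profile root-ca` etc.) do not set the "codeSigning" extKeyUsage that
# this signing flow needs on every certificate in the chain.
# Globals:   none
# Arguments: none
# Outputs:   writes {root-ca,intermediate-ca,leaf}.{crt,key} and *.tpl to cwd;
#            step reports each written file on stdout
# Returns:   non-zero (via set -e) if any `step certificate create` fails
# Note:      --no-password --insecure leave every private key unencrypted on
#            disk; only acceptable because the caller works in a temp dir
#            that it removes afterwards.
#######################################
function make_a_pki {
  # Heredoc delimiters are quoted so the Go-template braces are written
  # literally and no shell expansion can sneak into the JSON.

  # Root: self-signed (issuer == subject); maxPathLen 1 allows exactly one
  # level of subordinate CA beneath it.
  cat > root.tpl <<'EOF'
{
  "subject": {{ toJson .Subject }},
  "issuer": {{ toJson .Subject }},
  "keyUsage": ["certSign", "crlSign"],
  "extKeyUsage": ["codeSigning"],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 1
  }
}
EOF
  step certificate create root-ca root-ca.crt root-ca.key \
    --template root.tpl --no-password --insecure

  # Intermediate: signed by the root (--ca/--ca-key); maxPathLen 0 means it
  # may issue end-entity certificates only, never another CA.
  cat > intermediate.tpl <<'EOF'
{
  "subject": {{ toJson .Subject }},
  "keyUsage": ["certSign", "crlSign"],
  "extKeyUsage": ["codeSigning"],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 0
  }
}
EOF
  step certificate create intermediate-ca intermediate-ca.crt intermediate-ca.key \
    --template intermediate.tpl --ca ./root-ca.crt --ca-key ./root-ca.key \
    --no-password --insecure

  # Leaf: the signing identity. Not a CA, digitalSignature only, with an
  # email SAN as the subject identity.
  cat > leaf.tpl <<'EOF'
{
  "subject": {{ toJson .Subject }},
  "sans": [{"type": "email", "value": "user@example.com"}],
  "keyUsage": ["digitalSignature"],
  "extKeyUsage": ["codeSigning"]
}
EOF
  step certificate create leaf leaf.crt leaf.key --template leaf.tpl \
    --ca ./intermediate-ca.crt --ca-key ./intermediate-ca.key \
    --no-password --insecure
}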
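#######################################
# Entry point: create the test image and PKI in a temp dir, sign the image
# with the leaf key, then verify the signature against the generated chain.
# The temp dir (which holds unencrypted private keys) is removed on every
# exit path, including failure part-way through, via an EXIT trap.
# Globals:   COSIGN, IMAGE, IMAGE_DIGEST (read); WORKING_DIR (written);
#            COSIGN_PASSWORD (exported)
# Arguments: none
# Outputs:   step/cosign progress and the verification result on stdout
# Returns:   non-zero (via set -e) if any step fails
#######################################
function main {
  WORKING_DIR=$(mktemp -d)
  # ${VAR:?} aborts instead of expanding to an empty path, so this can never
  # become `rm -rf -- /...`.
  trap 'rm -rf -- "${WORKING_DIR:?}"' EXIT
  cd "$WORKING_DIR"

  image_setup
  make_a_pki

  # import-key-pair stores the key in cosign's encrypted format; an empty
  # password keeps the demo non-interactive (the key is throwaway anyway).
  export COSIGN_PASSWORD=''
  "$COSIGN" import-key-pair --key leaf.key
  # Sign the digest, not the tag, and keep the signature local (--upload=false).
  "$COSIGN" sign --key import-cosign.key --output-signature image.sig \
    --upload=false "$IMAGE_DIGEST"
  # Verify the detached signature with the leaf cert and its chain.
  # NOTE(review): this verifies the tag reference; passing "$IMAGE_DIGEST"
  # instead would pin verification to exactly the manifest that was signed.
  "$COSIGN" verify \
    --certificate-chain <(cat root-ca.crt intermediate-ca.crt) \
    --certificate leaf.crt --signature image.sig "$IMAGE"
}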
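# Forward any script arguments so main can grow options later without
# changing this call site.
main "$@"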
Your certificate has been saved in root-ca.crt.
Your private key has been saved in root-ca.key.
Your certificate has been saved in intermediate-ca.crt.
Your private key has been saved in intermediate-ca.key.
Your certificate has been saved in leaf.crt.
Your private key has been saved in leaf.key.
Private key written to import-cosign.key
Public key written to import-cosign.pub
Verification for ttl.sh/zjn-test:15m --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"ttl.sh/zjn-test"},"image":{"docker-manifest-digest":"sha256:c77be1d3a47d0caf71a82dd893ee61ce01f32fc758031a6ec4cf1389248bb833"},"type":"cosign container image signature"},"optional":null}]