Container with cosign, PKCS11 shims and SoftHSM for container signing

Running cosign in island mode (disconnected)

If you're in a normal, larger computing center, it is not advisable that servers have free access to the internet. We call this "island mode"!

Rationale

At the moment cosign uses the shared public infrastructure Rekor and Fulcio for signing. Neither is at a production stage, and they cannot easily be deployed on premise in a production environment. Therefore we use the PKCS11 mode of cosign to generate standalone on-premise signatures.

The standard cosign image currently has this mode disabled, so we must compile cosign with the mode enabled!

First test: Container

General

This test case should be a base for pipeline-based signing in your infrastructure. The second test below shows an example with an individual hardware token.

The Docker container in this directory has the following settings:

  • Alpine container
    • uses a build container, so there are no dev tools in the resulting container and it's small
    • non-root container
  • Installed in the container:
    • cosign with PKCS11 support
    • softhsm2 with persistence on /opt/app/tokens
    • podman, openssl, ... installed
  • The container ships some very simple shell scripts in /usr/local/bin and one alias in .profile (you can find them in ./bin):
    • generate-card.sh => run it only once. It generates a virtual card and stores it in the persistent volume mounted to /opt/app/tokens
    • list-tokens.sh => helper tool to look at the contents of your virtual card
    • set-key-uri => alias defined in /opt/app/.profile. This sets your URI variable in the current shell.

Usage

(tested on MacOS and Linux with docker or podman; it should work on Windows with docker installed, but you have to adapt the docker run shell script)

  • Login to the OpenCode Registry with your username and personal access token:
    docker login registry.opencode.de
    
  • run the supplied shell script (I'm using podman-desktop on Mac Arm!):
    ./run-via-docker.sh
    
    or
    ./run-via-podman.sh
    
  • now in the docker container:
    • First time only! => Generate your virtual Card and export the key:
      generate-card.sh
      
      This generates a virtual token card and a certificate and exports them to /opt/app/tokens/exports. If you use the standard supplied persistence, this token and the export are also on your host machine in the ./tokens directory, or in your PVC if you're using K8s
    • Set your token URI:
      set-key-uri
      
    • Sign your image:
      cosign sign --key $URI myregistry.net/myproject/myimage:latest
      
    • Verify your image:
      cosign verify --key /opt/app/tokens/export/ec-1964-pub.pem  myregistry.net/myproject/myimage:latest | jq
      

Second Test: Yubikey local key

(tested on MacOS with a personal YubiKey 5c NFC)

  • Install OpenSC as the PKCS11 layer, Go for building cosign and jq as a JSON pretty-printer:

    brew install opensc go jq
    

    (first install homebrew if you haven't ;-))

  • Set up your YubiKey as explained in the documentation and enable the PIV application (I use the YubiKey Manager App on MacOS)

  • Assuming you have installed the Apple Developer Tools do the following in a Shell Window:

    mkdir -p ~/tmp
    cd ~/tmp
    git clone https://github.com/sigstore/cosign.git
    cd cosign
    make cosign-pivkey-pkcs11key
    sudo install cosign /usr/local/bin/cosign.pkcs11
    make clean
    cd ..
    rm -rf cosign
    
  • Now you have a new command cosign.pkcs11 (a distinct name, so it does not clash with a cosign you installed earlier with brew)

  • Get your YubiKey slots:

    cosign.pkcs11 pkcs11-tool list-tokens --module-path /opt/homebrew/lib/opensc-pkcs11.so
    
  • List the key URIs on your YubiKey:

    cosign.pkcs11 pkcs11-tool list-keys-uris --module-path /opt/homebrew/lib/opensc-pkcs11.so --slot-id SLOT_FROM_ABOVE
    
  • Now use the URI from the PIV AUTH key and set an environment variable URI like this:

    export URI="pkcs11:token=Yubico%20PIV%20Authentication;slot-id=4;id=%01;object=PIV%20AUTH%20key?module-path=/opt/homebrew/lib/opensc-pkcs11.so&pin-value=000000"
    

    (be careful, your PIN is in the URI ;-))

  • Cool, you're ready to sign:

    cosign.pkcs11 sign --key $URI myregistry.net/myproject/myimage:latest
    
  • Get your public key:

    cosign.pkcs11 public-key --key $URI > my-public-key.pem
    
  • Verify your image:

    cosign.pkcs11 verify --key my-public-key.pem myregistry.net/myproject/myimage:latest | jq
    
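To build such a URI without typing the percent-encoding by hand, here is a small POSIX shell helper (an added example, not part of this repository) that assembles the cosign PKCS11 key URI from the values printed by list-keys-uris. The attribute order follows the URI shown above; the pin-value part is only appended when a PIN is passed, and ASCII labels are assumed.

```shell
#!/bin/sh
# Added helper, not part of this repository: assemble a cosign PKCS11 key URI
# from token label, slot id, key id, object label and module path.
# Assumptions: labels are ASCII; the key id is passed already percent-encoded
# (e.g. %01), exactly as list-keys-uris prints it.

# Percent-encode everything except the RFC 3986 unreserved characters.
pct_encode() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        rest=${s#?}              # everything after the first character
        c=${s%"$rest"}           # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# pkcs11_uri TOKEN_LABEL SLOT_ID KEY_ID OBJECT_LABEL MODULE_PATH [PIN]
# Prints the URI. pin-value is only appended when a PIN is given, so a PIN
# you do not pass here never ends up in the URI string.
pkcs11_uri() {
    uri="pkcs11:token=$(pct_encode "$1");slot-id=$2;id=$3;object=$(pct_encode "$4")?module-path=$5"
    if [ -n "${6:-}" ]; then
        uri="$uri&pin-value=$(pct_encode "$6")"
    fi
    printf '%s' "$uri"
}

# Usage with the values from the YubiKey walkthrough (PIN taken from an
# environment variable of your choice instead of being typed on the command line):
# URI=$(pkcs11_uri 'Yubico PIV Authentication' 4 '%01' 'PIV AUTH key' /opt/homebrew/lib/opensc-pkcs11.so "$PIV_PIN")
# export URI
```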

Build

I've included a script which implements a multi-architecture (intel/amd64 & arm64) build with podman and buildah.

The container is a multistage build based on alpine. It's made for RHEL / Almalinux / Rockylinux / Fedora but may work with Suse / Debian or Ubuntu.

Have a look at ./multi-arch-build.sh. It is NOT working at the moment; the multi-arch OCI image was made manually!

Ready-built images are here: registry.pflaeging.net/ig-bvc/cosign-pkcs11-softhsm:v2.0.1-multiarch-a2

General comments

  • The image in the OpenCode Registry is signed. You can verify it with:
    cosign verify --key PeterPflaeging-YubiKey-public.pem registry.opencode.de/ig-bvc/ag-sig/cosign-pkcs11-softhsm/cosign-pkcs11-softhsm:latest | jq
    
    (remember: you must be logged in!)
  • If you have problems with private or uncommon certificates when running cosign, add --allow-insecure-registry for the tests, and try to fix the underlying problems with your infrastructure people!

Todo

  • Generate a workflow-capable container for Tekton
  • Generate a Kubernetes deployment with the SoftHSM assets as secrets

peter pflaeging <peter@pflaeging.net>