
cosign-tools is a collection of tools for cosign

German translation in ./Readme.de.md

ubi-cosign

Small container based on ubi-minimal with cosign installed

Build

With an OpenShift / OKD BuildConfig

Just modify the files in ./kustomize/build/ and apply them with oc apply -k ./kustomize/build/.

With docker

docker buildx build --platform linux/arm64,linux/amd64 --push -t registry.opencode.de/ig-bvc/ag-sig/cosign-tools/ubi-cosign:latest -f Dockerfile.ubi-cosign .

Additional config

If you're using private CAs in your environment, please read Dockerfile.ubi-cosign and uncomment the parts that import the certificates into your container.

More beautiful with podman

For all of us using a MacBook with an Apple M processor and deploying to an AMD64 / Intel64 infrastructure (this also works from a Windows or Linux desktop):

Make a multi-arch build:

  • Install on Mac:
    • podman-desktop
    • podman

Build a multi-arch image:

# login to the registry
podman login registry.opencode.de
# create a manifest for a multi-arch container
podman manifest create registry.opencode.de/ig-bvc/ag-sig/cosign-tools/ubi-cosign:latest
# build for both architectures and link it to the manifest
podman build --platform=linux/amd64,linux/arm64 \
  --manifest registry.opencode.de/ig-bvc/ag-sig/cosign-tools/ubi-cosign:latest \
  -f Dockerfile.ubi-cosign .
# push the result to the registry (add --tls-verify=false if you're using private certs)
podman manifest push \
  registry.opencode.de/ig-bvc/ag-sig/cosign-tools/ubi-cosign:latest \
  docker://registry.opencode.de/ig-bvc/ag-sig/cosign-tools/ubi-cosign:latest

Test

Prepare

# copy an image to your registry (one signed and one unsigned)
skopeo copy docker://docker.io/library/alpine:3 \
  docker://registry.opencode.de/ig-bvc/ag-sig/cosign-tools/alpine:3 \
  --multi-arch=all --remove-signatures
skopeo copy docker://docker.io/library/alpine:3 \
  docker://registry.opencode.de/ig-bvc/ag-sig/cosign-tools/alpine-pflaeging-sign:3 \
  --multi-arch=all --remove-signatures

Run

Get a cosign.env file for the correct environment (have a look in the RHTAS install repo) or write it yourself. There's an example here: cosign-example.env

Local:

docker run -ti --env-file cosign.env \
  registry.opencode.de/ig-bvc/ag-sig/cosign-tools/ubi-cosign:latest \
  sh

In a kubernetes/OpenShift cluster:

kubectl run -it ubi-cosign-$USER \
  --image=registry.opencode.de/ig-bvc/ag-sig/cosign-tools/ubi-cosign:latest  \
  $(awk '{print "--env=" $1}' < cosign.env) \
  --restart=Never --rm \
  sh

Inside the container, do the following to sign the image registry.opencode.de/ig-bvc/ag-sig/cosign-tools/alpine-pflaeging-sign:3:

# login to your registry (use a gitlab PAT)
./cosign-login.sh registry.opencode.de
# first use case: sign the image interactively with a web browser
# you get a URL: copy & paste it into your browser
# log in and paste the token code into the shell prompt asking for it
./sign-image-interactive.sh registry.opencode.de/ig-bvc/ag-sig/cosign-tools/alpine-pflaeging-sign:3
# second use case: get an id-token from the IdP with curl and sign with that id-token (OIDC)
# this script will ask you for your IdP user and password
./sign-image-id-token.sh registry.opencode.de/ig-bvc/ag-sig/cosign-tools/alpine-pflaeging-sign:3
# verify image
./verify-image.sh peter@pflaeging.net registry.opencode.de/ig-bvc/ag-sig/cosign-tools/alpine-pflaeging-sign:3

This is example code. Please adapt it to your environment!

Use cases for both of these procedures

Use case 1: interactive signature with IdP login (like in the public fulcio/rekor tests)

You can use ./scripts/sign-image-interactive.sh, this small container, or maybe a web app to sign images interactively.

This may be a good scenario for small installations, sporadic use, or real personal signatures on your containers.

Use case 2: batch use case for signatures with an OIDC id-token

This is the classical use case for signatures in build or CI/CD pipelines. Take the example script ./scripts/sign-image-id-token.sh and build a task at the end of your build workflow from it. The id-token can either be an individual user's token or a token from a release bot.
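The id-token step from the Run section and this batch use case share one risk: cosign will happily hand any syntactically valid token to fulcio, and a token from the wrong IdP or an expired one only fails late, or worse, produces a signature bound to an identity your verifiers do not expect. The script below is an added example (not one of the repository's scripts) that inspects the token's iss and exp claims before signing and then verifies against the identity the token actually carries; it assumes cosign.env has been exported for the fulcio/rekor settings, that OIDC_ISSUER (an assumed variable name) holds the expected issuer URL, and that the token is passed in ID_TOKEN.

```shell
#!/usr/bin/env bash
# Added example, not one of the repository's scripts: pre-flight checks for the
# id-token batch use case, then the cosign keyless sign + verify round trip.
# Assumes cosign.env has been exported for the fulcio/rekor settings and that
# OIDC_ISSUER (assumed name) holds the IdP issuer URL expected in the token.
set -eu

# JWT segments are base64url without padding: restore both before decoding.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="${s}==" ;; 3) s="${s}=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Decoded payload (second segment) of a JWT.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# One top-level claim, string or number: jwt_claim TOKEN CLAIM
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Reject a token before it reaches fulcio: wrong issuer or already expired.
check_token() {
  local tok="$1" want_iss="$2" iss exp
  iss=$(jwt_claim "$tok" iss); exp=$(jwt_claim "$tok" exp)
  [ "$iss" = "$want_iss" ] && [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]
}

# Sign IMAGE with the id-token in ID_TOKEN and verify the result against the
# identity the token carries, so a signature made by the wrong account fails here.
sign_image() {
  local image="$1" tok="${ID_TOKEN:?export the OIDC id-token as ID_TOKEN}"
  check_token "$tok" "${OIDC_ISSUER:?}" || { echo "id-token rejected" >&2; return 1; }
  cosign sign --yes --identity-token "$tok" "$image"
  cosign verify --certificate-identity "$(jwt_claim "$tok" email)" \
    --certificate-oidc-issuer "$OIDC_ISSUER" "$image" >/dev/null
}

# Constructed sample token for trying the checks offline (signature part is junk).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }
make_sample_token() {
  local pl='{"iss":"https://idp.example.com/realms/sig","email":"peter@pflaeging.net","exp":4102444800}'
  printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256","typ":"JWT"}')" "$(b64url_encode "$pl")" "c2ln"
}

if [ $# -ge 1 ]; then sign_image "$1"; fi
```

Run it as a pipeline task with the image reference as its only argument; without an argument it only defines the functions, so you can source it and call check_token on a real token first.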

Use both methods

Since the components for these signatures are the same:

  • OpenID IdP (KeyCloak)
  • Red Hat Trusted Artifact Signer (RHTAS), Securesign Operator or your own fulcio & rekor rollout
  • the parameters for your installation like in ./cosign-example.env

you can implement both methods, depending on your use case.