When it comes to software supply chain security, being able to sign and verify files, docker images, and software bills of materials (SBOMs) is crucial. CoSign by Sigstore provides an easy and accessible way to manage these operations. In this article, we’ll cover the steps to install CoSign, sign and verify your artifacts both keylessly and with a key, and ensure your software deployment is secure.
Installation Steps
To start using CoSign, you need to install it on your system. Here are the steps:
For Windows:
# Download Cosign
curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-windows-amd64.exe
# Rename the file
ren cosign-windows-amd64.exe cosign.exe
# Move to PATH (optional)
move cosign.exe C:\Windows\System32\
For Linux:
# Download Cosign
curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
# Make it executable
chmod +x cosign-linux-amd64
# Move to PATH (optional)
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
For Mac/OSX:
# Download Cosign
curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-darwin-amd64
# Make it executable
chmod +x cosign-darwin-amd64
# Move to PATH (optional)
sudo mv cosign-darwin-amd64 /usr/local/bin/cosign
Signing and Verifying
Keyless Signing and Verifying
CoSign allows you to sign without having to manage keys. In keyless mode the signature is bound to your OIDC identity through a short-lived certificate and recorded in the Rekor transparency log, so whoever verifies it must check that the signing identity is the one they expect. Here’s how you do it:
# 1. Sign your container keylessly (COSIGN_EXPERIMENTAL=1 selects keyless mode)
COSIGN_EXPERIMENTAL=1 cosign sign <docker-image-url>
# 2. Verify the signature keylessly
COSIGN_EXPERIMENTAL=1 cosign verify <docker-image-url>
With Key Signing and Verifying
If you prefer using keys for signing, follow these steps:
# 1. Generate a key pair
cosign generate-key-pair
# 2. Sign your container using the generated key
cosign sign --key cosign.key <docker-image-url>
# 3. Verify the container image
cosign verify --key cosign.pub <docker-image-url>
Sign & Verify Files
To sign files specifically, you can use the CoSign CLI with the following commands:
# Sign a file (the detached signature is written to yourfile.sig)
cosign sign-blob --key cosign.key --output-signature yourfile.sig yourfile
# Verify a file against its detached signature
cosign verify-blob --key cosign.pub --signature yourfile.sig yourfile
Signing Docker Images and SBOMs
Signing docker images and SBOMs follows a similar process:
# Sign a docker image
cosign sign --key cosign.key ghcr.io/your-repo/your-image:tag
# Sign an SBOM (write the signature to a file so it can be verified later)
cosign sign-blob --key cosign.key --output-signature path/to/your-sbom.json.sig path/to/your-sbom.json
Verification
Verification ensures that the artifact was signed by the holder of the private key matching cosign.pub and has not been tampered with since. Here’s how to verify different types of artifacts:
# Verify the docker image
cosign verify --key cosign.pub ghcr.io/your-repo/your-image:tag
# Verify the SBOM against its detached signature
cosign verify-blob --key cosign.pub --signature path/to/your-sbom.json.sig path/to/your-sbom.json
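To make concrete what the file and SBOM checks above actually verify, here is an added example (not part of the original article or of cosign itself) that reproduces the key-based blob check with openssl alone: a P-256 key pair like the one cosign generate-key-pair creates, a base64-encoded ECDSA/SHA-256 signature over a constructed sample SBOM, and a verify step that must reject any modified copy of the file. The key, file names and sample SBOM are all constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: what `cosign verify-blob --key cosign.pub --signature ...`
# checks, reproduced with openssl. Not cosign's own code.
set -euo pipefail

WORK="$(mktemp -d)"

# P-256 key pair. cosign generate-key-pair uses the same curve; cosign.pub is
# a plain PEM public key (cosign.key is additionally encrypted, not shown here).
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem" 2>/dev/null
openssl ec -in "$WORK/key.pem" -pubout -out "$WORK/cosign.pub" 2>/dev/null

# sign_blob FILE SIGFILE: base64(DER ECDSA signature over SHA-256(FILE)),
# the detached signature format cosign sign-blob writes with --output-signature.
sign_blob() {
  openssl dgst -sha256 -sign "$WORK/key.pem" "$1" | base64 | tr -d '\n' > "$2"
}

# verify_blob FILE SIGFILE: exit 0 only if SIGFILE is a valid signature of FILE
# under cosign.pub. This is the check that gates a deploy.
verify_blob() {
  base64 -d "$2" > "$WORK/sig.bin"
  openssl dgst -sha256 -verify "$WORK/cosign.pub" -signature "$WORK/sig.bin" "$1" >/dev/null 2>&1
}

# Constructed sample SBOM (stands in for path/to/your-sbom.json).
printf '{"bomFormat":"CycloneDX","components":[]}\n' > "$WORK/sbom.json"
sign_blob "$WORK/sbom.json" "$WORK/sbom.json.sig"

verify_blob "$WORK/sbom.json" "$WORK/sbom.json.sig" && echo "sbom.json: signature OK"

# A single changed byte (here, an added component) must fail verification:
# the signature covers the whole file, not its name or location.
printf '{"bomFormat":"CycloneDX","components":[{"name":"x"}]}\n' > "$WORK/tampered.json"
if verify_blob "$WORK/tampered.json" "$WORK/sbom.json.sig"; then
  echo "unexpected: tampered file verified"; exit 1
else
  echo "tampered.json: signature REJECTED"
fi
```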
Summary
Securing your software supply chain by signing and verifying files, docker images and SBOMs is essential in today’s cybersecurity landscape. CoSign provides a streamlined, efficient approach for signing and verifying your artifacts either with or without a key. By integrating CoSign into your CI/CD pipeline, you can maintain a secured software delivery process that’s verifiable and resistant to tampering.