pool/cosign-image
SHA256
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2 Commits 2 Branches 0 Tags 44 KiB
Dockerfile 100%
devel
Go to file
Dan Čermák f27052432a [info=c6428cc8064978a36318c43779664dc4] 
OBS-URL: https://build.opensuse.org/package/show/devel:BCI:Tumbleweed/cosign-image?expand=0&rev=18
2024-11-25 15:46:03 +00:00
_service [info=c11ae7b91f877d53b9e7ed4d8ed6d010] 2024-11-25 11:58:29 +00:00
.gitattributes [info=c11ae7b91f877d53b9e7ed4d8ed6d010] 2024-11-25 11:58:29 +00:00
.gitignore [info=c11ae7b91f877d53b9e7ed4d8ed6d010] 2024-11-25 11:58:29 +00:00
cosign-image.changes [info=c6428cc8064978a36318c43779664dc4] 2024-11-25 15:46:03 +00:00
Dockerfile [info=c11ae7b91f877d53b9e7ed4d8ed6d010] 2024-11-25 11:58:29 +00:00
README.md [info=c6428cc8064978a36318c43779664dc4] 2024-11-25 15:46:03 +00:00

README.md

openSUSE Tumbleweed cosign

Redistributable

Description

Cosign aims to make signatures management easy.

Cosign supports the following functionality:

  • "Keyless signing" with the Sigstore public good Fulcio certificate authority and Rekor transparency log (default)
  • Hardware and KMS signing
  • Signing with a Cosign-generated encrypted private/public keypair
  • Container signing, verification and storage in an OCI registry.
  • Bring-your-own public key infrastructure (PKI)

Usage

Verify a container image

To verify the image, specify a certificate subject and a certificate issuer using the --certificate-identity and --certificate-oidc-issuer flags:

$ podman run registry.opensuse.org/opensuse/cosign:2.4 \
    verify $IMAGE \
    --certificate-identity=$IDENTITY \
    --certificate-oidc-issuer=$OIDC_ISSUER

You can also provide a regex for the certificate identity and issuer flags, --certificate-identity-regexp and --certificate-oidc-issuer-regexp. For more information, see Keyless verification using OpenID Connect.

Verify a container image against a public key

The verify command returns 0 if at least one cosign-formatted signature for the image is found matching the public key. See the detailed usage below for information and caveats on other signature formats.

Valid payload is printed to stdout, in JSON format. Note that the signed payload includes the digest of the container image, which indicated that these "detached" signatures apply to the correct image.

$ podman run registry.opensuse.org/opensuse/cosign:2.4 verify --key cosign.pub $IMAGE_URI:1h
The following checks were performed on these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8"},"Type":"cosign container image signature"},"Optional":null}

For more use cases and information, refer to the sigstore cosign Quickstart.

Licensing

SPDX-License-Identifier: Apache-2.0

This documentation and the build recipe are licensed as Apache-2.0. The container itself contains various software components under various open source licenses listed in the associated Software Bill of Materials (SBOM).

This image is based on openSUSE Tumbleweed.