[info=c11ae7b91f877d53b9e7ed4d8ed6d010]
OBS-URL: https://build.opensuse.org/package/show/devel:BCI:Tumbleweed/cosign-image?expand=0&rev=17
This commit is contained in:
commit
6ea2fc3fbe
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
## Default LFS
|
||||
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||
*.png filter=lfs diff=lfs merge=lfs -text
|
||||
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
.osc
|
55
Dockerfile
Normal file
55
Dockerfile
Normal file
@ -0,0 +1,55 @@
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon.
|
||||
|
||||
# The content of THIS FILE IS AUTOGENERATED and should not be manually modified.
|
||||
# It is maintained by the BCI team and generated by
|
||||
# https://github.com/SUSE/BCI-dockerfile-generator
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
# You can contact the BCI team via https://github.com/SUSE/bci/discussions
|
||||
|
||||
#!UseOBSRepositories
|
||||
|
||||
#!BuildTag: opensuse/cosign:%%cosign_version%%-%RELEASE%
|
||||
#!BuildTag: opensuse/cosign:%%cosign_version%%
|
||||
#!BuildTag: opensuse/cosign:2.4
|
||||
#!BuildTag: opensuse/cosign:2
|
||||
#!BuildTag: opensuse/cosign:latest
|
||||
|
||||
FROM opensuse/bci/bci-micro:latest AS target
|
||||
FROM opensuse/tumbleweed:latest AS builder
|
||||
COPY --from=target / /target
|
||||
|
||||
RUN set -euo pipefail; \
|
||||
zypper -n --installroot /target --gpg-auto-import-keys install --no-recommends cosign openSUSE-build-key; \
|
||||
zypper -n clean; \
|
||||
rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}
|
||||
# sanity check that the version from the tag is equal to the version of cosign that we expect
|
||||
RUN set -euo pipefail; \
|
||||
[ "$(rpm --root /target -q --qf '%{version}' cosign | \
|
||||
cut -d '.' -f -2)" = "2.4" ]
|
||||
FROM opensuse/bci/bci-micro:latest
|
||||
COPY --from=builder /target /
|
||||
# Define labels according to https://en.opensuse.org/Building_derived_containers
|
||||
# labelprefix=org.opensuse.application.cosign
|
||||
LABEL org.opencontainers.image.title="openSUSE Tumbleweed cosign"
|
||||
LABEL org.opencontainers.image.description="Signing OCI containers using Sigstore, based on the openSUSE Tumbleweed Base Container Image."
|
||||
LABEL org.opencontainers.image.version="%%cosign_version%%"
|
||||
LABEL org.opencontainers.image.url="https://www.opensuse.org"
|
||||
LABEL org.opencontainers.image.created="%BUILDTIME%"
|
||||
LABEL org.opencontainers.image.vendor="openSUSE Project"
|
||||
LABEL org.opencontainers.image.source="%SOURCEURL%"
|
||||
LABEL org.opencontainers.image.ref.name="%%cosign_version%%-%RELEASE%"
|
||||
LABEL org.opensuse.reference="registry.opensuse.org/opensuse/cosign:%%cosign_version%%-%RELEASE%"
|
||||
LABEL org.openbuildservice.disturl="%DISTURL%"
|
||||
LABEL org.opensuse.lifecycle-url="https://en.opensuse.org/Lifetime#openSUSE_BCI"
|
||||
LABEL org.opensuse.release-stage="released"
|
||||
# endlabelprefix
|
||||
LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/SUSE/BCI-dockerfile-generator/Tumbleweed/cosign-image/README.md"
|
||||
LABEL io.artifacthub.package.logo-url="https://raw.githubusercontent.com/sigstore/community/main/artwork/cosign/horizontal/color/sigstore_cosign-horizontal-color.svg"
|
||||
ENTRYPOINT ["/usr/bin/cosign"]
|
63
README.md
Normal file
63
README.md
Normal file
@ -0,0 +1,63 @@
|
||||
# openSUSE Tumbleweed cosign
|
||||
![Redistributable](https://img.shields.io/badge/Redistributable-Yes-green)
|
||||
|
||||
## Description
|
||||
Cosign aims to make signatures management easy.
|
||||
|
||||
Cosign supports the following functionality:
|
||||
|
||||
* "Keyless signing" with the Sigstore public good Fulcio certificate authority and Rekor transparency log (default)
|
||||
* Hardware and KMS signing
|
||||
* Signing with a Cosign-generated encrypted private/public keypair
|
||||
* Container signing, verification and storage in an OCI registry.
|
||||
* Bring-your-own public key infrastructure (PKI)
|
||||
|
||||
|
||||
## Usage
|
||||
|
||||
### Verify a container image
|
||||
|
||||
To verify the image, specify a certificate subject
|
||||
and a certificate issuer using the `--certificate-identity` and
|
||||
`--certificate-oidc-issuer` flags:
|
||||
|
||||
```shell
|
||||
$ podman run registry.opensuse.org/opensuse/cosign:2.4 \
|
||||
verify $IMAGE \
|
||||
--certificate-identity=$IDENTITY \
|
||||
--certificate-oidc-issuer=$OIDC_ISSUER
|
||||
```
|
||||
|
||||
You can also provide a regex for the certificate identity and issuer flags,
|
||||
`--certificate-identity-regexp` and `--certificate-oidc-issuer-regexp`. For more information, see
|
||||
[Keyless verification using OpenID Connect](https://docs.sigstore.dev/cosign/verifying/verify/#keyless-verification-using-openid-connect).
|
||||
|
||||
### Verify a container image against a public key
|
||||
|
||||
The `verify` command returns `0` if *at least one* `cosign`-formatted signature for
|
||||
the image is found matching the public key. See the detailed usage below for
|
||||
information and caveats on other signature formats.
|
||||
|
||||
Valid payload is printed to stdout, in JSON format. Note that the
|
||||
signed payload includes the digest of the container image, which indicated that these "detached" signatures apply to the correct image.
|
||||
|
||||
```shell
|
||||
$ podman run registry.opensuse.org/opensuse/cosign:2.4 verify --key cosign.pub $IMAGE_URI:1h
|
||||
The following checks were performed on these signatures:
|
||||
- The cosign claims were validated
|
||||
- The signatures were verified against the specified public key
|
||||
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8"},"Type":"cosign container image signature"},"Optional":null}
|
||||
```
|
||||
|
||||
For more use cases and information, refer to the
|
||||
[sigstore cosign Quickstart](https://docs.sigstore.dev/quickstart/quickstart-cosign/).
|
||||
|
||||
## Licensing
|
||||
|
||||
`SPDX-License-Identifier: Apache-2.0`
|
||||
|
||||
This documentation and the build recipe are licensed as Apache-2.0.
|
||||
The container itself contains various software components under various open source licenses listed in the associated
|
||||
Software Bill of Materials (SBOM).
|
||||
|
||||
This image is based on [openSUSE Tumbleweed](https://get.opensuse.org/tumbleweed/).
|
10
_service
Normal file
10
_service
Normal file
@ -0,0 +1,10 @@
|
||||
<services>
|
||||
<service mode="buildtime" name="docker_label_helper"/>
|
||||
<service mode="buildtime" name="kiwi_metainfo_helper"/>
|
||||
<service name="replace_using_package_version" mode="buildtime">
|
||||
<param name="file">Dockerfile</param>
|
||||
<param name="regex">%%cosign_version%%</param>
|
||||
<param name="package">cosign</param>
|
||||
<param name="parse-version">patch</param>
|
||||
</service>
|
||||
</services>
|
24
cosign-image.changes
Normal file
24
cosign-image.changes
Normal file
@ -0,0 +1,24 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 25 11:56:16 UTC 2024 - SUSE Update Bot <bci-internal@suse.de>
|
||||
|
||||
- Add line breaks into package version check
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Nov 24 08:03:54 UTC 2024 - SUSE Update Bot <bci-internal@suse.de>
|
||||
|
||||
- Add major version tag
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 13 13:40:15 UTC 2024 - SUSE Update Bot <bci-internal@suse.de>
|
||||
|
||||
- ship with openSUSE-build-keys
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 30 15:34:45 UTC 2024 - SUSE Update Bot <bci-internal@suse.de>
|
||||
|
||||
- remove nonsensical org.opencontainers.image.authors - duplication of .vendor
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 30 12:55:17 UTC 2024 - SUSE Update Bot <bci-internal@suse.de>
|
||||
|
||||
- First version of the cosign BCI
|
Loading…
Reference in New Issue
Block a user