2021-10-20 19:52:32 +01:00
|
|
|
# cosign
|
|
|
|
|
|
|
|
|
|
> Container Signing, Verification and Storage in an OCI registry.
|
|
|
|
|
> More information: <https://github.com/sigstore/cosign>.
|
|
|
|
|
|
|
|
|
|
- Generate a key-pair:
|
|
|
|
|
|
|
|
|
|
`cosign generate-key-pair`
|
|
|
|
|
|
|
|
|
|
- Sign a container and store the signature in the registry:
|
|
|
|
|
|
|
|
|
|
`cosign sign -key {{cosign.key}} {{image}}`
|
|
|
|
|
|
|
|
|
|
- Sign a container image with a key pair stored in a Kubernetes secret:
|
|
|
|
|
|
|
|
|
|
`cosign sign -key k8s://{{namespace}}/{{key}} {{image}}`
|
|
|
|
|
|
|
|
|
|
- Sign a blob with a local key pair file:
|
|
|
|
|
|
2022-12-04 09:12:49 +00:00
|
|
|
`cosign sign-blob --key {{cosign.key}} {{path/to/file}}`
|
2021-10-20 19:52:32 +01:00
|
|
|
|
|
|
|
|
- Verify a container against a public key:
|
|
|
|
|
|
|
|
|
|
`cosign verify -key {{cosign.pub}} {{image}}`
|
|
|
|
|
|
|
|
|
|
- Verify images with a public key in a Dockerfile:
|
|
|
|
|
|
|
|
|
|
`cosign dockerfile verify -key {{cosign.pub}} {{path/to/Dockerfile}}`
|
|
|
|
|
|
|
|
|
|
- Verify an image with a public key stored in a Kubernetes secret:
|
|
|
|
|
|
|
|
|
|
`cosign verify -key k8s://{{namespace}}/{{key}} {{image}}`
|
|
|
|
|
|
|
|
|
|
- Copy a container image and its signatures:
|
|
|
|
|
|
|
|
|
|
`cosign copy {{example.com/src:latest}} {{example.com/dest:latest}}`
|
