# cosign
> Container Signing, Verification and Storage in an OCI registry.
> More information: <https://github.com/sigstore/cosign>.
- Generate a key-pair:
`cosign generate-key-pair`
- Sign a container and store the signature in the registry:
`cosign sign --key {{cosign.key}} {{image}}`
- Sign a container image with a key pair stored in a Kubernetes secret:
`cosign sign --key k8s://{{namespace}}/{{key}} {{image}}`
- Sign a blob with a local key pair file:
`cosign sign-blob --key {{cosign.key}} {{path/to/file}}`
- Verify a container against a public key:
`cosign verify --key {{cosign.pub}} {{image}}`
- Verify images with a public key in a Dockerfile:
`cosign dockerfile verify --key {{cosign.pub}} {{path/to/Dockerfile}}`
- Verify an image with a public key stored in a Kubernetes secret:
`cosign verify --key k8s://{{namespace}}/{{key}} {{image}}`
- Copy a container image and its signatures:
`cosign copy {{example.com/src:latest}} {{example.com/dest:latest}}`