...
Cosign is a command line utility that can sign and verify software artifact, such as container images and blobs.
In Kubernetes, we can use FluxCD and Kyverno to verify Helmcharts and Docker images respectively.
Installation
https://docs.sigstore.dev/system_config/installation/
...
Script to Sign Helm Charts and Docker Images
Code Block | ||||
---|---|---|---|---|
| ||||
#!/bin/bash #source optional env file set -a . ~/cosign/env set -e +a #************ SAMPLE ENV FILE ************ #BUILD="22.0.1-4040670" #SRE_BUILD="23.2.0-3610795" #OCI_REPO="xxx.azurecr.io" #OCI_REPO_USERNAME=xxx #OCI_REPO_PASSWORD="xxx" #COSIGN_PRIVATE_KEY="-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY----- #... #-----END ENCRYPTED SIGSTORE PRIVATE KEY-----" #COSIGN_PUBLIC_KEY="-----BEGIN PUBLIC KEY----- #... #-----END PUBLIC KEY-----" export COSIGN_PASSWORD="" signArtifact () { cosign sign --yes --key env://COSIGN_PRIVATE_KEY \ --registry-username="${OCI_REPO_USERNAME}" \ --registry-password="${OCI_REPO_PASSWORD}" \ ${OCI_REPO}/$1 } verifyArtifact(){ cosign verify --key env://COSIGN_PUBLIC_KEY \ --registry-username="${OCI_REPO_USERNAME}" \ --registry-password="${OCI_REPO_PASSWORD}" \ ${OCI_REPO}/$1 >/dev/null } source images.src source charts.src images=(${images[@]}) charts=(${charts[@]}) requiredBins=( "cosign" ) for bin in "${requiredBins[@]}"; do if ! command -v ${bin} &> /dev/null then echo "Required command ${bin} could not be found, please install and re-run" exit fi done echo echo "==================" echo "SIGNING CHARTS" echo "==================" for chart in "${charts[@]}"; do chartName=`echo ${chart}|sed 's/:.*//'` chartVersion=`echo ${chart}|sed -e 's/.*://'` echo "ChartName: ${chartName}" echo "ChartVersion: ${chartVersion}" echo "------------------" signArtifact charts/${chartName}:${chartVersion} verifyArtifact charts/${chartName}:${chartVersion} echo "------------------" done echo echo "==================" echo "SIGNING IMAGES" echo "==================" for image in "${images[@]}"; do imageNameAndVersion=`echo $image |sed 's:[^/]*/\(.*\):\1:'` imageName=`echo ${imageNameAndVersion}|sed -e 's/:.*//'` imageVersion=`echo ${imageNameAndVersion}|sed -e 's/.*://'` echo "Image Name: ${imageName}" echo "Image Version: ${imageVersion}" echo "------------------" signArtifact ${imageName}:${imageVersion} verifyArtifact ${imageName}:${imageVersion} echo "------------------" done echo "" echo "DONE!" |
...
Code Block | ||
---|---|---|
| ||
charts=( "mychart:$BUILD" "ckaf/kafka/rocky8:8.4.2-7.3.1-7486" ) |
Helpful Scripts
Install latest helm
Code Block |
---|
https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash |
Login to Helm Registry
Code Block |
---|
helm registry login ncydacrinprogress.azurecr.io --username ncydacrinprogress --password xxx |
Push Chart
Code Block |
---|
helm push ssh-server-0.1.0.tgz oci://ncydacrinprogress.azurecr.io/charts |
List artifacts in Azure Container Registry
Code Block |
---|
az acr login --name ncydacrinprogress.azurecr.io -u ncydacrinprogress -p xxxx
az acr repository list --name ncydacrinprogress.azurecr.io -u ncydacrinprogress -p xxxx -o tsv
|
Output
Code Block |
---|
acm/agent
acm/block-provider
acm/frontend
acm/maria-db
acm/mockserver
acm/server
atlassian/jira-software
azuremonitor/containerinsights/ciprod
bats/bats
bitnami/nginx
... |
Using ORAS
Install
Code Block |
---|
brew install oras |
Login
Code Block |
---|
oras login ${OCI_REPO} --username ${OCI_REPO_USERNAME} --password ${OCI_REPO_PASSWORD} |
List Artifacts
Code Block |
---|
oras repo ls ${OCI_REPO}/ |
Get Latest Tag
Code Block |
---|
oras repo tags ${OCI_REPO}/${artifact} | tail -n 1 |
References
Reference | URL |
---|---|
Cosign Quickstart | https://docs.sigstore.dev/signing/quickstart/ |
Prove the Authenticity of OCI Artifacts | https://fluxcd.io/blog/2022/10/prove-the-authenticity-of-oci-artifacts/ |
Signing and Verifying OCI Artifacts | https://fluxcd.io/flux/cheatsheets/oci-artifacts/#signing-and-verification |
Security: Image Provenance | https://fluxcd.io/blog/2022/02/security-image-provenance/ |
Sign and Verify Container Images with Docker, Cosign, and Kyverno: A Complete Guide | https://medium.com/@seifeddinerajhi/sign-and-verify-container-images-with-cosign-and-kyverno-a-complete-guide-b32b1f6e6264 |
Sigstore | https://kyverno.io/docs/writing-policies/verify-images/sigstore/ |