Versions Compared

Old Version 32

changes.mady.by.user John

Saved on

compared with

New Version Current

changes.mady.by.user John

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Cosign is a command line utility that can sign and verify software artifact, such as container images and blobs.

In Kubernetes, we can use FluxCD and Kyverno to verify Helmcharts and Docker images respectively.


Image Added




Installation

https://docs.sigstore.dev/system_config/installation/

...

Code Block
titlecharts.src
charts=(
  "mychart:$BUILD"
  "ckaf/kafka/rocky8:8.4.2-7.3.1-7486" 
)


Helpful Scripts

Install latest helm

Code Block
https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash


Login to Helm Registry

Code Block
helm registry login ncydacrinprogress.azurecr.io --username ncydacrinprogress --password xxx


Push Chart

Code Block
helm push ssh-server-0.1.0.tgz oci://ncydacrinprogress.azurecr.io/charts


List artifacts in Azure Container Registry

Code Block
az acr login --name ncydacrinprogress.azurecr.io -u ncydacrinprogress -p xxxx

az acr repository list --name ncydacrinprogress.azurecr.io -u ncydacrinprogress -p xxxx -o tsv


Output

Code Block
acm/agent
acm/block-provider
acm/frontend
acm/maria-db
acm/mockserver
acm/server
atlassian/jira-software
azuremonitor/containerinsights/ciprod
bats/bats
bitnami/nginx
...


Using ORAS

https://oras.land


Install

Code Block
brew install oras


Login

Code Block
oras login ${OCI_REPO} --username ${OCI_REPO_USERNAME} --password ${OCI_REPO_PASSWORD}


List Artifacts

Code Block
oras repo ls ${OCI_REPO}/


Get Latest Tag

Code Block
oras repo tags ${OCI_REPO}/${artifact}  | tail -n 1




References

ReferenceURL
Cosign Quickstarthttps://docs.sigstore.dev/signing/quickstart/
Prove the Authenticity of OCI Artifactshttps://fluxcd.io/blog/2022/10/prove-the-authenticity-of-oci-artifacts/
Signing and Verifying OCI Artifactshttps://fluxcd.io/flux/cheatsheets/oci-artifacts/#signing-and-verification
Security: Image Provenancehttps://fluxcd.io/blog/2022/02/security-image-provenance/

Sign and Verify Container Images with Docker, Cosign, and Kyverno: A Complete Guide

https://medium.com/@seifeddinerajhi/sign-and-verify-container-images-with-cosign-and-kyverno-a-complete-guide-b32b1f6e6264

Sigstore

https://kyverno.io/docs/writing-policies/verify-images/sigstore/