
Can I use cosign to verify local images?

Open neblen opened this issue 3 years ago • 6 comments

Question

I pull images from an image registry and I want to verify these local images. Can I use cosign to verify local images? These images have been signed by cosign in the remote registry.

neblen avatar Mar 09 '22 08:03 neblen

You can check the image before pulling, for example:

I have no images locally

$ docker images
REPOSITORY   TAG       IMAGE ID   CREATED   SIZE

I want to check an image

$ COSIGN_EXPERIMENTAL=1 cosign verify gcr.io/projectsigstore/cosign:v1.6.0

Verification for gcr.io/projectsigstore/cosign:v1.6.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"gcr.io/projectsigstore/cosign"},"image":{"docker-manifest-digest":"sha256:b667002156c4bf9fedd9273f689b800bb5c341660e710e3bbac981c9795423d9"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIQDKOjHLFQDrOfI0FGxaOUVcrvuh639SwV+4rhim2cg3ZAIgctpg49VMRpvKJ5ENfLuma6vcfaoxaWa6i8GaRhF/HLo=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2ZDI3N2QyMWNlNDJmODgzNjM0ZGYyMTM5MzhjNGUxOGYzNTI0N2I5OGZiYmZlY2ExNzY1MWE1MjQ1MjIxYmEwIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUNMOEJFKzdmeWJyNjZDK1RlNEs4NTBoNEFmb2dEand3WkhFaEtYQjkyL3RRSWdjS0luQkVkWHFoWHBYeDJWRFVjZmxwOUMxdlFrQXUwZHRIczdadEYzd213PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTk1WRU5EUVdKTFowRjNTVUpCWjBsVVkwdDNURWxSTUVGdGVISlZTRlZtVkhKaWJDOW9aM05YZEdwQlMwSm5aM0ZvYTJwUFVGRlJSRUY2UVhFS1RWSlZkMFYzV1VSV1VWRkxSWGQ0ZW1GWFpIcGtSemw1V2xNMWExcFlXWGhGVkVGUVFtZE9Wa0pCVFZSRFNFNXdXak5PTUdJelNteE5RalJZUkZSSmVRcE5SRTEzVGtSQk5FMVVTVEJQVm05WVJGUkplVTFFVFhkT1JFRTBUV3BKTUU5R2IzZEJSRUphVFVKTlIwSjVjVWRUVFRRNVFXZEZSME5EY1VkVFRUUTVDa0YzUlVoQk1FbEJRa2huVDBsSmJGUkRMMUpQUW1kVFNtbG9VMkZxYlRoVGNrdGtSRmcyYXk5a2VXZzFVMHRoYTNCWlVUSkxUR0ZUZFd3eGRrSTFMeThLVEVkVk1pOUlTM0JtZFV4VWRqZ3ZUaXRCTTI1R1lrVmhTakp1YlRGaFpXcG5aVUYzWjJRd2QwUm5XVVJXVWpCUVFWRklMMEpCVVVSQloyVkJUVUpOUndwQk1WVmtTbEZSVFUxQmIwZERRM05IUVZGVlJrSjNUVVJOUVhkSFFURlZaRVYzUlVJdmQxRkRUVUZCZDBoUldVUldVakJQUWtKWlJVWkNZVE5XTTBOb0NrWkZZbk01V214SVowNTBhRlUwV1ZVeVlrUjBUVUk0UjBFeFZXUkpkMUZaVFVKaFFVWkdha0ZJYkN0U1VtRldiWEZZY2sxclMwZFVTWFJCY1hoaldEWUtUVVF3UjBFeFZXUkZVVVZDTDNkUmVrMUVSMEpNTW5Sc1pWZDRiR016VGtGalNFcDJZVzFXYW1SSVRuQmFNMDR3WWpOS2JFeHRiR2hpVXpWdVl6SldlUXBrYld4cVdsZEdhbGt5T1RGaWJsRjFXVEk1ZEUxRGEwZERhWE5IUVZGUlFtYzNPSGRCVVVWRlJ6Sm9NR1JJUW5wUGFUaDJXVmRPYW1JelZuVmtTRTExQ2xveU9YWmFNbmhzVEcxT2RtSlVRVXRDWjJkeGFHdHFUMUJSVVVSQmQwNXdRVVJDYlVGcVJVRnROV013UWtSYVdVOXpNMDByZGxRd01
DdDFXbEJXZDJnS1RHNXdORXB5TWs0dmFXTnpPV0ZLWXk5UFNrb3ZRa1JIWTIwMVMzRnFTVkYzZDFVeVR6UnBaRUZxUlVFNU9FeHlXR3RhUlhoaE1UWlFSM2t6VGxOVlJBcEZkakZpVUhGNU5tbzBaRkZCUzBzM1dXOVlXRlpNY0hkbU16SjBaSE5aWW14aFFYQnlVakZ0Y2sxTGJ3b3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENnPT0ifX19fQ==","integratedTime":1646381571,"logIndex":1556936,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"GIT_HASH":"4b2c3c0c8ee97f31b9dac3859b40e0a48b8648ee","GIT_VERSION":"v1.6.0","Issuer":"https://accounts.google.com","Subject":"[email protected]"}}]

Then I can pull the image if I want.

cpanato avatar Mar 09 '22 08:03 cpanato

Thank you for your reply! I know this usage. But when someone modifies the local images, I can't verify these local images. If I am worried about the safety of these local images, I need to delete these images and pull the images again from the remote registry.

neblen avatar Mar 09 '22 09:03 neblen

Ahh, you can use the flag --local-image, but for that you need to have the image saved using cosign save.

cpanato avatar Mar 09 '22 14:03 cpanato

@cpanato Thank you very much. When I use the command cosign save, there are some problems.

./cosign sign -key cosign.key dev.harbor.com/test/hello-world:v1
WARNING: the flag -key is deprecated and will be removed in a future release. Please use the flag --key.
an error occurred: no provider found for that key reference, will try to load key from disk...
Enter password for private key: Pushing signature to: dev.harbor.com/test/hello-world

[user@harbor-user-2-5 cosign]# ./cosign save dev.harbor.com/test/hello-world:v1 --dir=/home
Error: getting signatures: GET https://dev.harbor.com/v2/test/hello-world/manifests/sha256-f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4.sig: PROJECTPOLICYVIOLATION: The image is not signed in Cosign.
main.go:46: error during command execution: getting signatures: GET https://dev.harbor.com/v2/test/hello-world/manifests/sha256-f54a58bc1aac5ea1a25d796aexxxxxxc228b3f0e11d046ae276b39c4bf2xxxxxxx.sig: PROJECTPOLICYVIOLATION: The image is not signed in Cosign.

Could you please provide some usage examples? Thank you so much!

neblen avatar Mar 09 '22 15:03 neblen

@cpanato @neblen What do you do with a saved local image once it's been verified? How do you now run that image? Does it need to be sent back to the registry first?

adammfrank avatar Apr 25 '22 15:04 adammfrank

sorry for the delay, missed this notification :(

I've run that using:

$ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v1.8.0
GitCommit:     9ef6b207218572b3257a5b4251418d75569baaae
GitTreeState:  clean
BuildDate:     2022-04-27T13:40:34Z
GoVersion:     go1.17.9
Compiler:      gc
Platform:      darwin/arm64

save:

$ cosign save ghcr.io/sigstore/cosign/cosign:v1.8.0 --dir=/tmp

verify:

$ export COSIGN_EXPERIMENTAL=true
$ cosign verify --local-image /tmp

Verification for /tmp --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"gcr.io/projectsigstore/cosign"},"image":{"docker-manifest-digest":"sha256:12b4d428529654c95a7550a936cbb5c6fe93a046ea7454676cb6fb0ce566d78c"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIQDHwZnXU3V2fZHMn2RdDZewIemjMOIUlMWnJYfdw3AqZAIgfDqV5azShQfNzwSEHw5XJ81ipI0nbRxmsQAkeEFkDiM=","Payload":{"body":"...","integratedTime":1651068443,"logIndex":2163451,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"GIT_HASH":"9ef6b207218572b3257a5b4251418d75569baaae","GIT_VERSION":"v1.8.0","Issuer":"https://accounts.google.com","Subject":"[email protected]"}}]

cpanato avatar May 05 '22 11:05 cpanato
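The two answers above show the two halves of the workflow: `cosign verify` against a registry reference before pulling, and `cosign save` followed by `cosign verify --local-image` against a directory on disk. Both print a JSON array in which each entry carries the `critical.identity.docker-reference`, the manifest digest, and (for keyless signatures) the `Issuer` and `Subject` of the signing certificate. cosign checks the cryptography and the transparency-log entry; whether the signature was made by the signer you expected, for the image name you expected, is a policy decision the caller still has to make on that output. The following script is an added example, not code from the cosign project or from anyone in this thread. It wraps the save-then-verify-locally sequence with `subprocess` and applies such an identity policy to the parsed output. It assumes cosign v1.x is on `PATH`, that the `COSIGN_EXPERIMENTAL` keyless mode used in the thread is in effect, and that cosign writes the signature array to stdout; the `SignerPolicy` values, the `acme` image name and the digests in the embedded sample are all constructed placeholders.

```python
"""Added example: apply an identity policy to `cosign verify` output.

cosign (v1.x, as used in the thread) prints a JSON array of the signatures
that passed verification.  This script runs `cosign save` and
`cosign verify --local-image` on a directory and then accepts a signature
only when it names the expected image and signer.  Policy values and the
sample output below are constructed for illustration, not taken from the
thread.
"""
import json
import os
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class SignerPolicy:
    docker_reference: str  # image name the signature must name (hypothetical example value below)
    issuer: str            # OIDC issuer expected in the Fulcio certificate
    subject: str           # signer identity expected in the Fulcio certificate


# Hypothetical policy: only the release identity of "acme" may sign this image.
EXAMPLE_POLICY = SignerPolicy(
    docker_reference="ghcr.io/acme/app",
    issuer="https://accounts.google.com",
    subject="release@acme.example",
)

# Constructed sample of `cosign verify` output in the shape the thread shows:
# a checklist header followed by a JSON array.  The first signature matches
# EXAMPLE_POLICY; the second was made by a different subject.
SAMPLE_OUTPUT = (
    "Verification for /tmp --\n"
    "The following checks were performed on each of these signatures:\n"
    "  - The cosign claims were validated\n"
    + json.dumps([
        {"critical": {"identity": {"docker-reference": "ghcr.io/acme/app"},
                      "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
                      "type": "cosign container image signature"},
         "optional": {"Issuer": "https://accounts.google.com",
                      "Subject": "release@acme.example"}},
        {"critical": {"identity": {"docker-reference": "ghcr.io/acme/app"},
                      "image": {"docker-manifest-digest": "sha256:" + "cd" * 32},
                      "type": "cosign container image signature"},
         "optional": {"Issuer": "https://accounts.google.com",
                      "Subject": "intern@acme.example"}},
    ])
)


def run_cosign(args, env_extra=None) -> str:
    """Run cosign with the given arguments and return its stdout."""
    env = dict(os.environ, **(env_extra or {}))
    proc = subprocess.run(["cosign", *args], check=True,
                          capture_output=True, text=True, env=env)
    return proc.stdout


def extract_signatures(cosign_output: str) -> list:
    """Return the JSON array of verified signatures from cosign output.

    Parsing starts at the first '[' so the header lines (which cosign
    prints separately) are skipped if they were captured too.
    """
    start = cosign_output.find("[")
    if start < 0:
        raise ValueError("no signature array found in cosign output")
    return json.loads(cosign_output[start:])


def matching_digests(signatures: list, policy: SignerPolicy) -> list:
    """Digests of signatures that satisfy the policy, in output order.

    cosign has already checked signature, certificate chain and log entry;
    this filters on *who* signed *which* image name, which cosign v1 leaves
    to the caller.  An empty result means the image must not be run.
    """
    accepted = []
    for sig in signatures:
        crit = sig.get("critical", {})
        opt = sig.get("optional") or {}
        if crit.get("type") != "cosign container image signature":
            continue
        if crit.get("identity", {}).get("docker-reference") != policy.docker_reference:
            continue
        if opt.get("Issuer") != policy.issuer or opt.get("Subject") != policy.subject:
            continue
        accepted.append(crit["image"]["docker-manifest-digest"])
    return accepted


def save_and_verify(image_ref: str, out_dir: str, policy: SignerPolicy) -> list:
    """Save image_ref and its signatures to out_dir, verify the saved copy
    without contacting the registry, and return the accepted digests."""
    env = {"COSIGN_EXPERIMENTAL": "1"}
    run_cosign(["save", image_ref, "--dir", out_dir], env)
    output = run_cosign(["verify", "--local-image", out_dir], env)
    return matching_digests(extract_signatures(output), policy)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; a real run would call
    # save_and_verify("ghcr.io/acme/app:v1", "/tmp/app", EXAMPLE_POLICY).
    print(matching_digests(extract_signatures(SAMPLE_OUTPUT), EXAMPLE_POLICY))
```

Matching on `docker-reference` is what ties the signature to the name you asked for: a valid signature over the same digest but made for some other image name, or by an identity outside the policy, is rejected even though cosign reported it as verified. Later cosign releases move this kind of check into flags on `cosign verify` itself; the script shows what the check is, on the output format the thread displays.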

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Aug 21 '22 02:08 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Aug 26 '22 02:08 github-actions[bot]