
Can we detail the power of today's cosign features?

Open Simkiw opened this issue 3 years ago • 2 comments

Hi team,

I'm experimenting with cosign (sigstore). What I've done so far:

  1. Push the non-signed image to the repo
  2. Sign the image
  3. Pull the image (signed)

DCT is not compatible, according to "cosign incompatible with DCT".

That means: I can't verify the signature using DCT. Which means, I would have to use cosign verify <myPublicKey> <remoteRepo/image:tag> any time I want to make sure I'm pulling signed images, right?

Q1: On the other hand, can cosign/sigstore verify images signed by notary/DCT? (since it's not compatible, I guess it's also a no)

Q2: And finally, and this is something I could not find in the docs, what would be the advantages of signing an image multiple times (using different keys)? Like, how does it reinforce security? (Do you have to verify all signatures, or is one enough?)

If it's all the signatures, it could make sense, but if it's verifying just one ... it makes me wonder.

Q3: Finally, it says it can sign any file (and not just Dockerfiles). Does that mean config files as well?? Docker-compose files too? Kubernetes YAML files??

I haven't come to those tests yet, but I've read some issues related to DCT and thought it might be interesting to ask.

If you have anything to suggest that I can check out, let me know. These are just the ideas that crossed my mind so far.
(asking, that's the beauty of experimenting)

PS: I'm not saying the docs are not good, no, they actually have a lot of information, illustrated with examples.
It's just that sometimes there is no context provided and, if I speak for myself, I can't really understand how great the feature is.

Thank you

Simkiw avatar Jun 01 '22 15:06 Simkiw
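As an added illustration of Q2 (example code, not code from the cosign project): a model of how `cosign verify --key` treats a signature manifest that carries several signatures. It keeps cosign's real signed-payload layout, layer media type and annotation key, but uses HMAC-SHA256 as a constructed stand-in for the ECDSA-P256 signatures real cosign keys produce; the image reference, digest and keys are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Media type and annotation key cosign uses for the layers of the
# `sha256-<digest>.sig` signature manifest it stores next to the image.
SIG_MEDIA_TYPE = "application/vnd.dev.cosign.simplesigning.v1+json"
SIG_ANNOTATION = "dev.cosignproject.cosign/signature"

def simple_signing_payload(image_ref, manifest_digest):
    """The JSON cosign actually signs. It binds the image's manifest digest,
    not its tag, so re-pushing the tag does not inherit the signature."""
    body = {"critical": {"identity": {"docker-reference": image_ref},
                         "image": {"docker-manifest-digest": manifest_digest},
                         "type": "cosign container image signature"},
            "optional": None}
    return json.dumps(body, separators=(",", ":"), sort_keys=True).encode()

def sign_layer(payload, key):
    """One signature layer. HMAC-SHA256 is a constructed stand-in for the
    ECDSA-P256 signature a real cosign key pair would produce."""
    sig = base64.b64encode(hmac.new(key, payload, hashlib.sha256).digest())
    return {"mediaType": SIG_MEDIA_TYPE,
            "digest": "sha256:" + hashlib.sha256(payload).hexdigest(),
            "annotations": {SIG_ANNOTATION: sig.decode()}}

def verify(sig_manifest, blobs, key, manifest_digest):
    """Mirror `cosign verify --key`: pass if ANY layer verifies under this
    key and its payload names the digest being pulled. Signatures made
    with other keys are simply skipped, not treated as failures."""
    for layer in sig_manifest["layers"]:
        payload = blobs[layer["digest"]]
        claimed = json.loads(payload)["critical"]["image"]["docker-manifest-digest"]
        if claimed != manifest_digest:
            continue  # a signature over some other image build
        want = hmac.new(key, payload, hashlib.sha256).digest()
        got = base64.b64decode(layer["annotations"][SIG_ANNOTATION])
        if hmac.compare_digest(want, got):
            return True
    return False

def verify_all(sig_manifest, blobs, keys, manifest_digest):
    """An "every team must have signed" policy is one verify per key;
    a single verify call never requires more than one matching signature."""
    return all(verify(sig_manifest, blobs, k, manifest_digest) for k in keys)

# Constructed sample: one image signed twice, by a build key and a QA key.
IMAGE_DIGEST = "sha256:" + "ab" * 32
PAYLOAD = simple_signing_payload("registry.example/app:v1", IMAGE_DIGEST)
BLOBS = {"sha256:" + hashlib.sha256(PAYLOAD).hexdigest(): PAYLOAD}
BUILD_KEY, QA_KEY, OTHER_KEY = b"build-key", b"qa-key", b"unrelated-key"
SIG_MANIFEST = {"layers": [sign_layer(PAYLOAD, BUILD_KEY), sign_layer(PAYLOAD, QA_KEY)]}
```

Verifying with the build key or the QA key alone succeeds, an unrelated key fails, and a "both must have signed" rule only holds if you run the check once per key.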

*Config files could be signed, it's written in the docs ;) But any idea if docker-compose files could be signed by Cosign?
The docs say artifacts targeting Dockerfiles and OCI, and later on they say text files, so ... I'm still in doubt about docker-compose.

Simkiw avatar Jun 08 '22 12:06 Simkiw

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Aug 19 '22 02:08 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Aug 25 '22 02:08 github-actions[bot]