cosign

cosign copied to clipboard

Has anyone had success signing an windows executable? (SignTool)

1

**Question** https://docs.microsoft.com/pt-br/windows/win32/seccrypto/signtool https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode

jean3x7

What are you wondering about?

2

**Question** There was brief mention of using co-sign to ensure an authorized base image was used, can anyone give some detail? I used to have content trust enabled but when...

zfLQ2qx2

Verify --local-image from save does not seem to detect [malicious] changes from layers

2

**Question** I am trying to prove out a workflow to be able to sign, save and transport container images to an air-gapped system to later verify and load into docker...

DanStory

adding HashiCorp Vault namespaces examples to KMS doc

4

Signed-off-by: nicolaka Summary I updated the KMS.md doc with additional details on using Vault Namespaces with cosign. Ticket Link Fixes Release Note NONE

nicolaka

feat(attest): custom annotations support

9

Signed-off-by: Batuhan Apaydın #### Summary This PR will add custom annotation support to both attest and verify-attestation commands. #### Ticket Link Fixes #1773 #### Release Note ```release-note feat(attest): custom annotations...

developer-guy

Can we detail the power of today's cosign features?

2

Hi team, I'm experimenting cosign (sigstore). What i've done so far: 1. Push the non-signed image to the repo 2. Sign the image 3. Pull the image (signed) DCT is...

Simkiw

Refactor + Minor Fixes in key gen and key import commands

2

Refactors: - [X] Use the `ConfirmPrompt` function everywhere instead of rolling prompt implementation everywhere. - [ ] Move `pkg/cosign/common.go` to internal package. - [ ] Maybe have a single function...

sbs2001

Signed-off-by: Kenny Leung #### Summary this updates the fulcio dep from 0.1.2 to 0.5.2. #### Release Note NONE #### Documentation

k4leung4

Propose modifying cosign blob signing and verification to produce a single complete signature file to support simple signing and offline verification.

8

Details of this proposal available in this [Google Doc.](https://docs.google.com/document/d/1gucjOA_bGyRjK6TeaOI-X5GIUv8WsPzeMDMkq25Kv4Y/edit#heading=h.we5fqok7jai5) ### Summary The current `sign-blob` command and documentation steer the user towards producing two files (raw sig and cert) for each...

patflynn

cosign cli doesn't recognize `.../cryptoKeyVersions/$KEY_VERSION`

5

I want to use cosign cli to verify a signature that was generated using `sigstore` pkg with a gcp kms ref `gcpkms://projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY/cryptoKeyVersions/$KEY_VERSION`. ``` export KEY_REF=gcpkms://projects/chuangw-test/locations/global/keyRings/test/cryptoKeys/mykey/cryptoKeyVersions/1 cosign verify-blob --key $KEY_REF --signature...

chuangw6