cosign

Code signing and transparency for containers and binaries

Results 291 cosign issues

**Description** Have cosign on the developer's machine run the same build, creating a signature locally and then sending the signature to the remote in machine, where it is checked and...

enhancement

**Description** I failed to verify a docker image against the transparency log with rekor-cli verify: ``` $ rekor-cli verify --signature mor.sig --artifact https://registry.hub.docker.com/morwn/hello-container --public-key cosign.pub error: error retrieving external entities: invalid...

bug

**Description** The `--k8s-keychain` flag (e.g., in [`cosign sign`](https://github.com/sigstore/cosign/blob/main/doc/cosign_sign.md)) is > `whether to use the kubernetes keychain instead of the default keychain (supports workload identity).` This is a bit of a...

enhancement

If you run `cosign sign container.registry.io/foo:tag`, then you're vulnerable to: 1. Race conditions, where `:tag` changed. Immutable tags help with this, but it's hard for cosign to know whether a...

bug
good first issue

When running `COSIGN_EXPERIMENTAL=1 cosign sign-blob foo.bin --output-signature sig --output-certificate foo.pem` I found that the contents of foo.pem was: ``` ➜ signing-playground cat service.pem … % ``` running this through base64...

enhancement

**Description** Based on the talk in Slack[^1] with @imjasonh, it'd be better for consistency to use the `skip-information` flag for clean cmd in addition to the `force` flag. The whole...

enhancement

**Description** Here in README.md[^1] and sigstore.dev[^2], the `COSIGN_REPOSITORY` env variable looks like it can only be used for storing signatures in the given repository. Still, it can be used to...

enhancement

The GitHub provider somewhat blindly requests tokens from the GitHub provider and returns them to the application. The provider should probably do some verification on the token to make sure...

enhancement

**Description** In `cosign dockerfile verify`, verification options like `--certificate` and `--certificate-oidc-issuer` are passed as command-line arguments. This leaves the user burdened with mapping certificate criteria to images externally, and for...

enhancement

**Description** Currently, `cosign` has the `copy` command only in `cli`. But it will be very useful if it is included as a shared `pkg` so that it is reusable. I...

enhancement