Sign and verify with key
Generate key pair
The first step towards signing your software is to generate a key pair. Under the hood, cosign generates an ECDSA (Elliptic Curve Digital Signature Algorithm) key on the NIST P-256 curve (Go's elliptic.P256), but for now we can keep things simple. The command prompts for a password and writes two files: cosign.key, the private key, stored encrypted with that password, and cosign.pub, the public key you will hand to whoever needs to verify. Treat cosign.key like any other signing secret: anyone who holds it (and the password) can produce signatures that verify against cosign.pub.
cosign generate-key-pair
ls -la
Set image
We can follow the steps from this section to set the image. Let's ensure the IMAGE variable is set before going further, since both the sign and verify commands below read it.
echo $IMAGE
Sign the artifact
This signs the image's digest with the private key (you will be prompted for the key password) and pushes the signature to the OCI registry alongside the image, as a separate artifact under a tag derived from the digest. For this example, make sure you are logged in to Docker Hub from the CLI, since cosign needs push access to store the signature. If IMAGE is a tag rather than a digest, cosign warns about it: a tag can be repointed after signing, so prefer signing and verifying by digest (repo@sha256:...).
cosign sign --key cosign.key $IMAGE
Verify the artifact
cosign verify --key cosign.pub $IMAGE
Note the checks cosign reports for this method:
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
This method involves neither the transparency log (Rekor) nor short-lived certificates (Fulcio): trust rests entirely on the key pair, and verification succeeds for anything signed with cosign.key, whenever it was signed. We will learn about the log and the certificates in the later sections. Be aware that cosign v2 and later upload an entry to Rekor by default even for key-based signing; pass --tlog-upload=false to cosign sign (and --insecure-ignore-tlog to cosign verify) to reproduce the purely key-based flow shown here.
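The procedure above, as an added example that is not part of the original page or of the cosign project: a small script that wraps the key-based sign and verify steps with the two checks a practitioner wants around them, namely refusing a reference that is not pinned by digest, and knowing where in the registry the signature lands. It assumes cosign is on PATH, that you are logged in to the registry hosting IMAGE, and that COSIGN_PASSWORD holds the password chosen at generate-key-pair time (cosign reads that variable instead of prompting). The function names and the verify-output.json file name are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): key-based cosign sign/verify
# wrapped with the checks a practitioner wants. Assumes cosign is on PATH,
# that you are logged in to the registry hosting $IMAGE, and that
# COSIGN_PASSWORD holds the key password so cosign does not prompt.
set -u

# A reference is only worth signing if it is pinned by digest: a tag can be
# repointed after signing, so a signature over "repo:latest" would end up
# vouching for whatever the tag resolves to later. Accepts repo@sha256:<64 hex>.
require_digest() {
    digest="${1##*@sha256:}"
    if [ "$digest" = "$1" ] || [ "${#digest}" -ne 64 ]; then
        echo "refusing '$1': pin the image by digest (repo@sha256:...)" >&2
        return 1
    fi
    case "$digest" in
        *[!0-9a-f]*)
            echo "refusing '$1': digest is not lowercase hex" >&2
            return 1 ;;
    esac
    return 0
}

# Where cosign stores a key-based signature: as its own OCI artifact in the
# same repository, under the tag sha256-<digest>.sig. Knowing the tag lets you
# inspect or clean up signatures with ordinary registry tooling.
sig_tag_for() {
    repo="${1%%@*}"
    digest="${1##*@sha256:}"
    printf '%s:sha256-%s.sig\n' "$repo" "$digest"
}

# Key-based sign, then verify with the matching public key, failing fast on a
# tag-only reference. Verification output (JSON) is kept as an audit record;
# the "following checks were performed" summary goes to stderr.
sign_and_verify() {
    ref="$1"
    require_digest "$ref" || return 1
    cosign sign --key cosign.key "$ref" || return 1
    cosign verify --key cosign.pub "$ref" > verify-output.json || return 1
    echo "signature stored at $(sig_tag_for "$ref")"
}

# Only run the real flow when IMAGE is set and cosign is available; otherwise
# the functions above are just defined for reuse.
if [ -n "${IMAGE:-}" ] && command -v cosign >/dev/null 2>&1; then
    sign_and_verify "$IMAGE"
fi
```

On cosign v2 and later, add --tlog-upload=false to the sign command and --insecure-ignore-tlog to the verify command if you want the purely key-based behaviour described on this page; without them v2 also writes to and checks Rekor, and sign prompts for confirmation before uploading.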
Last update: 2022-11-24 05:02:08
Created: 2022-11-19 06:59:59