
Sign and verify with key

Generate key pair

The first step towards signing your software is to generate a key pair. Under the hood, cosign uses ECDSA (Elliptic Curve Digital Signature Algorithm) on the P-256 curve (Go's elliptic.P256) to generate the key pair, but let's not worry about that & keep things simple. The command prompts for a password, encrypts the private key with it, and writes the encrypted private key to cosign.key and the public key to cosign.pub.

cosign generate-key-pair


ls -la


Set image

We can follow the steps from that section to set the image. Let's make sure the IMAGE variable is set:

echo $IMAGE


Sign the artifact

This signs the image (cosign signs the image digest, so the signature covers that exact content) & pushes the signature to the OCI registry next to the image. You will be prompted for the password of cosign.key. For this example, make sure you are logged in to Docker Hub from the CLI.

cosign sign --key cosign.key $IMAGE


Verify the artifact

cosign verify --key cosign.pub $IMAGE


Observe the list of checks performed by this method:

The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

This method involves neither a transparency log nor short-lived certificates. We will learn about both in later sections.
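As an added illustration (not part of this page or of cosign's own code), the Go program below does in miniature what the three commands above do: generate an ECDSA P-256 key pair, emit the public key in the PEM layout of cosign.pub, sign a payload, and verify it against the PEM. The payload is a constructed stand-in for cosign's signed payload, and the private-key password encryption is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// GenerateKeyPair is what `cosign generate-key-pair` does underneath: an ECDSA P-256 key. The
// PEM has the PKIX "PUBLIC KEY" layout of cosign.pub (cosign also password-encrypts cosign.key).
func GenerateKeyPair() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), err
}

// Sign hashes the payload with SHA-256 and signs the digest (ASN.1 DER-encoded signature).
func Sign(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify parses a cosign.pub-style PEM and checks sig over payload, i.e. the
// "verified against the specified public key" step of `cosign verify --key`.
func Verify(pubPEM, payload, sig []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return fmt.Errorf("expected a PEM PUBLIC KEY block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes) // key is nil (so the assertion below fails) on error
	digest := sha256.Sum256(payload)
	if pub, ok := key.(*ecdsa.PublicKey); ok && ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil
	}
	return fmt.Errorf("not a usable ECDSA key or signature mismatch (parse error: %v)", err)
}

func main() {
	priv, pubPEM, _ := GenerateKeyPair()
	payload := []byte(`{"critical":{"image":{"docker-manifest-digest":"sha256:<placeholder>"}}}`) // constructed
	sig, _ := Sign(priv, payload)
	fmt.Println("genuine:", Verify(pubPEM, payload, sig), "| tampered:", Verify(pubPEM, append(payload, '!'), sig))
}
```

Running it prints `<nil>` for the genuine payload and an error for the tampered one, which is the same pass/fail decision cosign makes when the registry copy of the image no longer matches what was signed.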


Last update: 2022-11-24 05:02:08
Created: 2022-11-19 06:59:59