Sign and verify with key
Generate key pair
The first step towards signing your software is to generate a key pair. Under the hood, cosign uses ECDSA (Elliptic Curve Digital Signature Algorithm) over the P-256 curve (Go's elliptic.P256) to generate the key pair, but we don't need to worry about that here; the private key lands in cosign.key and the public key in cosign.pub.
We can follow the steps from this section to set the image. Let's ensure the IMAGE variable is set.
Sign the artifact
This signs the image and pushes the signature to the OCI registry alongside it. For this example, make sure you are logged in to Docker Hub from the command line.
cosign sign --key cosign.key $IMAGE
Verify the artifact
cosign verify --key cosign.pub $IMAGE
Observe the list of checks performed above in this method:
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
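The sign-then-verify flow above, wrapped as an added example that is not part of the original page or of the cosign project: it refuses to sign a reference that is only a tag, because a tag can be repointed at different content after signing while a digest pins the exact image the signature covers. It assumes cosign is on PATH, that the key pair was created with cosign generate-key-pair (producing cosign.key and cosign.pub), and that the registry login has already been done; the function names is_digest_ref and sign_and_verify are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page or the cosign project).
# Assumes: cosign on PATH, cosign.key / cosign.pub in the current directory,
# registry login already done. The private key passphrase is prompted for
# by cosign, or read from COSIGN_PASSWORD if that variable is set.

# Return 0 if the reference is pinned to a digest (name@sha256:<64 hex chars>),
# 1 for a tag-only or malformed reference.
is_digest_ref() {
  case "$1" in
    *@sha256:*)
      digest="${1##*@sha256:}"
      # Exactly 64 lowercase hex characters and nothing else.
      [ "${#digest}" -eq 64 ] && [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ]
      ;;
    *)
      return 1
      ;;
  esac
}

# Sign the image with the page's command, then verify it with the public key.
# Exit codes: 2 = refused (not digest-pinned), 3 = sign failed, 4 = verify failed.
sign_and_verify() {
  ref="$1"
  if ! is_digest_ref "$ref"; then
    echo "refusing to sign '$ref': pin the image to a digest so the signature covers immutable content" >&2
    return 2
  fi
  cosign sign --key cosign.key "$ref" || return 3
  cosign verify --key cosign.pub "$ref" || return 4
}

# Usage: ./sign_verify.sh "$IMAGE"   (IMAGE must be a digest-pinned reference)
if [ -n "${1:-}" ]; then
  sign_and_verify "$1"
fi
```

If you only have a tag, resolve it to a digest first (for example with crane digest or docker inspect) and pass the name@sha256:... form; the verify step then checks exactly the bytes that were signed.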
Created: 2022-11-19 06:59:59