<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Signing on</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/</link><description>Recent content in Signing on</description><generator>Hugo -- gohugo.io</generator><lastBuildDate>Tue, 06 Oct 2020 08:49:15 +0000</lastBuildDate><atom:link href="https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/index.xml" rel="self" type="application/rss+xml"/><item><title>Overview</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/overview/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/overview/</guid><description>This document explains how identity-based, or &amp;ldquo;keyless&amp;rdquo; signing works in Sigstore.
To learn more about OIDC, please review OIDC Usage in Fulcio.
Keyless signing associates identities, rather than long-lived keys, with an artifact signature. The signer generates an ephemeral key pair, authenticates to an OpenID Connect provider, and presents the resulting identity token to Fulcio, which issues a short-lived certificate binding the ephemeral public key to that identity. The signature, the certificate and the artifact digest are recorded in Rekor, a signature transparency log, whose entry carries the time at which the signature was created. Because the certificate expires minutes after issuance and the private key is discarded after use, a verifier checks that the Rekor entry time falls inside the certificate's validity window instead of checking the certificate against the current clock.
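How those pieces fit together, as an added example in Go that is not Sigstore's own code: the real Fulcio root, the Rekor API and the cosign verifier are not used; the toy CA, the identity dev@example.com, the issuer URL and the artifact bytes are all made up for the example, and only the issuer-extension OID is Fulcio's real one. The signer creates a key that exists only for a single call, obtains a ten-minute certificate for it, signs, and keeps nothing but the log entry; the verifier validates the certificate chain at the log's integrated time rather than at the current time, pins the expected identity and issuer, and only then checks the signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidFulcioIssuer is Fulcio's real (now deprecated) extension OID for the OIDC issuer,
// carried here as a plain string. The CA, identity, issuer URL and artifact are made up.
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// LogEntry stands in for what a verifier reads back from Rekor.
type LogEntry struct {
	Signature, Leaf []byte // Leaf is the DER certificate
	IntegratedTime  time.Time
}

// newCA builds a toy root, standing in for the Fulcio root a verifier trusts.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := new(x509.Certificate)
	tmpl.SerialNumber = big.NewInt(1)
	tmpl.Subject = pkix.Name{CommonName: "toy-fulcio-root"}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil { return nil, nil, err }
	ca, err := x509.ParseCertificate(der)
	return key, ca, err
}

// keylessSign is the signer's side: a key that lives only for this call, a ten-minute
// leaf binding it to an OIDC identity, a signature over the artifact digest, and a
// log entry recording when that happened.
func keylessSign(caKey *ecdsa.PrivateKey, ca *x509.Certificate, identity, issuer string, artifact []byte, now time.Time) (LogEntry, error) {
	eph, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return LogEntry{}, err }
	tmpl := new(x509.Certificate)
	tmpl.SerialNumber = big.NewInt(2)
	tmpl.NotBefore, tmpl.NotAfter = now, now.Add(10*time.Minute)
	tmpl.EmailAddresses = []string{identity}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	tmpl.ExtraExtensions = []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}}
	leaf, err := x509.CreateCertificate(rand.Reader, tmpl, ca, eph.Public(), caKey)
	if err != nil { return LogEntry{}, err }
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, eph, digest[:])
	// eph is dropped on return: only the log entry survives the signing event.
	return LogEntry{Signature: sig, Leaf: leaf, IntegratedTime: now}, err
}

// verify is the verifier's side. The leaf has normally expired by the time anyone
// verifies, so the chain is checked at the log's integrated time rather than now;
// identity and issuer are pinned before the signature itself is checked.
func verify(ca *x509.Certificate, e LogEntry, artifact []byte, wantIdentity, wantIssuer string) error {
	leaf, err := x509.ParseCertificate(e.Leaf)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: e.IntegratedTime, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain invalid at integrated time: %w", err)
	}
	if len(leaf.EmailAddresses) != 1 || leaf.EmailAddresses[0] != wantIdentity {
		return errors.New("identity does not match")
	}
	issuer := ""
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			issuer = string(ext.Value)
		}
	}
	if issuer != wantIssuer {
		return errors.New("OIDC issuer does not match")
	}
	digest := sha256.Sum256(artifact)
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], e.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

A production verifier also checks the Rekor inclusion proof and signed entry timestamp and obtains its roots through TUF; cosign does all of that. What the example isolates is the ordering and the time reference: accepting any identity would let every Sigstore user pass, and validating the certificate against the wall clock would reject every signature older than ten minutes.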
See the Fulcio repository and Rekor repository for more information.</description></item><item><title>Signing Containers</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/signing_with_containers/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/signing_with_containers/</guid><description>You can use Cosign to sign containers with ephemeral keys by authenticating to an OpenID Connect (OIDC) identity provider supported by Sigstore. Currently, you can authenticate with Google, GitHub, or Microsoft. For more information, read the Key management overview.
The format for keyless signing of a container is as follows.
$ cosign sign $IMAGE
Cosign warns when $IMAGE is a tag rather than a digest: a tag can be re-pointed at different content after signing, so prefer the digest form (the IMAGE_DIGEST shape used in the PKCS11 examples) when you want the signature tied to exact content.
NOTE: You will need access to a container registry for Cosign to work with. ttl.sh offers free, short-lived (i.e., hours), anonymous container image hosting if you just want to try these commands out.</description></item><item><title>Signing Blobs</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/signing_with_blobs/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/signing_with_blobs/</guid><description>You can use Cosign for signing and verifying standard files and blobs (or binary large objects), in addition to containers. This topic discusses signing blobs/files. For information on verifying, see Verifying Signatures.
Keyless signing of blobs and files
Cosign supports identity-based signing, associating an ephemeral signing key with an identity from an OpenID Connect provider. We refer to this process as &amp;ldquo;keyless signing&amp;rdquo;. You use cosign sign-blob to sign standard files as well as blobs.</description></item><item><title>Git Support</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/git_support/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/git_support/</guid><description>This page contains detailed instructions on how to configure Cosign to work with hosted Git providers. Right now Cosign supports GitHub and GitLab, and we are hoping to support more in the future!
On this page, we cover specifically generating public/private key pairs and storing them directly in GitHub and GitLab CI variables. The advantage of this approach is that the private key is uploaded directly to GitHub or GitLab without passing through your browser or terminal or being written to disk.</description></item><item><title>Gitsign</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/gitsign/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/gitsign/</guid><description>Gitsign implements keyless Sigstore signing for Git commits using a valid OpenID Connect identity. In practice, that means you do not need GPG keys or a complicated setup in order to sign your Git commits. After installing and configuring Gitsign within your project, signing a commit redirects you to a browser window to authenticate with a supported OpenID provider, such as GitHub or Google. Signing details are then stored in the transparency log Rekor for subsequent verification.</description></item><item><title>PKCS11 Tokens</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/pkcs11/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/pkcs11/</guid><description>By default, Sigstore uses OpenID Connect (keyless) signing. If you want to use PKCS11 tokens instead, the cosign command line tool optionally supports PKCS11 tokens for signing. This support is enabled through the crypto11 and pkcs11 libraries, which are not included in the standard release. Use make cosign-pivkey-pkcs11key, or go build -tags=pkcs11key, to build cosign with support for PKCS11 tokens.
For the following examples, we have:
IMAGE=gcr.io/vmtest2/demo
IMAGE_DIGEST=$IMAGE@sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd
Quick Start
Setup
To get started, make sure you already have your PKCS11 module installed, and insert your PKCS11-compatible token.</description></item><item><title>Signing Other Types</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/other_types/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/signing/other_types/</guid><description>Cosign can sign anything in a registry. Most of our examples show signing a single image, but you could also sign a multi-platform Index, or any other type of artifact. This includes Helm Charts, Tekton Pipelines, and anything else currently using OCI registries for distribution. This also means new artifact types can be uploaded to a registry and signed. This section discusses signing the following items:
SBOMs
Tekton Bundles
WASM
OCI Artifacts
Tag signing
Base Image and Layer Signing
Countersigning
SBOMs (Software Bill Of Materials)
SBOMs can also be stored in an OCI registry, using this specification.</description></item></channel></rss>