<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>System Configuration on</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/</link><description>Recent content in System Configuration on</description><generator>Hugo -- gohugo.io</generator><lastBuildDate>Tue, 06 Oct 2020 08:49:15 +0000</lastBuildDate><atom:link href="https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/index.xml" rel="self" type="application/rss+xml"/><item><title>Installation</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/installation/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/installation/</guid><description>With Go 1.20+ # If you have Go 1.20+, you can directly install Cosign by running:
go install github.com/sigstore/cosign/v3/cmd/cosign@latest The resulting binary will be placed at $GOPATH/bin/cosign (or $GOBIN/cosign, if set).
With the Cosign binary or rpm/dpkg package # Download the binary for your platform from the Cosign releases page.
# binary curl -O -L &amp;quot;https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64&amp;quot; sudo mv cosign-linux-amd64 /usr/local/bin/cosign sudo chmod +x /usr/local/bin/cosign # rpm LATEST_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d &amp;quot;v\&amp;quot;, &amp;quot;) curl -O -L &amp;quot;https://github.</description></item><item><title>Integration</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/integration/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/integration/</guid><description>Integration # One of the key tenets of the Sigstore community’s strategy has been to focus on open source package managers as our primary stakeholders. OSS package managers serve as a critical link in the overall software supply chain, both in the distribution of artifacts and metadata, but also often as an implicitly trusted actor that is expected to curate content based on static and transient information. Package managers also typically create command line tools used to download, install and manage packages on systems in a variety of environments.</description></item><item><title>Configuring Cosign with Custom Components</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/custom_components/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/custom_components/</guid><description>This page contains instructions on how to configure Cosign to work with alternative components for Rekor, Fulcio, or the CT Log.
Verifying keyless signatures requires verifying signatures from Rekor, material (SCTs) from the CT log, and certificates that chain up to Fulcio. The public keys and root certificates for these components are distributed through TUF repositories. By default, Cosign uses a TUF client that has an initial trust in an embedded root and then fetches updated verification material from our public-good-instance TUF repository created on the root-signing GitHub repository.</description></item><item><title>Public Deployment</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/public_deployment/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/public_deployment/</guid><description>Public-Good Instance # Staging Instance # There is a public staging environment with staging versions of Fulcio, Rekor and an OIDC issuer, with its own roots of trust.
NOTE The staging environment provides neither SLO guarantees nor the same protection of the root key material for TUF. This environment is meant for development and testing only. It is not appropriate to use for production purposes.
The endpoints are as follows:</description></item><item><title>Registry Support</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/registry_support/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/registry_support/</guid><description>Cosign uses go-containerregistry for registry interactions, which has generally excellent compatibility, but some registries may have quirks.
Today, Cosign has been tested and works against the following registries:
AWS Elastic Container Registry GCP&amp;rsquo;s Artifact Registry and Container Registry Docker Hub Azure Container Registry JFrog Artifactory Container Registry The CNCF distribution/distribution Registry GitLab Container Registry GitHub Container Registry The CNCF Harbor Registry Digital Ocean Container Registry Sonatype Nexus Container Registry Alibaba Cloud Container Registry Quay.</description></item><item><title>Specifications</title><link>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/specifications/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/cosign/system_config/specifications/</guid><description>Cosign is inspired by tools like minisign and signify.
Signature Specifications # Specifications are maintained within the Cosign repo and available in SIGNATURE_SPEC.md.
SBOM in OCI Specification # Cosign supports working with SBOMs (Software Bill Of Materials). Formats such as SPDX and CycloneDX are supported.
The format for this is maintained within the Cosign repo and available in SBOM_SPEC.md.
In-Toto Attestation Predicate # Cosign supports working with In-Toto Attestations using the predicate model.</description></item></channel></rss>