10. Distributing Public Key Signed by trusted CA
If the certificate for your signing key is issued by a Certificate Authority (CA) that the verifier already trusts (for example Sigstore's Fulcio, or an enterprise CA that issues code-signing certificates), then nobody has to receive your public key out of band: the certificate carries it, and the verifier only needs the CA's root. Two corrections to the usual phrasing of this idea: Let's Encrypt issues TLS server certificates, not signing certificates, so it does not fit here; and the trust anchor has to be present wherever `cosign verify` runs (a CI job, a Kubernetes admission controller, a developer workstation), not inside the container image itself. Here is why and how it works:
- You use a trusted CA (e.g., Sigstore Fulcio or an internal CA) to issue a certificate for your signing key. With Fulcio the key pair is ephemeral: cosign generates it in memory, Fulcio issues a certificate valid for about ten minutes, and the private key is discarded after signing.
- The CA binds your identity (an email address, a GitHub Actions workflow, a service account) to the public key in the certificate. Fulcio does this by verifying an OIDC token and recording the token's subject and issuer as certificate extensions.
- cosign stores the certificate and its chain next to the signature in the registry, so the signature is verifiable by anyone who trusts the CA's root certificate.
- A verifier that trusts the root checks three things: the certificate chains to the root, the identity and issuer in the certificate are the ones its policy expects, and the signature verifies under the public key in the certificate. Because Fulcio certificates are short-lived, cosign additionally checks the Rekor transparency-log entry (or a signed timestamp) to prove the signature was made while the certificate was valid.
- No need to manually install cosign.pub: the CA already provides trust.
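The checks in the list above, as an added example that is not cosign's or Sigstore's own code: a local root CA (standing in for Fulcio or an enterprise CA) issues a short-lived certificate binding `my-email@example.com` to a fresh key, the signer signs a constructed payload standing in for the image digest cosign signs, and the verifier, given nothing but the root certificate, performs the chain, identity and signature checks. A second, untrusted CA issuing a certificate for the same email shows why the chain check matters. Only `openssl` is required; all file names and the payload are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not cosign's code: a local model of CA-backed signature verification.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca BASE NAME: self-signed root certificate (stand-in for Fulcio's or an enterprise CA's root)
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -sha256 \
    -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# issue_leaf CA BASE EMAIL: ephemeral signing key plus a certificate that binds EMAIL to it
issue_leaf() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$2.key"
  openssl req -new -key "$2.key" -subj "/CN=signer" -out "$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nsubjectAltName=email:%s\n' "$3" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# sign_payload BASE PAYLOAD OUT: ECDSA P-256 / SHA-256 signature over PAYLOAD with BASE's private key
sign_payload() {
  openssl dgst -sha256 -sign "$1.key" -out "$3" "$2"
}

# verify_signature ROOT LEAF IDENTITY SIG PAYLOAD: returns 0 only if all three checks pass.
# The verifier receives ROOT out of band (cosign fetches Sigstore's via TUF); LEAF travels with the signature.
verify_signature() {
  root="$1" leaf="$2" identity="$3" sig="$4" payload="$5"
  # 1. chain: the certificate must be issued by the trusted root
  openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 || { echo "chain check failed"; return 1; }
  # 2. identity: the SAN email must equal the expected identity (cosign: --certificate-identity);
  #    without this check any certificate from the same CA would be accepted
  san="$(openssl x509 -in "$leaf" -noout -ext subjectAltName 2>/dev/null \
         | sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p')"
  [ "$san" = "$identity" ] || { echo "identity mismatch: '$san'"; return 1; }
  # 3. signature: the public key is taken out of the certificate, never from a separately shipped cosign.pub
  openssl x509 -in "$leaf" -noout -pubkey > "$leaf.pub"
  openssl dgst -sha256 -verify "$leaf.pub" -signature "$sig" "$payload" >/dev/null 2>&1 \
    || { echo "signature check failed"; return 1; }
  return 0
}

# Constructed payload standing in for the digest payload cosign signs (not a real image).
printf '{"critical":{"image":{"docker-manifest-digest":"sha256:0000"}}}\n' > "$WORK/payload.json"

make_ca "$WORK/root" "Example Root CA"
issue_leaf "$WORK/root" "$WORK/signer" "my-email@example.com"
sign_payload "$WORK/signer" "$WORK/payload.json" "$WORK/genuine.sig"

# An impostor CA that also vouches for my-email@example.com; the verifier never trusted it.
make_ca "$WORK/rogue" "Rogue CA"
issue_leaf "$WORK/rogue" "$WORK/impostor" "my-email@example.com"
sign_payload "$WORK/impostor" "$WORK/payload.json" "$WORK/impostor.sig"

verify_signature "$WORK/root.pem" "$WORK/signer.pem" my-email@example.com "$WORK/genuine.sig" "$WORK/payload.json" \
  && echo "genuine signature: accepted"
verify_signature "$WORK/root.pem" "$WORK/impostor.pem" my-email@example.com "$WORK/impostor.sig" "$WORK/payload.json" \
  || echo "impostor signature: rejected"
```

The order of the checks is deliberate: the chain check runs first so that an attacker who controls some other CA cannot even get to the identity comparison, and the identity check runs before the signature check because a valid signature under the wrong identity is exactly the case a pinned policy exists to reject. What this model leaves out is the fourth check cosign performs for Fulcio certificates, the Rekor inclusion proof that shows the signature was produced inside the certificate's ten-minute validity window.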
✅ This avoids distributing public keys manually; the trust decision moves to which CA root and which identities the verifier's policy accepts.
| Scenario | What Happens? |
|---|---|
| Self-managed key pair (`cosign generate-key-pair`) | Must distribute cosign.pub manually to every verifier, and redistribute it whenever the key is rotated. |
| Signed by a Trusted CA | The certificate ships with the signature; verification works wherever the CA root is trusted, with no key distribution. |
If the verifier already trusts the root CA, then:
✅ The public key is implicitly trusted (it is carried in a certificate that chains to that root).
✅ No need to distribute keys manually, but the verifier still has to pin which identity (and, for Fulcio, which OIDC issuer) it accepts; otherwise any certificate that CA ever issued would pass.
Instead of a self-managed key pair, use a trusted CA (here Sigstore's Fulcio, in cosign's "keyless" mode). Install cosign:

```bash
curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
chmod +x cosign-linux-amd64
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
```

Sign the image. The two URLs below are cosign's defaults for the public Sigstore instance and can be omitted unless you run your own Fulcio. cosign obtains an OIDC token (through a browser login, or an ambient credential such as the GitHub Actions token in CI), generates an ephemeral key pair, requests a certificate from Fulcio, signs, and uploads the signature together with the certificate and chain to the registry next to the image:

```bash
cosign sign --oidc-issuer=https://oauth2.sigstore.dev/auth --fulcio-url=https://fulcio.sigstore.dev myregistry.com/my-image:latest
```

🚀 This signs the image with a certificate issued by Fulcio. Prefer signing by digest (`myregistry.com/my-image@sha256:...`) over a mutable tag such as `:latest`; cosign warns when given a tag because the tag can later point at a different image than the one you signed.

Verify it. The verifier must pin both the identity and the OIDC issuer that Fulcio recorded in the certificate; with only the CA root trusted, any certificate Fulcio ever issued would otherwise be accepted. The issuer to pin is the identity provider that actually authenticated you, not the Dex endpoint passed to `cosign sign`: for a Google login it is https://accounts.google.com, for a GitHub login https://github.com/login/oauth, for GitHub Actions https://token.actions.githubusercontent.com. The command below assumes the email identity was authenticated with Google; `cosign verify` prints the certificate's Subject and Issuer, so the right values can be read off a signature you made:

```bash
cosign verify myregistry.com/my-image:latest --certificate-identity=my-email@example.com --certificate-oidc-issuer=https://accounts.google.com
```

✅ Since cosign ships with Sigstore's trust root (fetched and refreshed via TUF), the certificate chain, the identity, the signature and the Rekor transparency-log entry are all checked without any key file being installed.
✅ No need to distribute public keys manually.
✅ Works wherever the verifier trusts the CA root; for the public Sigstore instance that root comes bundled with cosign, so nothing is installed in the container image.
✅ Secure and widely accepted (Sigstore for public or keyless signing, an internal CA for enterprise code signing).
✅ Easier to scale than self-managed keys: there is no long-lived private key to protect or rotate, and the verification policy names identities rather than key files.
In short: if you sign with a CA the verifier trusts, then:
✅ The public key is already trusted, because it arrives inside a certificate that chains to that root.
✅ No need to manually install public keys.
✅ Verification reduces to the chain, identity and signature checks (plus the transparency-log check for Fulcio's short-lived certificates), driven by the root and the identity policy rather than by a key file.