This is an unofficial Cosign orb for installing Cosign in your CircleCI pipeline. Use it to sign container images and verify signatures.
This orb is primarily intended for use by private organizations at this time. Note that the convenience commands provided in the initial version of this orb don't attempt to use keyless signing, upload to transparency logs, etc. They assume a simple setup with a public/private key pair stored as base64-encoded secrets within a CircleCI context. If advanced features are needed, you can use this orb for installation only and then run the cosign binary with your own arguments. Contributions are welcome!
- Least Privilege: Installs to a user-owned directory by default, with no `sudo` usage anywhere in this orb.
- Integrity: Checksum validation of all downloaded binaries using SHA-512.
- Provenance: Installs directly from Cosign's official releases page on GitHub. No third-party websites, domains, or proxies are used.
- Confidentiality: All secrets and environment variables are handled in accordance with CircleCI's security recommendations and best practices.
- Privacy: No usage data of any kind is collected or shipped back to the orb developer.
Info for security teams:
- Required external access to allow, if running a locked down, self-hosted CircleCI pipeline on-prem:
  - `github.com`: For download and installation of the Cosign tool using HTTPS.
Use the cosign-orb to handle installation of Cosign within your CircleCI pipeline without needing to create a custom base image. After installation, you can then use the `cosign` command anywhere within your job. Caching is supported if you want to prevent re-downloading Cosign on successive runs of your pipeline, though the download and installation are normally extremely fast.
```yaml
version: 2.1
orbs:
  cosign: juburr/cosign-orb@0.6.2
parameters:
  cimg_base_version:
    type: string
    default: "current-22.04"
  cosign_version:
    type: string
    default: "2.4.1"
jobs:
  sign_container:
    docker:
      - image: cimg/base:<< pipeline.parameters.cimg_base_version >>
    steps:
      - checkout
      - cosign/install:
          caching: true
          verify_checksums: strict
          version: << pipeline.parameters.cosign_version >>
      - run:
          name: Run Custom Cosign Commands
          command: |
            # Use the cosign binary however you'd like here...
            cosign version
```
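The "install only, then run cosign with your own arguments" approach described above, as an added example that is not part of the orb's own documentation or commands: it assumes a context named `cosign-keys` that provides the hypothetical variables `COSIGN_PRIVATE_KEY_B64`, `COSIGN_PUBLIC_KEY_B64` and `COSIGN_PASSWORD`, an image already pushed to a registry you control (the digest is a placeholder), and cosign 2.x command-line flags.

```yaml
version: 2.1
orbs:
  cosign: juburr/cosign-orb@0.6.2
jobs:
  sign_and_verify:
    docker:
      - image: cimg/base:current-22.04
    environment:
      # Placeholder: sign by digest, not by tag, so the signature binds to immutable content.
      IMAGE_REF: registry.example.com/team/app@sha256:<image-digest>
    steps:
      - checkout
      - cosign/install:
          caching: true
          verify_checksums: strict
          version: "2.4.1"
      - run:
          name: Sign and verify image with a key pair from the context
          command: |
            set -euo pipefail
            # Assumed context variables (hypothetical names): base64-encoded key pair
            # plus COSIGN_PASSWORD, which cosign reads to decrypt the private key.
            KEYDIR="$(mktemp -d)"
            umask 077   # key files are created readable by this user only
            echo "$COSIGN_PRIVATE_KEY_B64" | base64 -d > "$KEYDIR/cosign.key"
            echo "$COSIGN_PUBLIC_KEY_B64"  | base64 -d > "$KEYDIR/cosign.pub"
            # --tlog-upload=false keeps a private organization's signatures out of the
            # public Rekor transparency log; --yes skips the interactive confirmation.
            cosign sign --yes --tlog-upload=false \
              --key "$KEYDIR/cosign.key" "$IMAGE_REF"
            # Verify with the public key; ignoring the tlog matches the no-upload choice above.
            cosign verify --insecure-ignore-tlog=true \
              --key "$KEYDIR/cosign.pub" "$IMAGE_REF"
            # Remove the decoded private key as soon as signing is done.
            rm -rf "$KEYDIR"
workflows:
  release:
    jobs:
      - sign_and_verify:
          context: cosign-keys
```

If you do want signatures recorded in Rekor, drop `--tlog-upload=false` and `--insecure-ignore-tlog=true` together; leaving only one of them in place will make verification fail.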