depr: deprecation note for examples.md docs #2899

Merged
merged 1 commit into from
Apr 13, 2023
93 changes: 1 addition & 92 deletions EXAMPLES.md
@@ -1,92 +1 @@
# Other cosign examples

## GCP KMS with `gcloud`

Use `cosign` to generate the payload, sign it with `gcloud kms`, then use `cosign` to upload it.

```shell
$ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > payload.json
$ gcloud kms asymmetric-sign --digest-algorithm=sha256 --input-file=payload.json --signature-file=gcpkms.sig --key=foo --keyring=foo --version=1 --location=us-central
# We have to base64 encode the signature
$ cat gcpkms.sig | base64 | cosign attach signature --payload payload.json --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
```

Now (on another machine) download the public key, payload, signatures and verify it!

```shell
$ cosign download signature us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > signatures.json
# There could be multiple signatures, let's pretend it's the last one.
# Extract the payload and signature, base64 decoding them.
$ cat signatures.json | tail -1 | jq -r .Payload | base64 -D > payload
$ cat signatures.json | tail -1 | jq -r .Base64Signature | base64 -D > signature
# Now download the public key
$ gcloud kms keys versions get-public-key 1 --key=foo --keyring=foo --location=us-central1 > pubkey.pem
# Verify in openssl
$ openssl dgst -sha256 -verify pubkey.pem -signature gcpkms.sig payload
```

## Sign With OpenSSL, Verify With Cosign

```shell
# Generate a keypair
$ openssl ecparam -name prime256v1 -genkey -noout -out openssl.key
$ openssl ec -in openssl.key -pubout -out openssl.pub
# Generate the payload to be signed
$ cosign generate us.gcr.io/dlorenc-vmtest2/demo > payload.json
# Sign it and convert to base64
$ openssl dgst -sha256 -sign openssl.key -out payload.sig payload.json
$ cat payload.sig | base64 > payloadbase64.sig
# Upload the signature
$ cosign attach signature --payload payload.json --signature payloadbase64.sig us.gcr.io/dlorenc-vmtest2/demo
# Verify!
$ cosign verify --key openssl.pub us.gcr.io/dlorenc-vmtest2/demo
Verification for us.gcr.io/dlorenc-vmtest2/demo --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- The code-signing certificate was verified using trusted certificate authority certificates
{"critical":{"identity":{"docker-reference":"us.gcr.io/dlorenc-vmtest2/demo"},"image":{"docker-manifest-digest":"sha256:124e1fdee94fe5c5f902bc94da2d6e2fea243934c74e76c2368acdc8d3ac7155"},"type":"cosign container image signature"},"optional":null}
```

## AWS KMS with `aws`

Use `aws` (CLI version 2) to create a CMK for sign and verification (just need this once):

```shell
$ export AWS_CMK_ID=$(aws kms create-key --customer-master-key-spec RSA_4096 \
--key-usage SIGN_VERIFY \
--description "Cosign Signature Key Pair" \
--query KeyMetadata.KeyId --output text)
```

Use `cosign` to generate the payload, sign it with `aws kms`, then use `cosign` to upload it.

```shell
$ cosign generate docker.io/davivcgarcia/hello-world:latest > payload.json

$ aws kms sign --key-id $AWS_CMK_ID \
--message file://payload.json \
--message-type RAW \
--signing-algorithm RSASSA_PKCS1_V1_5_SHA_256 \
--output text \
--query Signature > payload.sig

$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig) --payload payload.json
```

Now (on another machine) use the `cosign` to download signature bundle, extract payload and signature value, and verify it with `aws kms`!

```shell
$ cosign download signature docker.io/davivcgarcia/hello-world:latest > signatures.json

$ cat signatures.json | tail -1 | jq -r .Base64Signature | base64 -D > remote_payload.sig
$ cat signatures.json | tail -1 | jq -r .Payload | base64 -D > remote_payload.json

$ aws kms verify --key-id $AWS_CMK_ID \
--message file://remote_payload.json \
--message-type RAW \
--signing-algorithm RSASSA_PKCS1_V1_5_SHA_256 \
--signature fileb://remote_payload.sig \
--output text \
--query SignatureValid
```
> Note of deprecation: This document has been migrated and merged into into [`sigstore/docs`](https://github.com/sigstore/docs/blob/main/content/en/cosign/sign.md) as part of [documentation migration](https://github.com/sigstore/cosign/issues/822) and PR: https://github.com/sigstore/docs/pull/123. To view the live docs page, go to: https://docs.sigstore.dev/cosign/sign/#generate-the-signature-payload-with-cosign-to-sign-with-another-tool
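Review bot: the added deprecation line has a duplicated word ("merged into into"); drop one "into". Since this hunk also removes the "# Other cosign examples" heading, the file is left as a bare blockquote with no title, so consider keeping a one-line heading above the note. Also worth checking before this lands that the migrated page in sigstore/docs does not carry over the inconsistencies visible in the deleted GCP KMS example: the signing step uses `--location=us-central` while the public-key download uses `--location=us-central1`, and the final `openssl dgst ... -signature gcpkms.sig payload` verifies the locally produced signature file rather than the `signature` file just extracted from `signatures.json`.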