github.com/venafi-iw/cosign@v1.3.4/EXAMPLES.md

# Other cosign examples

## GCP KMS with `gcloud`

Use `cosign` to generate the payload, sign it with `gcloud kms`, then use `cosign` to upload it.

```shell
$ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > payload.json
$ gcloud kms asymmetric-sign --digest-algorithm=sha256 --input-file=payload.json --signature-file=gcpkms.sig --key=foo --keyring=foo --version=1 --location=us-central1
# The signature has to be base64 encoded before it is attached
$ cat gcpkms.sig | base64 | cosign attach signature --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
```

Now (on another machine) download the public key, payload and signatures, and verify them!

```shell
$ cosign download signature us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > signatures.json
# There could be multiple signatures; let's pretend it's the last one.
# Extract the payload and signature, base64 decoding them (-d works with both GNU and macOS base64).
$ cat signatures.json | tail -1 | jq -r .Payload | base64 -d > payload
$ cat signatures.json | tail -1 | jq -r .Base64Signature | base64 -d > signature
# Now download the public key (same key version and location as above)
$ gcloud kms keys versions get-public-key 1 --key=foo --keyring=foo --location=us-central1 > pubkey.pem
# Verify in openssl, using the signature file extracted above
$ openssl dgst -sha256 -verify pubkey.pem -signature signature payload
```

## Sign With OpenSSL, Verify With Cosign

```shell
# Generate a keypair
$ openssl ecparam -name prime256v1 -genkey -noout -out openssl.key
$ openssl ec -in openssl.key -pubout -out openssl.pub
# Generate the payload to be signed
$ cosign generate us.gcr.io/dlorenc-vmtest2/demo > payload.json
# Sign it and convert to base64
$ openssl dgst -sha256 -sign openssl.key -out payload.sig payload.json
$ cat payload.sig | base64 > payloadbase64.sig
# Upload the signature
$ cosign attach signature --payload payload.json --signature payloadbase64.sig us.gcr.io/dlorenc-vmtest2/demo
# Verify!
$ cosign verify --key openssl.pub us.gcr.io/dlorenc-vmtest2/demo
Verification for us.gcr.io/dlorenc-vmtest2/demo --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
{"critical":{"identity":{"docker-reference":"us.gcr.io/dlorenc-vmtest2/demo"},"image":{"docker-manifest-digest":"sha256:124e1fdee94fe5c5f902bc94da2d6e2fea243934c74e76c2368acdc8d3ac7155"},"type":"cosign container image signature"},"optional":null}
```
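The two sections above differ in one security-relevant way: the bare `openssl dgst -verify` step only proves that the key signed the payload, while `cosign verify` also reports "The cosign claims were validated", i.e. that the payload names the image being asked about. The added Go example below (not code from cosign or this file) does both checks on the `Base64Signature` and `Payload` strings the jq steps extract. It assumes a P-256 key as in the openssl section, already parsed into an `*ecdsa.PublicKey` (for `pubkey.pem` or `openssl.pub` that is `encoding/pem` plus `x509.ParsePKIXPublicKey`), and `SignSample` produces constructed test data in place of a registry download.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// VerifyEntry takes the Base64Signature and Payload fields of one `cosign download signature` line, does
// the `openssl dgst -sha256 -verify` check, then the claim check openssl cannot: payload must name wantRef.
func VerifyEntry(pub *ecdsa.PublicKey, b64Sig, b64Payload, wantRef string) (string, error) {
	payload, err1 := base64.StdEncoding.DecodeString(b64Payload)
	sig, err2 := base64.StdEncoding.DecodeString(b64Sig)
	if err1 != nil || err2 != nil {
		return "", fmt.Errorf("entry is not valid base64: %v %v", err1, err2)
	}
	h := sha256.Sum256(payload) // openssl dgst -sha256 signs the digest of the whole payload file
	if !ecdsa.VerifyASN1(pub, h[:], sig) { // the signature is ASN.1 DER (r, s), as openssl emits it
		return "", fmt.Errorf("signature does not verify against the key")
	}
	// A valid signature alone says nothing about which image it vouches for, so check the claims.
	var p struct{ Critical struct{ Identity, Image map[string]string } }
	if err := json.Unmarshal(payload, &p); err != nil {
		return "", err
	}
	if got := p.Critical.Identity["docker-reference"]; got != wantRef {
		return "", fmt.Errorf("payload is for %q, not %q", got, wantRef)
	}
	return p.Critical.Image["docker-manifest-digest"], nil
}

// SignSample stands in for `cosign generate`, `openssl dgst -sha256 -sign` and base64 with a fresh
// P-256 key; its output is constructed test data, not a signature fetched from a registry.
func SignSample(ref, digest string) (b64Sig, b64Payload string, pub *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	payload := fmt.Sprintf(`{"critical":{"identity":{"docker-reference":%q},"image":{"docker-manifest-digest":%q},"type":"cosign container image signature"},"optional":null}`, ref, digest)
	h := sha256.Sum256([]byte(payload))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	enc := base64.StdEncoding.EncodeToString
	return enc(sig), enc([]byte(payload)), &priv.PublicKey
}

func main() {
	sig, payload, pub := SignSample("us.gcr.io/dlorenc-vmtest2/demo", "sha256:constructed-digest")
	fmt.Println(VerifyEntry(pub, sig, payload, "us.gcr.io/dlorenc-vmtest2/demo"))
}
```

With a real `signatures.json`, feed `VerifyEntry` the `.Base64Signature` and `.Payload` values of the line you picked and the reference you asked the registry about; a signature that verifies but names a different image is rejected.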