github.com/venafi-iw/cosign@v1.3.4/EXAMPLES.md

# Other cosign examples

## GCP KMS with `gcloud`

Use `cosign` to generate the payload, sign it with `gcloud kms`, then use `cosign` to upload it.

```shell
$ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > payload.json
$ gcloud kms asymmetric-sign --digest-algorithm=sha256 --input-file=payload.json --signature-file=gcpkms.sig --key=foo --keyring=foo --version=1 --location=us-central1
# We have to base64 encode the signature
$ cat gcpkms.sig | base64 | cosign attach signature --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
```

Now (on another machine) download the public key, payload and signatures, and verify them!

```shell
$ cosign download signature us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > signatures.json
# There could be multiple signatures (one JSON record per line); let's pretend it's the last one.
# Extract the payload and signature, base64 decoding them (older macOS spells the decode flag -D).
$ cat signatures.json | tail -1 | jq -r .Payload | base64 -d > payload
$ cat signatures.json | tail -1 | jq -r .Base64Signature | base64 -d > signature
# Now download the public key
$ gcloud kms keys versions get-public-key 1 --key=foo --keyring=foo --location=us-central1 > pubkey.pem
# Verify in openssl, using the signature just extracted from the registry (gcpkms.sig only exists on the signing machine)
$ openssl dgst -sha256 -verify pubkey.pem -signature signature payload
```

## Sign With OpenSSL, Verify With Cosign

```shell
# Generate a keypair
$ openssl ecparam -name prime256v1 -genkey -noout -out openssl.key
$ openssl ec -in openssl.key -pubout -out openssl.pub
# Generate the payload to be signed
$ cosign generate us.gcr.io/dlorenc-vmtest2/demo > payload.json
# Sign it and convert to base64
$ openssl dgst -sha256 -sign openssl.key -out payload.sig payload.json
$ cat payload.sig | base64 > payloadbase64.sig
# Upload the signature
$ cosign attach signature --payload payload.json --signature payloadbase64.sig us.gcr.io/dlorenc-vmtest2/demo
# Verify!
$ cosign verify --key openssl.pub us.gcr.io/dlorenc-vmtest2/demo
Verification for us.gcr.io/dlorenc-vmtest2/demo --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.
{"critical":{"identity":{"docker-reference":"us.gcr.io/dlorenc-vmtest2/demo"},"image":{"docker-manifest-digest":"sha256:124e1fdee94fe5c5f902bc94da2d6e2fea243934c74e76c2368acdc8d3ac7155"},"type":"cosign container image signature"},"optional":null}
```
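The out-of-band verification both sections describe (take a record from `cosign download signature`, base64-decode its `Payload` and `Base64Signature`, check the simple-signing claims, then run `openssl dgst -verify` over the raw payload), as an added Python example that is not part of cosign or this README. It assumes an `openssl` binary on PATH; `make_signed_record` builds its own constructed key and record so the script runs without a registry, and `check_claims` shows why the claim check matters: a perfectly valid signature over a payload that names a different image or digest must not verify.

```python
import base64, json, os, subprocess, tempfile

COSIGN_TYPE = "cosign container image signature"


def openssl(*args, stdin=None):
    """Run one openssl command, raising on a non-zero exit, and return its stdout."""
    return subprocess.run(("openssl",) + args, input=stdin, check=True, capture_output=True).stdout


def check_claims(payload, image_ref, manifest_digest=None):
    """The claims cosign validates before trusting a signature: type, image name and, when
    known, manifest digest. A valid signature over another image's payload proves nothing here."""
    critical = json.loads(payload)["critical"]
    return (critical.get("type") == COSIGN_TYPE
            and critical["identity"]["docker-reference"] == image_ref
            and (manifest_digest is None
                 or critical["image"]["docker-manifest-digest"] == manifest_digest))


def verify_record(record, pubkey_pem, image_ref, manifest_digest=None):
    """Verify one signatures.json record: decode both base64 fields, check the claims, then
    verify the ECDSA/SHA-256 signature over the raw payload bytes with openssl dgst."""
    payload = base64.b64decode(record["Payload"])
    signature = base64.b64decode(record["Base64Signature"])
    if not check_claims(payload, image_ref, manifest_digest):
        return False
    with tempfile.TemporaryDirectory() as d:
        pub, sig, msg = (os.path.join(d, n) for n in ("pub.pem", "sig", "payload"))
        for path, data in ((pub, pubkey_pem), (sig, signature), (msg, payload)):
            with open(path, "wb") as f:
                f.write(data)
        done = subprocess.run(["openssl", "dgst", "-sha256", "-verify", pub, "-signature", sig, msg],
                              capture_output=True)
        return done.returncode == 0  # "Verified OK" exits 0, a bad signature exits 1


def make_signed_record(image_ref, manifest_digest):
    """Constructed fixture, not a registry record: fresh P-256 key plus a signed simple-signing
    payload, mirroring the OpenSSL signing steps above. Returns (record, public key PEM)."""
    payload = json.dumps({"critical": {"identity": {"docker-reference": image_ref},
                                       "image": {"docker-manifest-digest": manifest_digest},
                                       "type": COSIGN_TYPE}, "optional": None}).encode()
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "openssl.key")
        openssl("ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", key)
        pub = openssl("ec", "-in", key, "-pubout")
        sig = openssl("dgst", "-sha256", "-sign", key, stdin=payload)
    return {"Base64Signature": base64.b64encode(sig).decode(),
            "Payload": base64.b64encode(payload).decode()}, pub
```

The same `verify_record` call works on a real line of `signatures.json` and the PEM from `gcloud kms keys versions get-public-key`, since both sections produce a P-256/SHA-256 signature over the exact payload bytes.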