github.com/venafi-iw/cosign@v1.3.4/FUN.md

# Fun Tips And Tricks!

## Signing Git Commits - Three Ways!

You thought Git signatures were always GPG?
Think again!

### Easy Mode

Sign the commits and store the signatures and public keys somewhere else.

```
$ ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
Using payload from: /dev/fd/63
Enter password for private key:
MEUCIQDLtTbCRCW+o7Gt3WKR4b2UqT947L8JtYzQJk+R8PItxgIgXoYQg1YXw8xDmGWun6wIG2t+/J0HJs9SbscnSLMNWsM=
$ git rev-parse HEAD
455d1988360dcfdcf0fa17b0736fbbc33b4924c0
$ ./cosign verify-blob --key cosign.pub --signature MEUCIQDLtTbCRCW+o7Gt3WKR4b2UqT947L8JtYzQJk+R8PItxgIgXoYQg1YXw8xDmGWun6wIG2t+/J0HJs9SbscnSLMNWsM= <(git rev-parse HEAD)
Verified OK
```

### Medium Mode

Store the signature in the repo as a git note, and store the public key somewhere else.

```
$ ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
Using payload from: /dev/fd/63
Enter password for private key:
MEQCIHXN31pDrZBxs+m/HrcFruavv++oMc+pBZKgl7Hps9jjAiA9QE5uzpFNC5SGpdr4TJuCwh47C24Hwt4yHICae0J1bw==
$ git notes add -m "MEQCIHXN31pDrZBxs+m/HrcFruavv++oMc+pBZKgl7Hps9jjAiA9QE5uzpFNC5SGpdr4TJuCwh47C24Hwt4yHICae0J1bw==" HEAD
$ ./cosign verify-blob --key cosign.pub --signature <(git notes show HEAD) <(git rev-parse HEAD)
Verified OK
```

### Hard Mode

Store the signature in the Transparency Log, and store the public key somewhere else.

```
$ COSIGN_EXPERIMENTAL=1 ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
Using payload from: /dev/fd/63
Enter password for private key:
MEYCIQDWX6RjU0Z2ynd1CdiAwo/JaC2Z5+vdx8H5spuDNu/r5wIhAPnP+87+knFEwbE8FgeXCrgkjWal3aBsNR3IVaBDT2XU
tlog entry created with index: 1224
```

Now find it from the log:

```
$ uuid=$(rekor-cli search --artifact <(git rev-parse HEAD) | tail -n 1)
$ sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.content)
$ cosign verify-blob --key cosign.pub --signature <(echo $sig) <(git rev-parse HEAD)
Verified OK
```

You can also get the public key from the log:

```
$ uuid=$(rekor-cli search --artifact <(git rev-parse HEAD) | tail -n 1)
$ sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.content)
$ pubKey=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.publicKey.content)
$ cosign verify-blob --key <(echo $pubKey | base64 --decode) --signature <(echo $sig) <(git rev-parse HEAD)
```

### Level 11

Store the signature in the Transparency Log and don't store the keys anywhere.

```
$ COSIGN_EXPERIMENTAL=1 ./cosign sign-blob <(git rev-parse HEAD)
Using payload from: /dev/fd/63
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=fJXMfR2VOiudrU2X1kP4UUSf3v33yyl3o2IexzIaEdc&code_challenge_method=S256&nonce=1zkBCegjVlHrfXywXu3lsT0RVP7&redirect_uri=http%3A%2F%2Flocalhost%3A5556%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=1zkBCehKiBjIMt1J2hcTYhBae9s
Successfully verified SCT...
signing with ephemeral certificate:
-----BEGIN CERTIFICATE-----
MIICeDCCAf6gAwIBAgIUAPcTDhgn++dgD7008s+TuiLwUgcwCgYIKoZIzj0EAwMw
KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
MTEwMTkyMjIxMjZaFw0yMTEwMTkyMjQxMjVaMAAwWTATBgcqhkjOPQIBBggqhkjO
PQMBBwNCAASkOb5x7wCiyBLs7Q0ehqD31U6Lr+x0kH9WDcp5ONm7WBeGTAyth5Rz
gJBpkVtv/UzgF5BNKUfEVtm8pal7sZBso4IBKjCCASYwDgYDVR0PAQH/BAQDAgeA
MBMGA1UdJQQMMAoGCCsGAQUFBwMDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAP3
+cBsWpnLMQvm0Tv6qCVQ0PYiMB8GA1UdIwQYMBaAFMjFHQBBmiQpMlEk6w2uSu1K
BtPsMIGNBggrBgEFBQcBAQSBgDB+MHwGCCsGAQUFBzAChnBodHRwOi8vcHJpdmF0
ZWNhLWNvbnRlbnQtNjAzZmU3ZTctMDAwMC0yMjI3LWJmNzUtZjRmNWU4MGQyOTU0
LnN0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vY2EzNmExZTk2MjQyYjlmY2IxNDYvY2Eu
Y3J0MCEGA1UdEQEB/wQXMBWBE3ByaXlhdzgxOUBnbWFpbC5jb20wCgYIKoZIzj0E
AwMDaAAwZQIxAL2tZYELi3hGJS8sGTCGPKz83brdM4aak0v+SMMQGnyas7bY7tdm
DoyAJmxwWx2ntQIwPyM1A5nE+f2Pg9CkQqyZEFS2sxQTdKBmQzODDn6GqVTJ7agN
2djlcXFUJb1xFwO5
-----END CERTIFICATE-----

tlog entry created with index: 782549
MEUCIGi9CuxAceEcNkGLani2i3GdMgbl4bkGLILDhjh8n7DAAiEAhRwgfXMhnXyB38EZtOZX7fwtJBaSetMM88mZyYsV0pM=
```

Now find it from the log:

```
$ uuid=$(rekor-cli search --artifact <(git rev-parse HEAD) | tail -n 1)
$ sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.content)
$ cert=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.publicKey.content)

$ cosign verify-blob --cert <(echo $cert | base64 --decode) --signature <(echo $sig) <(git rev-parse HEAD)
Certificate is trusted by Fulcio Root CA
Email: [your-email@yay.com]
Verified OK
```
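All four modes above sign the same thing: the bytes `git rev-parse HEAD` prints, hashed with SHA-256 and signed with an ECDSA P-256 key, with the DER signature emitted as base64 (the `MEUC...`/`MEQC...` strings). The following Go program is an added illustration of that sign-blob/verify-blob core, not cosign's own code; it uses the commit id from the Easy Mode transcript as a constructed payload and shows why the payload must be reproduced byte for byte, including git's trailing newline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Payload cosign sign-blob reads from <(git rev-parse HEAD): the hex commit id
// plus the newline git prints. Constructed from the commit id shown above.
const commitPayload = "455d1988360dcfdcf0fa17b0736fbbc33b4924c0\n"

// newSigningKey generates a P-256 key, the curve cosign generate-key-pair uses.
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signCommit is the sign-blob side: SHA-256 the payload, ECDSA-sign it and
// base64 the DER signature (DER tag 0x30 is why the strings above start "ME").
func signCommit(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	digest := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// verifyCommit is the verify-blob side: the signature only checks out over
// exactly the bytes that were signed, trailing newline included.
func verifyCommit(pub *ecdsa.PublicKey, payload []byte, b64sig string) bool {
	der, err := base64.StdEncoding.DecodeString(b64sig)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], der)
}

func main() {
	priv, _ := newSigningKey()
	sig, _ := signCommit(priv, []byte(commitPayload))
	fmt.Println(sig)
	// Same payload verifies; dropping git's newline (commitPayload[:40]) does not.
	fmt.Println(verifyCommit(&priv.PublicKey, []byte(commitPayload), sig),
		verifyCommit(&priv.PublicKey, []byte(commitPayload[:40]), sig))
}
```

The same byte-exactness applies when the signature comes back from Rekor: the `.content` field is already base64, which is why the transcripts feed it to `--signature` through `<(echo $sig)` without decoding.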