github.com/venafi-iw/cosign@v1.3.4/FUN.md

# Fun Tips And Tricks!

## Signing Git Commits - Three Ways!

You thought Git signatures were always GPG?
Think again!

### Easy Mode

Sign the commits and store the signatures and public keys somewhere else.

```
$ ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
Using payload from: /dev/fd/63
Enter password for private key:
MEUCIQDLtTbCRCW+o7Gt3WKR4b2UqT947L8JtYzQJk+R8PItxgIgXoYQg1YXw8xDmGWun6wIG2t+/J0HJs9SbscnSLMNWsM=
$ git rev-parse HEAD
455d1988360dcfdcf0fa17b0736fbbc33b4924c0
$ ./cosign verify-blob --key cosign.pub --signature MEUCIQDLtTbCRCW+o7Gt3WKR4b2UqT947L8JtYzQJk+R8PItxgIgXoYQg1YXw8xDmGWun6wIG2t+/J0HJs9SbscnSLMNWsM= <(git rev-parse HEAD)
Verified OK
```

### Medium Mode

Store the signature in the repo as notes, store the public key somewhere else.

```
$ ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
Using payload from: /dev/fd/63
Enter password for private key:
MEQCIHXN31pDrZBxs+m/HrcFruavv++oMc+pBZKgl7Hps9jjAiA9QE5uzpFNC5SGpdr4TJuCwh47C24Hwt4yHICae0J1bw==
$ git notes add -m "MEQCIHXN31pDrZBxs+m/HrcFruavv++oMc+pBZKgl7Hps9jjAiA9QE5uzpFNC5SGpdr4TJuCwh47C24Hwt4yHICae0J1bw==" HEAD
$ ./cosign verify-blob --key cosign.pub --signature <(git notes show HEAD) <(git rev-parse HEAD)
Verified OK
```
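As an added example (not cosign's own code), here is what the Easy and Medium Mode sessions above do, written against Go's standard library: `cosign sign-blob --key` signs the SHA-256 digest of the payload with ECDSA P-256 and prints the DER signature base64-encoded, and `verify-blob` reverses that. The key is generated in memory rather than loaded from the password-encrypted `cosign.key` file, and the commit hash is the one from the session above.

```go
// Added example (not cosign's own code). cosign sign-blob --key signs the
// SHA-256 digest of the payload with ECDSA P-256 and prints the DER signature
// base64-encoded; verify-blob reverses it. Key is in-memory, not cosign.key.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Commit hash from the page; git rev-parse HEAD prints it with a trailing
// newline, and that newline is part of the signed bytes.
const headCommit = "455d1988360dcfdcf0fa17b0736fbbc33b4924c0\n"

// SignCommit mirrors `cosign sign-blob --key cosign.key <(git rev-parse HEAD)`.
func SignCommit(priv *ecdsa.PrivateKey, payload string) (string, error) {
	digest := sha256.Sum256([]byte(payload))
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// VerifyCommit mirrors `cosign verify-blob --key cosign.pub --signature ...`.
// It is false for any payload that is not byte-identical to what was signed,
// including the same hash without its trailing newline.
func VerifyCommit(pub *ecdsa.PublicKey, payload, b64sig string) bool {
	der, err := base64.StdEncoding.DecodeString(b64sig)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(payload))
	return ecdsa.VerifyASN1(pub, digest[:], der)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := SignCommit(priv, headCommit)
	fmt.Println(sig) // same shape as the MEUCIQ... line in the session above
	fmt.Println("HEAD:", VerifyCommit(&priv.PublicKey, headCommit, sig))
	// A signature on HEAD says nothing about any other commit.
	fmt.Println("other:", VerifyCommit(&priv.PublicKey, "0"+headCommit[1:], sig))
}
```

The same byte-exactness applies to the sessions above: `git notes show HEAD` and `git rev-parse HEAD` must feed verify-blob exactly what sign-blob consumed.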

### Hard Mode

Store the signature in the Transparency Log, and store the public key somewhere else.

```
$ COSIGN_EXPERIMENTAL=1 ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
Using payload from: /dev/fd/63
Enter password for private key:
MEYCIQDWX6RjU0Z2ynd1CdiAwo/JaC2Z5+vdx8H5spuDNu/r5wIhAPnP+87+knFEwbE8FgeXCrgkjWal3aBsNR3IVaBDT2XU
tlog entry created with index: 1224
```

Now find it from the log:

```
$ uuid=$(rekor-cli search --artifact <(git rev-parse HEAD) | tail -n 1)
$ sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.content)
$ cosign verify-blob --key cosign.pub --signature <(echo $sig) <(git rev-parse HEAD)
Verified OK
```

You can also get the public key from the log:

```
$ uuid=$(rekor-cli search --artifact <(git rev-parse HEAD) | tail -n 1)
$ sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.content)
$ pubKey=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.publicKey.content)
$ cosign verify-blob --key <(echo $pubKey | base64 --decode) --signature <(echo $sig) <(git rev-parse HEAD)
```

### Level 11

Store the signature in the Transparency Log and don't store the keys anywhere.

```
$ COSIGN_EXPERIMENTAL=1 ./cosign sign-blob <(git rev-parse HEAD)
Using payload from: /dev/fd/63
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=fJXMfR2VOiudrU2X1kP4UUSf3v33yyl3o2IexzIaEdc&code_challenge_method=S256&nonce=1zkBCegjVlHrfXywXu3lsT0RVP7&redirect_uri=http%3A%2F%2Flocalhost%3A5556%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=1zkBCehKiBjIMt1J2hcTYhBae9s
Successfully verified SCT...
signing with ephemeral certificate:
-----BEGIN CERTIFICATE-----
MIICeDCCAf6gAwIBAgIUAPcTDhgn++dgD7008s+TuiLwUgcwCgYIKoZIzj0EAwMw
KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
MTEwMTkyMjIxMjZaFw0yMTEwMTkyMjQxMjVaMAAwWTATBgcqhkjOPQIBBggqhkjO
PQMBBwNCAASkOb5x7wCiyBLs7Q0ehqD31U6Lr+x0kH9WDcp5ONm7WBeGTAyth5Rz
gJBpkVtv/UzgF5BNKUfEVtm8pal7sZBso4IBKjCCASYwDgYDVR0PAQH/BAQDAgeA
MBMGA1UdJQQMMAoGCCsGAQUFBwMDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAP3
+cBsWpnLMQvm0Tv6qCVQ0PYiMB8GA1UdIwQYMBaAFMjFHQBBmiQpMlEk6w2uSu1K
BtPsMIGNBggrBgEFBQcBAQSBgDB+MHwGCCsGAQUFBzAChnBodHRwOi8vcHJpdmF0
ZWNhLWNvbnRlbnQtNjAzZmU3ZTctMDAwMC0yMjI3LWJmNzUtZjRmNWU4MGQyOTU0
LnN0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vY2EzNmExZTk2MjQyYjlmY2IxNDYvY2Eu
Y3J0MCEGA1UdEQEB/wQXMBWBE3ByaXlhdzgxOUBnbWFpbC5jb20wCgYIKoZIzj0E
AwMDaAAwZQIxAL2tZYELi3hGJS8sGTCGPKz83brdM4aak0v+SMMQGnyas7bY7tdm
DoyAJmxwWx2ntQIwPyM1A5nE+f2Pg9CkQqyZEFS2sxQTdKBmQzODDn6GqVTJ7agN
2djlcXFUJb1xFwO5
-----END CERTIFICATE-----

tlog entry created with index: 782549
MEUCIGi9CuxAceEcNkGLani2i3GdMgbl4bkGLILDhjh8n7DAAiEAhRwgfXMhnXyB38EZtOZX7fwtJBaSetMM88mZyYsV0pM=
```

Now find it from the log:

```
$ uuid=$(rekor-cli search --artifact <(git rev-parse HEAD) | tail -n 1)
$ sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.content)
$ cert=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.publicKey.content)

$ cosign verify-blob --cert <(echo $cert | base64 --decode) --signature <(echo $sig) <(git rev-parse HEAD)
Certificate is trusted by Fulcio Root CA
Email: [your-email@yay.com]
Verified OK
```