Releases: dlorenc/signed-container
The second signed container!
This release contained a few workflow changes:
- The image now uses the GITHUB_TOKEN authentication system for ghcr.io, instead of DockerHub
- The image is now built with the official cosign-installer GitHub action: github.com/sigstore/cosign-installer
The first ever cosigned container release.
Try me out! The public key to verify this container is stored in the root of this repo (cosign.pub).
For rotation: we can just change the key in the repo before triggering new builds. The git commit is stored in the signed portion as well, allowing you to be sure which commit the container was built at.
$ cosign verify -key cosign.pub dlorenc/signed-container:v0.0.1 | jq .
The following checks were performed on these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
{
  "Critical": {
    "Identity": {
      "docker-reference": ""
    },
    "Image": {
      "Docker-manifest-digest": "sha256:b5d83b473776186d1b3670433d759c786ec413aacf46c5fad606b11043d0368d"
    },
    "Type": "cosign container signature"
  },
  "Optional": {
    "git_sha": "a5525b0df6fb6683cd2a01e01dfb0c92252b1b65"
  }
}
You can even verify the tag and commit using the -a flag to verify, passing in the git_sha and git_tag values:
$ cosign verify -a git_tag=v0.0.1 -a git_sha=$(git rev-parse v0.0.1) -key cosign.pub dlorenc/signed-container:v0.0.1
The following checks were performed on these signatures:
- The specified annotations were verified.
- The cosign claims were validated
- The signatures were verified against the specified public key
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:b5d83b473776186d1b3670433d759c786ec413aacf46c5fad606b11043d0368d"},"Type":"cosign container signature"},"Optional":{"git_sha":"a5525b0df6fb6683cd2a01e01dfb0c92252b1b65","git_tag":"v0.0.1"}}
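The two cosign verify runs above print the signed payload and exit successfully, but a CI job or admission step still has to decide what to do with that payload: confirm that the signature binds the exact manifest digest you are about to deploy, confirm that the Optional annotations (git_sha, git_tag) carry the values you expect, and then deploy by digest rather than by the mutable tag. The following script is an added example written for this page, not code from the dlorenc/signed-container repo or from cosign itself. It re-implements the annotation comparison that the -a flag performs, over a copy of the payload printed above (constructed from the page's own output; the -key/-a command-line syntax is the older cosign CLI shown on this page and is not exercised here), so it runs offline. The function names, the `required_annotations` argument and the pinned-reference helper are this example's own conventions.

```python
import json

# Manifest digest and annotations copied from the cosign verify output shown
# on this release page (constructed test input for this example).
EXPECTED_DIGEST = "sha256:b5d83b473776186d1b3670433d759c786ec413aacf46c5fad606b11043d0368d"
RELEASE_ANNOTATIONS = {
    "git_sha": "a5525b0df6fb6683cd2a01e01dfb0c92252b1b65",
    "git_tag": "v0.0.1",
}

# A verbatim-shaped copy of what `cosign verify` printed for v0.0.1.
# cosign emits one JSON object per signature; this helper accepts either a
# single object or a JSON list of them.
VERIFY_OUTPUT = json.dumps({
    "Critical": {
        "Identity": {"docker-reference": ""},
        "Image": {"Docker-manifest-digest": EXPECTED_DIGEST},
        "Type": "cosign container signature",
    },
    "Optional": RELEASE_ANNOTATIONS,
})


def check_signature_payloads(output_text, expected_digest, required_annotations):
    """Policy check over cosign verify output.

    Returns (ok, reasons). ok is True only when every payload has the cosign
    container-signature type, binds exactly `expected_digest`, and carries
    every key in `required_annotations` with exactly the expected value.
    This mirrors what cosign's -a flag enforces: an annotation must be
    present in the signed Optional map and match byte-for-byte.
    """
    payloads = json.loads(output_text)
    if isinstance(payloads, dict):
        payloads = [payloads]
    if not payloads:
        return False, ["no signature payloads in verify output"]

    reasons = []
    for i, payload in enumerate(payloads):
        critical = payload.get("Critical", {})
        if critical.get("Type") != "cosign container signature":
            reasons.append(f"payload {i}: unexpected type {critical.get('Type')!r}")

        # The digest is the only identity the signature binds here
        # (docker-reference is empty), so it is what must be pinned.
        digest = critical.get("Image", {}).get("Docker-manifest-digest")
        if digest != expected_digest:
            reasons.append(f"payload {i}: digest {digest} != expected {expected_digest}")

        optional = payload.get("Optional") or {}
        for key, value in required_annotations.items():
            if key not in optional:
                reasons.append(f"payload {i}: missing annotation {key}")
            elif optional[key] != value:
                reasons.append(
                    f"payload {i}: annotation {key}={optional[key]!r}, expected {value!r}"
                )
    return (not reasons), reasons


def pinned_reference(repository, digest):
    """Image reference to deploy after verification: by digest, never by tag,
    so a later re-push of the same tag cannot substitute an unverified image."""
    return f"{repository}@{digest}"


if __name__ == "__main__":
    ok, reasons = check_signature_payloads(
        VERIFY_OUTPUT, EXPECTED_DIGEST, RELEASE_ANNOTATIONS
    )
    print("verified" if ok else "rejected", reasons)
    if ok:
        print("deploy:", pinned_reference("dlorenc/signed-container", EXPECTED_DIGEST))

    # Failure mode: the same signature does not satisfy a different tag claim.
    ok, reasons = check_signature_payloads(
        VERIFY_OUTPUT, EXPECTED_DIGEST, {"git_tag": "v0.0.2"}
    )
    print("verified" if ok else "rejected", reasons)
```

In a real pipeline the `VERIFY_OUTPUT` constant is replaced by the captured stdout of `cosign verify`, and `required_annotations` is built from the commit you intend to ship (for example `git rev-parse <tag>`, as the release notes suggest). The deployable value is the pinned `repository@sha256:...` string, which is the digest the signature actually covers.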