Cosign Image Signatures

The protocol and format explained! (Updated June 5th 2021)

In my last post, I showed how cosign can be used to sign and verify container images today. In this post, I’ll explain how it works at each step of the way.

Life of a Cosign Signature

We’ll start with cosign generate-key-pair. This command creates an ECDSA-P256 key pair (a private and a public key). The public key bytes are encoded in a PKIX formatted file.

Cosign — Signed Container Images

I’ve seen a lot of questions about signing container images in the last few months, and unfortunately there aren’t many great options or answers today. So I decided to write a simple tool called cosign. It can sign container images! Here’s what it looks like to use: You can get it installed and start signing containers in minutes. There are almost no configuration options, by design. There is only one supported signature algorithm (ECDSA-P256) and one payload format (Red Hat Simple Signing).
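As an added illustration of the two points made in these excerpts, that cosign uses one signature algorithm (ECDSA-P256, with the public half written out as a PKIX-encoded file) and one payload format (Red Hat Simple Signing), here is a self-contained Go program that generates such a key pair, builds a simple-signing payload for a constructed image reference and digest, signs it and verifies it from the PEM public key alone. This is example code written for this page, not cosign's own source. The image reference and digest are made up, the `type` string is the one from the Red Hat simple signing spec (cosign's own value is not reproduced here), and the function names are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// SimpleSigningPayload follows the Red Hat "simple signing" JSON layout:
// the critical section binds the signature to an image reference and a
// manifest digest, the optional section carries free-form metadata.
type SimpleSigningPayload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]string `json:"optional,omitempty"`
}

// NewPayload builds the JSON bytes that get signed. The type string is the
// one from the simple signing spec (assumption: cosign's may differ).
func NewPayload(ref, digest string) ([]byte, error) {
	var p SimpleSigningPayload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "atomic container signature"
	return json.Marshal(p)
}

// GenerateKeyPair creates an ECDSA P-256 key pair and returns the private
// key plus the public key as a PKIX PEM block, the shape of the public key
// file described in the post.
func GenerateKeyPair() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return priv, pubPEM, nil
}

// Sign hashes the payload with SHA-256 and returns an ASN.1 DER ECDSA signature.
func Sign(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify parses the PKIX PEM public key, refuses anything that is not an
// ECDSA P-256 key (the only algorithm the tool supports), and checks the
// signature over the payload bytes.
func Verify(pubPEM, payload, sig []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("public key: not a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("public key: %w", err)
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok || ecPub.Curve != elliptic.P256() {
		return errors.New("public key: expected ECDSA P-256")
	}
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(ecPub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	priv, pubPEM, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed reference and digest; not a real image.
	payload, _ := NewPayload("example.com/app:1.0",
		"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
	sig, _ := Sign(priv, payload)
	fmt.Printf("%s\nverify original: %v\n", pubPEM, Verify(pubPEM, payload, sig))
	tampered, _ := NewPayload("example.com/app:1.0", "sha256:ffff")
	fmt.Println("verify tampered:", Verify(pubPEM, tampered, sig))
}
```

Verification deliberately re-derives everything from the PEM file and the payload bytes, so the check fails closed on a wrong key, a different curve, a malformed key file, or any change to the reference or digest inside the payload.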

A Safer curl | bash ?

This post is about using container registries (Docker registries, OCI registries, whatever you want to call them) for the storage and distribution of generic, non-container-related binary artifacts. I explain the reasoning below, but first: code and demos.

Demos!

Here’s a quick walkthrough of a draft tool (still WIP!) to securely fetch published contents from an OCI registry, called sget. sget is part of the sigstore project, and is a standalone client that allows you to retrieve scripts or binaries from any OCI registry.

Sigstore Project Update — April 2021

Time flies in open source! This post provides a few updates on Sigstore since our last update in March. We’ve been lucky to continue welcoming new community members and contributors, with 39 contributors from over 15 companies, and our Slack channel is rapidly approaching 300 members! Let’s jump into some more project updates:

Rekor

As mentioned above, the Rekor binary transparency log now natively supports signed JARs.

SSH is the new GPG

Not really. But kind of? Did you know that you probably already have a working PKI system for signing artifacts on your laptop today, with no keyservers, web-of-trust, or configuration? You can use it to sign files, and to find the public keys for other people and use them to verify files they signed. So why aren’t more people using this? I think it’s just gone overlooked because it’s a relatively new feature in a pretty old piece of software.