Cosign
This README outlines how this validation framework can be used to verify signatures generated using cosign. The verifier is added as a plugin to the framework that uses cosign packages to invoke the verification of an image. Cosign verifier works with remote registry that can provide cosign related artifacts linked as specially formatted tag to the subject artifact. It also is compatible with OCI 1.1 supported Cosign which pushes the signature OCI Image as a referrer to the subject image. (Note: this is currently experimental for cosign) It works only with oras referrer store plugin that uses the OCI registry API to discover and fetch the artifacts.
Fallback in OCIRegistry store
A configuration flag called cosignEnabled is introduced to the plugin configuration. If this flag is enabled, the ListReferrers API will attempt to query for the cosign signatures for a subject in addition to the references queried using referrers API. If cosignEnabled is false, then only OCI 1.1 compatible Cosign signatures will be considered. All the cosign signatures are returned as the reference artifacts with the artifact type application/vnd.dev.cosign.artifact.sig.v1+json This option will enable to verify cosign signatures against any registry including the ones that don't support the notaryproject's referrers API.
Signing
Please refer cosign documentation on how to sign an image using cosign using key-pair based signatures and keyless signatures.
Verification
Key-pair based verification
This section outlines how to use ratify to verify the signatures signed using key pairs.
Following is an example ratify config with cosign verifier. Please note the key refers to the public key generated by cosign generate-key-pair command. It is used to verify the signature signed by cosign.
Configuration
Kubernetes
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
name: verifier-cosign
spec:
name: cosign
artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
parameters:
key: /path/to/cosign.pub
---
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Store
metadata:
name: store-oras
spec:
name: oras
parameters:
cacheEnabled: true
cosignEnabled: true
ttl: 10
CLI
{
"store": {
"version": "1.0.0",
"plugins": [
{
"name": "oras",
"cosignEnabled": true
}
]
},
"policy": {
"version": "1.0.0",
"plugin": {
"name": "configPolicy",
"artifactVerificationPolicies": {
"application/vnd.dev.cosign.artifact.sig.v1+json": "any"
}
}
},
"verifier": {
"version": "1.0.0",
"plugins": [
{
"name":"cosign",
"artifactTypes": "application/vnd.dev.cosign.artifact.sig.v1+json",
"key": "/path/to/cosign.pub"
}
]
}
}
Usage
$ ratify verify --config ~/.ratify/config.json --subject myregistry.io/example/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
{
"isSuccess": true,
"verifierReports": [
{
"subject": "myregistry.io/example/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4",
"isSuccess": true,
"name": "cosign",
"message": "cosign verification success. valid signatures found",
"extensions":
{
"signatures": [
{
"bundleVerified": false,
"isSuccess": true,
"signatureDigest": "sha256:abc123"
}
]
},
"artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json"
}
]
}
Keyless Verification
This section outlines how to use ratify to verify the signatures signed using keyless signatures.
[!WARNING] Cosign keyless verification may result in verification timeout due to Fulcio and Rekor server latencies
Configuration
Kubernetes
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
name: verifier-cosign
spec:
name: cosign
artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
parameters:
rekorURL: https://rekor.sigstore.dev
---
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Store
metadata:
name: store-oras
spec:
name: oras
parameters:
cacheEnabled: true
cosignEnabled: true
ttl: 10
CLI
{
"store": {
"version": "1.0.0",
"plugins": [
{
"name": "oras",
"cosignEnabled": true
}
]
},
"policy": {
"version": "1.0.0",
"plugin": {
"name": "configPolicy",
"artifactVerificationPolicies": {
"application/vnd.dev.cosign.artifact.sig.v1+json": "any"
}
}
},
"verifier": {
"version": "1.0.0",
"plugins": [
{
"name":"cosign",
"artifactTypes": "application/vnd.dev.cosign.artifact.sig.v1+json",
"rekorURL": "https://rekor.sigstore.dev"
}
]
}
}
Please note that the key is not specified in the config. This is because the keyless verification uses ephemeral keys and certificates, which are signed automatically by the fulcio root CA. Signatures are stored in the Rekor transparency log, which automatically provides an attestation as to when the signature was created.
The rekorURL MUST be provided for keyless verification. Otherwise, signature validation will fail.
If using a custom Rekor transparency log instance, you can customize the Rekor URL using the rekorURL field.
Usage
$ ratify verify --config ~/.ratify/config.json --subject myregistry.io/example/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
{
"isSuccess": true,
"verifierReports": [
{
"subject": "myregistry.io/example/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4",
"isSuccess": true,
"name": "cosign",
"message": "cosign verification success. valid signatures found",
"extensions":
{
"signatures": [
{
"bundleVerified": true,
"isSuccess": true,
"signatureDigest": "sha256:abc123"
}
]
},
"artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json"
}
]
}