Cosign

How we use cosign in cos-toolkit

Cosign is a project that signs and verifies containers and stores the signatures on OCI registries.

You can check the cosign github repo for more information.

In cos-toolkit we sign every container we generate as part of our publish process, so the signature can be verified during package installation with luet, or during deploys/upgrades of a deployed system, to confirm that the containers have not been altered in any way since they were built.

Currently cosign provides 2 methods for signing and verifying.

  • private/public key
  • keyless

We use keyless signatures based on OIDC identity tokens provided by GitHub, so there are no private keys that anyone could access or misuse. (For more info about keyless signing/verification check here)

This signature generation is provided by luet-cosign, a luet plugin that generates the signatures on image push when building, and verifies them on package unpack when installing/upgrading/deploying.

The process is completely transparent to the end user when upgrading/deploying a running system and using our published artifacts.

When using luet-cosign as part of luet install, you need to set COSIGN_REPOSITORY=raccos/releases-green and COSIGN_EXPERIMENTAL=1 so it can find the proper signatures and use keyless verification.

Derivatives

If building a derivative, you can also sign and verify your final artifacts with the use of luet-cosign.

As keyless signing is only possible in a CI environment (as it needs an OIDC token), you would need to set up private/public key signing and verification.

Verify cos-toolkit artifacts as part of derivative building

If you consume cos-toolkit artifacts in your Dockerfile as part of building a derivative you can verify the signatures of the artifacts by setting:

ENV COSIGN_REPOSITORY=raccos/releases-green
ENV COSIGN_EXPERIMENTAL=1
RUN luet install -y meta/cos-verify # install dependencies for signature checking

Then make sure you call luet with --plugin luet-cosign. You can see an example of this in our standard Dockerfile example.

That would verify the artifacts coming from our repository.

For signing resulting containers with a private/public key, please refer to the cosign documents.

For verifying with a private/public key, the only thing you need is to set the env var COSIGN_PUBLIC_KEY_LOCATION to point to the public key that was used for signing, and enable the luet-cosign plugin.
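The two verification setups above (keyless via COSIGN_REPOSITORY plus COSIGN_EXPERIMENTAL=1, or key-based via COSIGN_PUBLIC_KEY_LOCATION) are easy to get half-configured, in which case luet would install unverified packages. The following wrapper is an added example, not part of cos-toolkit or luet-cosign: it checks which mode is configured and refuses to build a luet install command line unless one of them is complete and the plugin flag is present. LUET_BIN is an assumed knob so the script can be dry-run; the package names are only illustrative.

```shell
#!/bin/sh
# Wrapper around "luet install" that refuses to run unless cosign
# verification is fully configured. Prints the command it would run.

cosign_mode() {
  # Prints "key", "keyless" or "none" based on the environment.
  # Key-based verification takes precedence when a public key is given.
  if [ -n "$COSIGN_PUBLIC_KEY_LOCATION" ]; then
    if [ -r "$COSIGN_PUBLIC_KEY_LOCATION" ]; then
      echo "key"; return 0
    fi
    echo "none"; return 1          # key path set but unreadable
  fi
  # Keyless needs both the signature repository and the experimental flag.
  if [ -n "$COSIGN_REPOSITORY" ] && [ "$COSIGN_EXPERIMENTAL" = "1" ]; then
    echo "keyless"; return 0
  fi
  echo "none"; return 1
}

luet_verified_install() {
  # Usage: luet_verified_install <package>...
  # Sets LUET_CMD and prints "[mode] <command>"; fails if unverifiable.
  mode=$(cosign_mode) || {
    echo "refusing to install: cosign verification is not configured" >&2
    return 1
  }
  # --plugin luet-cosign makes luet check signatures on package unpack.
  LUET_CMD="${LUET_BIN:-luet} install --plugin luet-cosign -y $*"
  echo "[$mode] $LUET_CMD"
}
```

Run it with the environment from the Dockerfile snippet above and it prints the keyless install command; with nothing set it exits non-zero before touching luet.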


Last modified May 6, 2022 : Skip generating docs (d29a239)