Sign container images with Cosign and SignServer

Signed container images can be created with SignServer together with Cosign. A signed container image allows you to verify where an image came from, to ensure it was not tampered with and that only trusted images are pulled into your systems.

Cosign for container signing with SignServer

A container signature identifies and authenticates who signed the image and carries a signed payload in a JSON file that identifies the signed image.

Cosign is a tool for container signing and verification from the Sigstore project of the Linux Foundation. It allows storing signatures alongside an image or artifact in the Open Container Initiative (OCI) registry. Combining Cosign with SignServer adds centralized signing, secure key management, and a way to harmonize signing processes. For more information about Cosign, see the Cosign Documentation.

How to get started

To sign a container image, you first use Cosign to generate a payload containing the digest of the container image. Then, use SignServer to sign the payload and finally attach the signed payload to the container image in the registry using Cosign.

Cosign can later be used to verify that the digest in the signature payload matches the digest of the container image that the signature is attached to.
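The digest comparison described above, as an added Python example (not code from SignServer, Cosign or this tutorial). It assumes the payload uses Cosign's simple-signing JSON layout (`critical.image.docker-manifest-digest`, `critical.identity.docker-reference`, `critical.type`), uses constructed sample data, and does not verify the SignServer signature over the payload bytes, which Cosign checks separately.

```python
import hashlib
import json

COSIGN_TYPE = "cosign container image signature"  # "type" value in Cosign's payload


def manifest_digest(manifest_bytes):
    """Image digest: SHA-256 over the exact manifest bytes served by the registry."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def check_payload(payload_bytes, manifest_bytes, expected_repo):
    """Return a list of problems; an empty list means the payload names this image."""
    try:
        critical = json.loads(payload_bytes)["critical"]
        sig_type = critical["type"]
        claimed_digest = critical["image"]["docker-manifest-digest"]
        claimed_repo = critical["identity"]["docker-reference"]
    except (ValueError, KeyError, TypeError) as exc:
        return ["malformed payload: %r" % (exc,)]
    problems = []
    if sig_type != COSIGN_TYPE:
        problems.append("unexpected payload type: %r" % (sig_type,))
    if claimed_digest != manifest_digest(manifest_bytes):
        problems.append("payload digest does not match image manifest")
    if claimed_repo != expected_repo:  # extra policy check added in this example
        problems.append("payload names a different repository")
    return problems


# Constructed sample data (not from a real registry).
REPO = "registry.example.com/demo/app"
MANIFEST = b'{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[]}'
PAYLOAD = json.dumps({
    "critical": {
        "identity": {"docker-reference": REPO},
        "image": {"docker-manifest-digest": manifest_digest(MANIFEST)},
        "type": COSIGN_TYPE,
    },
    "optional": None,
}).encode()

if __name__ == "__main__":
    print(check_payload(PAYLOAD, MANIFEST, REPO))         # matching image
    print(check_payload(PAYLOAD, MANIFEST + b" ", REPO))  # manifest changed after signing
```

Because the signature covers the payload bytes and the payload carries the manifest digest, any change to the image manifest after signing shows up as a digest mismatch even though the signature itself is still valid.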

The following video tutorial will demonstrate how you can use SignServer to sign a payload generated by Cosign and use Cosign to verify the signed container image.

We will show how to: 

  • Create signing key and CSR in SignServer
  • Issue signing certificate
  • Activate signing worker in SignServer
  • Create Docker container image
  • Create container signature payload with Cosign
  • Sign payload with SignServer
  • Attach signed payload to container with Cosign
  • Verify signed container image with Cosign

Prerequisites

  • This tutorial uses an Arch Linux installation and SignServer Community and EJBCA Community Docker containers.
  • In addition, before you begin with this tutorial, you need an instance of SignServer and EJBCA running.

 

Documentation

Check out the supplementary documentation that goes hand-in-hand with our tutorial video.

Docker Hub

Get your hands on the SignServer Docker container by downloading it now from Docker Hub.

YouTube

Take a peek at our tutorial video on YouTube, and browse through some of our other videos as well.

Discussions

Join our discussions to ask questions and share ideas.
