Signed container images can be created with SignServer together with Cosign. A signed container image allows you to verify where an image came from, to ensure it was not tampered with and that only trusted images are pulled into your systems.
A container signature identifies and authenticates who signed the image and carries a signed payload in a JSON file that identifies the signed image.
Cosign is a tool for container signing and verification from the Sigstore project of the Linux Foundation. It stores signatures alongside an image or artifact in the Open Container Initiative (OCI) registry. Combining Cosign with SignServer adds centralized signing, secure key management, and a way to harmonize signing processes across teams. For more information about Cosign, see the Cosign documentation.
To sign a container image, first use Cosign to generate a payload containing the digest of the container image. Then use SignServer to sign that payload, and finally use Cosign to attach the signed payload to the container image in the registry.
Cosign can later verify that the digest in the signature payload matches the digest of the container image the signature is attached to, so a signature cannot simply be copied onto a different image.
The following video tutorial demonstrates how to use SignServer to sign a payload generated by Cosign, and then use Cosign to verify the signed container image.