Any OCI-compliant container can be run on any compliant Kubernetes cluster.
$ cosign verify --key cosign.pub x.artf.com/fajfer/image:exmpl
The following checks were performed on these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8"},"Type":"cosign container image signature"},"Optional":null}
$ cosign verify --key cosign.pub x.artf.com/fajfer/image:exmpl
Error: no matching signatures:
main.go:52: error during command execution: no matching signatures:
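The two verify runs above differ only in what cosign prints: a verified run ends with the signed payload, whose `Docker-manifest-digest` is what the signature actually covers (the tag is not signed), while a failed run prints only the error. The following is an added example, not code from the slides or from the cosign project: it parses verify output and answers the question a deployment gate actually has to answer, whether a verified signature exists over the digest that is about to run. Both the older one-object-per-line format with capitalised keys (as on the slide) and the newer JSON-array format with lowercase keys are handled; the sample outputs and the digest values are constructed.

```python
import json

# Constructed digest used by the samples below (not a real image digest).
SAMPLE_DIGEST = "sha256:" + "1" * 64

# Constructed sample modelled on the slide's older cosign output: checklist lines
# followed by one JSON payload object per verified signature.
SAMPLE_VERIFY_OUTPUT = (
    "The following checks were performed on these signatures:\n"
    "- The cosign claims were validated\n"
    "- The signatures were verified against the specified public key\n"
    + json.dumps({
        "Critical": {
            "Identity": {"docker-reference": ""},
            "Image": {"Docker-manifest-digest": SAMPLE_DIGEST},
            "Type": "cosign container image signature",
        },
        "Optional": None,
    })
    + "\n"
)

# Constructed sample in the newer cosign format: a JSON array with lowercase keys.
SAMPLE_VERIFY_OUTPUT_NEW = (
    "The following checks were performed on these signatures:\n"
    "- The cosign claims were validated\n"
    "- The signatures were verified against the specified public key\n"
    + json.dumps([{
        "critical": {
            "identity": {"docker-reference": "x.artf.com/fajfer/image"},
            "image": {"docker-manifest-digest": SAMPLE_DIGEST},
            "type": "cosign container image signature",
        },
        "optional": None,
    }])
    + "\n"
)

# Constructed sample of a failed run, as on the slide: no payload is printed at all.
SAMPLE_FAILED_OUTPUT = (
    "Error: no matching signatures:\n"
    "main.go:52: error during command execution: no matching signatures:\n"
)


def _get(mapping, key):
    """Case-insensitive key lookup: older cosign printed 'Critical', newer prints 'critical'."""
    if not isinstance(mapping, dict):
        return None
    for k, v in mapping.items():
        if k.lower() == key.lower():
            return v
    return None


def signed_digests(output):
    """Return the manifest digests covered by the verified signature payloads.

    Only lines that parse as a JSON object or array are considered; the human-readable
    checklist and any error text are skipped, so a failed run yields an empty list.
    """
    digests = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith(("{", "[")):
            continue
        try:
            parsed = json.loads(line)
        except json.JSONDecodeError:
            continue
        payloads = parsed if isinstance(parsed, list) else [parsed]
        for payload in payloads:
            critical = _get(payload, "Critical")
            if _get(critical, "Type") != "cosign container image signature":
                continue
            digest = _get(_get(critical, "Image"), "Docker-manifest-digest")
            if isinstance(digest, str) and digest.startswith("sha256:"):
                digests.append(digest)
    return digests


def signature_covers(output, resolved_digest):
    """True only if some verified signature is over the digest we are about to run.

    The signature binds the manifest digest, not the tag, so the caller must resolve
    the tag to a digest first (or deploy by digest) and compare that value.
    """
    return resolved_digest in signed_digests(output)


if __name__ == "__main__":
    for label, out in [("old format", SAMPLE_VERIFY_OUTPUT),
                       ("new format", SAMPLE_VERIFY_OUTPUT_NEW),
                       ("failed run", SAMPLE_FAILED_OUTPUT)]:
        print(label, "covers", SAMPLE_DIGEST[:16] + "...:", signature_covers(out, SAMPLE_DIGEST))
```

Note that the slide's payload has an empty `docker-reference`, so that identity field cannot be relied on to tie the signature to a name; comparing the digest is the check that holds regardless.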
audit and enforce
In both cases we can either stand up a self-hosted instance or use the publicly available ones.
The Rekor UUID for this release is 108e9186e8c5677a294d223044005f4caffd3b6b20afcfcc96849fd9b2cdbcb170ca741ab440fb83
Obtain the attestation:
REKOR_UUID=108e9186e8c5677a294d223044005f4caffd3b6b20afcfcc96849fd9b2cdbcb170ca741ab440fb83
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .
Verify that all container images in the attestation are in the release file:
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.62.4/release.yaml
REKOR_UUID=108e9186e8c5677a294d223044005f4caffd3b6b20afcfcc96849fd9b2cdbcb170ca741ab440fb83
# Obtain the list of images with their sha256 digests from the attestation subjects
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.62.4@sha256:" + .digest.sha256')
# Download the release file
curl "$RELEASE_FILE" > release.yaml
# For each image in the attestation, look for the same digest-pinned reference in the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf '%s' "$image"; grep -q -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match"
done
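The grep loop above answers "does this exact string occur in release.yaml", which cannot tell a wrong digest from an image that is absent or referenced by tag only. The following is an added example, not Tekton's or the slide author's code: it reimplements the same check in Python so it runs offline without rekor-cli or jq, takes the attestation JSON that `rekor-cli get ... | jq -r .Attestation` would return, and reports per image whether the release manifest pins it to the attested digest. The attestation, the manifest excerpt, the image names and all digests are constructed for the example.

```python
import json
import re

# Constructed attestation in the in-toto Statement shape that Tekton's provenance uses;
# names and digests are made up.
SAMPLE_ATTESTATION = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [
        {"name": "gcr.io/example/controller", "digest": {"sha256": "a" * 64}},
        {"name": "gcr.io/example/webhook", "digest": {"sha256": "b" * 64}},
        {"name": "gcr.io/example/events", "digest": {"sha256": "c" * 64}},
        {"name": "gcr.io/example/entrypoint", "digest": {"sha256": "e" * 64}},
        {"name": "gcr.io/example/resolvers", "digest": {"sha256": "f" * 64}},
    ],
    "predicate": {},
})

# Constructed release manifest excerpt: two images match, one carries a different
# digest, one is referenced by tag only, and one attested image is not shipped at all.
SAMPLE_RELEASE_YAML = "\n".join([
    "      containers:",
    "      - name: controller",
    "        image: gcr.io/example/controller:v0.62.4@sha256:" + "a" * 64,
    "      - name: webhook",
    '        image: "gcr.io/example/webhook:v0.62.4@sha256:' + "b" * 64 + '"',
    "      - name: events",
    "        image: gcr.io/example/events:v0.62.4@sha256:" + "d" * 64,
    "      - name: entrypoint",
    "        image: gcr.io/example/entrypoint:v0.62.4",
])

# Matches 'image: <ref>' lines (optionally quoted, optionally as a list item).
IMAGE_REF = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^\s'\"]+)", re.MULTILINE)


def image_name(ref_without_digest):
    """Strip a trailing ':tag' (but not a registry port such as host:5000/...)."""
    head, sep, last = ref_without_digest.rpartition("/")
    return head + sep + last.split(":", 1)[0]


def split_ref(ref):
    """Split 'name[:tag]@sha256:<hex>' into (name, hex); None when not digest-pinned."""
    name_tag, sep, digest = ref.rpartition("@sha256:")
    if not sep or not re.fullmatch(r"[0-9a-f]{64}", digest):
        return None
    return image_name(name_tag), digest


def attested_images(attestation_json):
    """Return {name: sha256 hex} for every subject in the attestation."""
    statement = json.loads(attestation_json)
    return {s["name"]: s["digest"]["sha256"] for s in statement["subject"]}


def release_images(release_yaml):
    """Return {name: sha256 hex or None} for every image reference in the manifest.

    A tag-only reference anywhere marks the image as unpinned (None): a tag can be
    moved, so it cannot be matched against an attestation.
    """
    found = {}
    for ref in IMAGE_REF.findall(release_yaml):
        parsed = split_ref(ref)
        if parsed is None:
            found[image_name(ref)] = None
        elif found.get(parsed[0], parsed[1]) is not None:
            found[parsed[0]] = parsed[1]
    return found


def check_release(attestation_json, release_yaml):
    """Compare attested subjects with the release manifest.

    Returns (ok, report); report maps each attested image name to 'ok',
    'digest mismatch', 'unpinned in release' or 'missing from release'.
    ok is True only when every attested image is pinned to its attested digest.
    """
    attested = attested_images(attestation_json)
    shipped = release_images(release_yaml)
    report = {}
    for name, digest in attested.items():
        if name not in shipped:
            report[name] = "missing from release"
        elif shipped[name] is None:
            report[name] = "unpinned in release"
        elif shipped[name] != digest:
            report[name] = "digest mismatch"
        else:
            report[name] = "ok"
    return all(v == "ok" for v in report.values()), report


if __name__ == "__main__":
    ok, report = check_release(SAMPLE_ATTESTATION, SAMPLE_RELEASE_YAML)
    for name, status in report.items():
        print(name, "===>", status)
    raise SystemExit(0 if ok else 1)
```

The exit status makes the check usable as a CI gate; in a real run, replace the two constructed inputs with the output of `rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation` and the downloaded release.yaml.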