New Chainguard Academy tutorial: Cosign the manual way
If you’re the type of person who needs to understand the ins and outs of tools, you’re in good company. I have always wanted to know what's going on under the hood. Not necessarily at the syscall level (though this is fun!), but deep enough for it not to be magic when things break. With more vulnerabilities and attacks popping up all over the software supply chain, it is clear that we need to bring more security practices into our software lifecycles. Unfortunately, a lot of tools are challenging or frustrating to implement. When I first used Cosign, the software artifact signing CLI from the Sigstore project, I was amazed at how painless signing and verifying could be. In just three Cosign commands, you can create a public/private key pair, sign a text file, upload the signature to the Rekor transparency log and verify the signature of the message.
In a new Chainguard Academy tutorial released today, we dive deep into how to unpack Cosign the manual way. The tutorial starts simple and explores Cosign’s blob signing capabilities.

Blobs? Not that Blob, the 1958 drive-in smash (though it inspired the name), but an arbitrary collection of raw data like a picture or the executable binary that your source code produces. Cosign is capable of signing and verifying blobs. Spoiler: in the tutorial, we’ll be signing a spooky message.
Here’s a quick look at what you can expect to learn in the tutorial:
An overview of the tools you’ll need installed from your package manager of choice
How to generate a key pair using the RSA algorithm
Using keys to sign blob messages using SHA-256
How to upload signatures to the Rekor transparency log
How to trust, but also verify, your blob message against its signature
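To give a feel for what "the manual way" looks like before you open the tutorial, here is an added example (not the tutorial's own script) that walks the key pair, SHA-256 blob signature and verification steps with plain openssl; it assumes openssl is installed, uses a constructed message as the blob, and leaves out the Rekor upload step because that needs a network connection.

```shell
#!/bin/sh
# Added example: RSA key pair, SHA-256 blob signature and verification with openssl.
# Assumes openssl is on PATH. Rekor upload is omitted (requires network access).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Key pair: a 2048-bit RSA private key, with the public key extracted from it.
gen_keys() {
  openssl genrsa -out "$WORK/cosign.key" 2048 2>/dev/null
  openssl rsa -in "$WORK/cosign.key" -pubout -out "$WORK/cosign.pub" 2>/dev/null
}

# 2. Sign: openssl hashes the blob with SHA-256 and signs the digest with the private key.
#    Arguments: blob path, output path for the raw signature bytes.
sign_blob() {
  openssl dgst -sha256 -sign "$WORK/cosign.key" -out "$2" "$1"
}

# 3. Verify: recompute SHA-256 of the blob and check it against the signature using
#    only the public key. Exit status 0 means the signature matches, non-zero means not.
verify_blob() {
  openssl dgst -sha256 -verify "$WORK/cosign.pub" -signature "$2" "$1" >/dev/null 2>&1
}

# Demo with a constructed blob: sign it, verify it, then show that changing a single
# character in the blob makes verification fail.
demo() {
  gen_keys
  printf 'Boo! The spooky message.\n' > "$WORK/message.txt"   # constructed blob
  sign_blob "$WORK/message.txt" "$WORK/message.sig"
  if verify_blob "$WORK/message.txt" "$WORK/message.sig"; then
    echo "original blob: signature verified"
  else
    echo "original blob: verification FAILED"; return 1
  fi
  printf 'Boo! The spooky message!\n' > "$WORK/tampered.txt"  # one byte differs
  if verify_blob "$WORK/tampered.txt" "$WORK/message.sig"; then
    echo "tampered blob: verification unexpectedly succeeded"; return 1
  fi
  echo "tampered blob: signature rejected"
}

demo
```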
If this post and our new Chainguard Academy tutorial have you craving more, you can watch this SigstoreCon talk on the Life of a Sigstore Signature. I'm also planning a follow-up blog post and tutorial on how Cosign signs containers and stores signatures and attestations in OCI registries.
If you have any questions you can reach me @eddiezane!
Stay spooky…
Special thanks to Appu Goundan and Hayden Blauzvern.