If you’re the type of person who needs to understand the ins and outs of tools, you’re in good company. I have always wanted to know what's going on under the hood: not necessarily at the syscall level (though that is fun!), but deep enough that it isn't magic when things break. With more vulnerabilities and attacks popping up across the software supply chain, it is clear that we need to bring more security practices into our software lifecycles. Unfortunately, many tools are challenging or frustrating to adopt. When I first used Cosign, the software artifact signing CLI from the Sigstore project, I was amazed at how painless signing and verifying could be. With just three Cosign commands you can create a public/private key pair, sign a text file (uploading the signature to the Rekor transparency log along the way), and verify the signature.
In a new Chainguard Academy tutorial released today, we dive into Cosign by unpacking what it does, the manual way. The tutorial starts simple and explores Cosign’s blob signing capabilities.
Blobs? Not that Blob, the 1958 drive-in smash (though it did inspire the name), but an arbitrary collection of raw data: a picture, say, or the executable binary that your source code produces. Cosign can sign and verify blobs. Spoiler: in the tutorial, we’ll be signing a spooky message.
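To show what those three commands boil down to under the hood, here is an added example in Go (Cosign's own language) that is not code from the tutorial or from the Cosign project. It assumes Cosign's defaults as I understand them: `cosign generate-key-pair` produces an ECDSA P-256 key and writes the public half to cosign.pub as PEM, `cosign sign-blob` signs the SHA-256 digest of the blob and prints the ASN.1 DER signature base64-encoded, and `cosign verify-blob` re-hashes the blob and checks that signature against the key. Two things Cosign also does are deliberately left out: password-encrypting the private key on disk and uploading the signature to Rekor. The blob contents are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// Constructed sample input standing in for the tutorial's spooky message.
const sampleBlob = "Boo! This blob was signed with an ECDSA P-256 key.\n"

// generateKeyPair mirrors `cosign generate-key-pair`: a fresh ECDSA P-256 key.
// Assumption: Cosign's password encryption of cosign.key is not modelled.
func generateKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// publicKeyPEM renders the public key the way cosign.pub stores it:
// PKIX DER inside a "PUBLIC KEY" PEM block.
func publicKeyPEM(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// parsePublicKeyPEM reads a cosign.pub-style PEM block back into a key,
// rejecting anything that is not an ECDSA public key.
func parsePublicKeyPEM(pemText string) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("not an ECDSA public key")
	}
	return pub, nil
}

// signBlob mirrors the signing step of `cosign sign-blob`: SHA-256 the blob,
// sign the digest with ECDSA, and base64-encode the ASN.1 DER signature (the
// form cosign prints). The Rekor upload that sign-blob also performs is omitted.
func signBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifyBlob mirrors the local check in `cosign verify-blob`: re-hash the blob
// and verify the decoded signature against the public key. A mismatch (tampered
// blob, wrong key) returns false rather than an error; only malformed input errors.
func verifyBlob(pub *ecdsa.PublicKey, blob []byte, sigB64 string) (bool, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false, fmt.Errorf("signature is not valid base64: %w", err)
	}
	digest := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

func main() {
	priv, err := generateKeyPair()
	if err != nil {
		panic(err)
	}
	pubPEM, _ := publicKeyPEM(&priv.PublicKey)
	sig, err := signBlob(priv, []byte(sampleBlob))
	if err != nil {
		panic(err)
	}
	fmt.Print(pubPEM) // what cosign.pub would contain
	fmt.Println("signature:", sig)
	ok, _ := verifyBlob(&priv.PublicKey, []byte(sampleBlob), sig)
	fmt.Println("original blob verifies:", ok)
	ok, _ = verifyBlob(&priv.PublicKey, []byte(sampleBlob+"!"), sig)
	fmt.Println("tampered blob verifies:", ok)
}
```

If you save the printed PEM as cosign.pub, the base64 line as sig.b64 and the blob as blob.txt, the real CLI should accept the result with `cosign verify-blob --key cosign.pub --signature sig.b64 blob.txt`; on Cosign 2.x you also need `--insecure-ignore-tlog`, because nothing here was recorded in Rekor. That flag is exactly the point of the transparency log: without the Rekor entry you are trusting only the key, not a public, append-only record of when and what it signed.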
Here’s a quick look at what you can expect to learn in the tutorial:
If this post and our new Chainguard Academy tutorial have you craving more, you can watch this SigstoreCon talk on the Life of a Sigstore Signature. I'm also planning a follow-up blog post and tutorial on how Cosign signs containers and stores signatures and attestations in OCI registries.
If you have any questions you can reach me @eddiezane!