mirror of
https://github.com/imjasonh/shipwright-cosign-example
synced 2026-07-07 00:22:37 +00:00
3.1 KiB
3.1 KiB
Demo: Using cosign natively in Shipwright
- Install dependencies:
- latest Tekton release
- forked Shipwright with signing support, built from this fork.
- the
kanikoClusterBuildStrategy
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
kubectl apply -f https://raw.githubusercontent.com/ImJasonH/shipwright-cosign-example/main/shipwright-fork.yaml
kubectl apply -f https://raw.githubusercontent.com/shipwright-io/build/master/samples/buildstrategy/kaniko/buildstrategy_kaniko_cr.yaml
- Set up auth:
- the
build-botServiceAccount - and
passphraseSecret - and registry secret to authorize image pushes
- the
kubectl apply -f https://raw.githubusercontent.com/ImJasonH/shipwright-cosign-example/main/sa.yaml
kubectl apply -f https://raw.githubusercontent.com/ImJasonH/shipwright-cosign-example/main/secret.yaml
kubectl create secret generic dockerhub-dockerconfig \
--from-file=.dockerconfigjson=$HOME/.docker/config.json \
--type=kubernetes.io/dockerconfigjson
- Define the Build:
This Build clones this repo, builds it using it Kaniko, and pushes it to DockerHub.
kubectl apply -f https://raw.githubusercontent.com/ImJasonH/shipwright-cosign-example/main/build.yaml
By default, it's configured to push to my DockerHub user. Unless you're me, this won't work.
You'll want to edit the Build:
kubectl edit build kaniko-build
...and modify the image section to push to your user:
output:
image: index.docker.io/imjasonh/signed # <-- edit here
credentials:
name: dockerhub-dockerconfig
Up until this point, everything is the fairly standard process for installing, setting up, and using Shipwright.
This Build, however, includes a new .spec.sign section, which describes how to sign the built image:
sign:
keyPath: cosign.key
passphrase:
name: passphrase
This tells Shipwright to use the cosign.key in this repo to sign the built image.
The key is encrypted, and the Secret named passphrase specifies the passphrase to decrypt it.
- Create a BuildRun to execute the Build:
kubectl create -f https://raw.githubusercontent.com/ImJasonH/shipwright-cosign-example/main/buildrun.yaml
- Finally, verify the image is signed, using the public key:
$ cosign verify -key cosign.pub imjasonh/signed # <-- your image here
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.
- WARNING - THE CERTIFICATE EXPIRY WAS NOT CHECKED. set COSIGN_EXPERIMENTAL=1 to check!
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:c2e2943023baf0ccbe96db5bf21dc5e181bc597e7d5afb87750611ae10615a66"},"Type":"cosign container signature"},"Optional":null}
🎉