1
0
Fork 0
mirror of https://github.com/imjasonh/shipwright-cosign-example synced 2026-07-15 04:35:35 +00:00
shipwright-cosign-example/README.md
2021-04-01 22:10:06 -04:00

84 lines
2.8 KiB
Markdown

# Demo: Using [`cosign`](https://github.com/sigstore/cosign) natively in [Shipwright](https://shipwright.io)
1. Install dependencies:
- latest Tekton release
- forked Shipwright with signing support, built from [this fork](https://github.com/imjasonh/build-1/tree/sign).
- the `kaniko` ClusterBuildStrategy
```
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
kubectl apply -f https://raw.githubusercontent.com/ImJasonH/shipwright-cosign-example/main/shipwright-fork.yaml
kubectl apply -f https://raw.githubusercontent.com/shipwright-io/build/master/samples/buildstrategy/kaniko/buildstrategy_kaniko_cr.yaml
```
2. Set up auth:
- the `build-bot` ServiceAccount
- and `passphrase` Secret
- and registry secret to authorize image pushes
```
kubectl apply -f https://raw.githubusercontent.com/ImJasonH/shipwright-cosign-example/main/sa.yaml
kubectl apply -f https://raw.githubusercontent.com/ImJasonH/shipwright-cosign-example/main/secret.yaml
kubectl create secret generic dockerhub-dockerconfig \
--from-file=.dockerconfigjson=$HOME/.docker/config.json \
--type=kubernetes.io/dockerconfigjson
```
3. Define the Build:
```
kubectl apply -f https://raw.githubusercontent.com/ImJasonH/shipwright-cosign-example/main/build.yaml
```
...then edit it to push to your Dockerhub user:
```
kubectl edit build kaniko-build
```
...and modify the `image`:
```
output:
image: index.docker.io/imjasonh/signed # <-- edit here
credentials:
name: dockerhub-dockerconfig
```
---
Up until this point, everything is the standard process for installing, setting up, and using Shipwright.
This Build, however, includes a new `.spec.sign` field, which describes how to sign the built image:
```
sign:
keyPath: cosign.key
passphrase:
name: passphrase
```
This tells Shipwright to use the [`cosign.key` in this repo](./cosign.key) to sign the built image.
The key is encrypted, and the Secret named `passphrase` specifies the passphrase to decrypt it.
---
4. Create a BuildRun to execute the Build:
```
kubectl create -f https://raw.githubusercontent.com/ImJasonH/shipwright-cosign-example/main/buildrun.yaml
```
5. Finally, verify the image is signed, using [the public key](./cosign.pub):
```
$ cosign verify -key cosign.pub imjasonh/signed # <-- your image here
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.
- WARNING - THE CERTIFICATE EXPIRY WAS NOT CHECKED. set COSIGN_EXPERIMENTAL=1 to check!
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:c2e2943023baf0ccbe96db5bf21dc5e181bc597e7d5afb87750611ae10615a66"},"Type":"cosign container signature"},"Optional":null}
```
:tada: