DEV Community

Alex Spinov
Cosign Has a Free API: Sign and Verify Container Images Without GPG Complexity

Why Cosign Exists

Container supply chain attacks are real. Cosign by Sigstore makes signing and verifying container images dead simple — keyless signing with OIDC, no GPG key management headaches.

Install

brew install cosign
# or
go install github.com/sigstore/cosign/v2/cmd/cosign@latest

Keyless Signing (Recommended)

# Sign an image (opens browser for OIDC auth)
cosign sign ghcr.io/myorg/myapp:v1.0.0

# Verify the signature
cosign verify ghcr.io/myorg/myapp:v1.0.0 \
  --certificate-identity=dev@example.com \
  --certificate-oidc-issuer=https://accounts.google.com

No keys to manage. Your identity is verified through Google, GitHub, or Microsoft OIDC.

Key-Based Signing

# Generate a keypair
cosign generate-key-pair

# Sign with private key
cosign sign --key cosign.key ghcr.io/myorg/myapp:v1.0.0

# Verify with public key
cosign verify --key cosign.pub ghcr.io/myorg/myapp:v1.0.0

Sign in CI/CD (GitHub Actions)

name: Sign Image
on: push
jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request the OIDC token Fulcio needs
      packages: write   # lets cosign push the signature to ghcr.io
    steps:
      # Pin the installer to a release tag (or a commit SHA) rather than a
      # moving branch, so the signing tool itself is not a supply-chain risk.
      - uses: sigstore/cosign-installer@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Assumes an earlier step (not shown) built and pushed the image.
      # --yes skips the interactive Rekor upload confirmation, which would
      # otherwise block a non-interactive runner. Prefer signing the digest
      # (ghcr.io/...@sha256:...) over a tag, since a tag can be moved later.
      - name: Sign image
        run: cosign sign --yes ghcr.io/${{ github.repository }}:${{ github.sha }}
        env:
          COSIGN_EXPERIMENTAL: 1  # only needed for cosign v1; keyless is the default in v2

Verify in Kubernetes with Kyverno

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  # Enforce rejects Pods that fail verification; the default (Audit) only reports them.
  validationFailureAction: Enforce
  rules:
    - name: verify-cosign
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences: ["ghcr.io/myorg/*"]
          attestors:
            - entries:
                - keyless:
                    subject: "*@myorg.com"
                    issuer: "https://accounts.google.com"
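As an added example (not from the post or from the Sigstore project): a Python check that applies the same policy the Kyverno rule above encodes (subject glob plus issuer) to the JSON that `cosign verify --output json` prints, and additionally pins the signature to the exact digest being deployed, which is what makes a keyless verification useful as an admission decision. The sample payload, `GOOD_DIGEST`, and all function names are constructed for this illustration.

```python
import fnmatch
import json
import subprocess

# Constructed sample of what `cosign verify --output json` prints for one
# keyless signature (simple-signing payload with Fulcio identity fields).
GOOD_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/myorg/myapp"},
        "image": {"docker-manifest-digest": GOOD_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {"Issuer": "https://accounts.google.com",
                 "Subject": "dev@myorg.com"},
}])


def cosign_verify_json(image, identity, issuer):
    """Run the real CLI (cosign must be installed) and parse its JSON output."""
    out = subprocess.run(
        ["cosign", "verify", "--output", "json",
         "--certificate-identity", identity,
         "--certificate-oidc-issuer", issuer, image],
        check=True, capture_output=True, text=True).stdout
    return parse_verify_output(out)


def parse_verify_output(text):
    """cosign prints a JSON array with one payload per valid signature."""
    return json.loads(text)


def check_signature_policy(payloads, expected_digest, subject_glob, issuer):
    """Admit only if some signature covers the exact digest we will run
    and was issued by `issuer` to a Subject matching `subject_glob`."""
    if not payloads:
        return False, "no valid signatures returned"
    for p in payloads:
        digest = p.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        opt = p.get("optional") or {}
        if digest != expected_digest:
            continue  # signature belongs to another digest (e.g. the tag was moved)
        if opt.get("Issuer") != issuer:
            continue  # signed via an OIDC provider we do not trust
        if not fnmatch.fnmatchcase(opt.get("Subject", ""), subject_glob):
            continue  # signer identity is outside the allowed org
        return True, f"{opt['Subject']} via {issuer} signed {digest}"
    return False, "no signature matches digest, issuer and subject policy"
```

Resolve the tag to a digest first (for example with `crane digest`) and pass that digest in, so a tag re-pointed after signing cannot pass the check.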

Attach SBOMs to Images

# Generate SBOM with Trivy
trivy image --format cyclonedx -o sbom.json ghcr.io/myorg/myapp:v1.0.0

# Attach SBOM to image (stored as an unsigned OCI artifact next to the image;
# `cosign attach sbom` is deprecated in favour of `cosign attest`)
cosign attach sbom --sbom sbom.json ghcr.io/myorg/myapp:v1.0.0

# Record the SBOM as a signed in-toto attestation instead, so it can be verified
cosign attest --yes --type cyclonedx --predicate sbom.json ghcr.io/myorg/myapp:v1.0.0

# Verify the SBOM attestation (keyless verification requires identity and issuer)
cosign verify-attestation --type cyclonedx \
  --certificate-identity=dev@example.com \
  --certificate-oidc-issuer=https://accounts.google.com \
  ghcr.io/myorg/myapp:v1.0.0

Key Features

  • Keyless signing — OIDC-based, no key management
  • Transparency log — all signatures recorded in Rekor
  • SBOM attestation — attach and verify supply chain metadata
  • K8s policy — enforce signed images with Kyverno or OPA
  • Sigstore ecosystem — part of Linux Foundation

Need to audit container registries, verify image signatures, or extract supply chain data? Check out my Apify tools or email spinov001@gmail.com for custom solutions.
