This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.
Software Signing
Why Sign Software?
Software signing verifies the origin and integrity of code. It ensures that artifacts haven't been tampered with and come from a trusted source.
GPG Signing
Traditional signing with PGP/GPG:
Generate GPG key
```bash
gpg --full-generate-key
gpg --armor --export "developer@example.com" > public.key
```
Sign artifacts
```bash
gpg --armor --detach-sign myapp.tar.gz
gpg --verify myapp.tar.gz.asc myapp.tar.gz
```
Sign git commits
```bash
git config commit.gpgsign true
git config user.signingkey KEY_ID
git commit -S -m "Signed commit"
```
Programmatic GPG verification
```python
import gnupg  # python-gnupg, a wrapper around the gpg binary


def verify_signature(artifact, signature_file):
    """Verify a detached signature (e.g. myapp.tar.gz.asc) over `artifact`."""
    gpg = gnupg.GPG()
    with open(signature_file, "rb") as sf:
        # verify_file(signature_fileobj, data_filename) checks a detached signature
        verified = gpg.verify_file(sf, artifact)
    if verified.valid:
        return {
            "valid": True,
            "fingerprint": verified.fingerprint,
            "username": verified.username,
            "timestamp": verified.timestamp,
        }
    return {"valid": False}
```
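The function above only tells you that some key produced a valid signature; it does not tell you whether that key is one you trust. The following added example (not from the original article) pins the accepted signer fingerprints and goes a step beyond the direct tarball signing shown above: it verifies a detached signature over a SHA256SUMS manifest, then checks each listed artifact's hash, failing closed on any mismatch. The fingerprint in TRUSTED_FINGERPRINTS is a constructed placeholder, and the gpg call assumes python-gnupg with a gpg binary on the system.

```python
import hashlib

# Fingerprints of release-signing keys we accept (constructed placeholder; pin your real ones).
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def check_signer(valid, fingerprint, status, trusted=TRUSTED_FINGERPRINTS):
    """A cryptographically valid signature is not enough: the key must be one we pinned."""
    if not valid:
        raise ValueError(f"signature invalid: {status}")
    if fingerprint not in trusted:
        raise ValueError(f"valid signature, but from untrusted key {fingerprint}")
    return fingerprint

def verify_manifest_signature(manifest_path, signature_path, trusted=TRUSTED_FINGERPRINTS):
    """Verify SHA256SUMS.asc, a detached signature over SHA256SUMS (python-gnupg + gpg)."""
    import gnupg  # imported lazily so the checksum logic below runs without gpg installed
    gpg = gnupg.GPG()
    with open(signature_path, "rb") as sf:
        v = gpg.verify_file(sf, str(manifest_path))
    return check_signer(v.valid, v.fingerprint, v.status, trusted)

def parse_sha256sums(text):
    """Parse sha256sum output: '<64 hex>  <name>' (binary mode writes '<64 hex> *<name>')."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected

def check_manifest(manifest_text, artifacts):
    """Check every artifact the signed manifest lists; artifacts maps file name -> bytes."""
    checked = []
    for name, digest in parse_sha256sums(manifest_text).items():
        if name not in artifacts:
            raise ValueError(f"artifact missing: {name}")
        if sha256_hex(artifacts[name]) != digest:  # fail closed on any mismatch
            raise ValueError(f"checksum mismatch for {name}")
        checked.append(name)
    return checked
```

Call verify_manifest_signature before check_manifest; an unsigned or wrongly signed manifest must never be used to judge the artifacts.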
Sigstore and cosign
Sigstore simplifies code signing with keyless options:
Keyless signing with cosign
```bash
cosign sign myregistry.io/myapp:latest
```
Sign with identity
```bash
cosign sign \
  --identity-token $GITHUB_TOKEN \
  ghcr.io/myorg/myapp@sha256:abc123
```
Verify
```bash
cosign verify \
  --certificate-identity "developer@example.com" \
  --certificate-oidc-issuer "https://github.com/login/oauth" \
  myregistry.io/myapp:latest
```
Cosign in CI pipeline