Learn how to sign artifacts with Cosign in an OVHcloud Managed Private Registry service.
OVHcloud Managed Private Registry service, a cloud-native registry built on Harbor, allows you to store, manage, and access your container images (OCI artifacts) and Helm charts.
Artifact signing and signature verification let you check the integrity and provenance of an artifact stored in your OVHcloud Managed Private Registry before you deploy it: a consumer who verifies the signature can detect an image that was tampered with or replaced after it was signed.
Harbor v2.5+ supports Cosign, an OCI (Open Container Initiative) artifact signing and verification tool from the Sigstore project.
Compared to Notary, Cosign is simpler to use, and because Cosign stores each signature as an OCI artifact in the same repository as the image it signs, Harbor's replication feature can replicate signatures together with their associated signed artifacts.
Requirements
- an OVHcloud Managed Private Registry (version 2.6+)
- the URL and login/password of your private registry
- an image stored in your registry
This tutorial assumes that you already have a working OVHcloud Managed Private Registry (version 2.6 minimum) with a stored image and access credentials, and that you have followed the guides on creating a private registry, connecting to the UI, managing users and projects, and creating and using private images.
Instructions
Installing Cosign CLI
You can install the Cosign CLI on your computer from the release binaries, an RPM package, or Homebrew, and you can also use it directly in a GitHub Action.
For this tutorial, you will install it via Homebrew:
brew install cosign
Verify Cosign is successfully installed in your machine:
cosign version
The output should be like this:
$ cosign version
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: 2.1.1
GitCommit: baf97ccb4926ed09c8f204b537dc0ee77b60d043
GitTreeState: "clean"
BuildDate: 2023-06-27T06:57:11Z
GoVersion: go1.20.5
Compiler: gc
Platform: darwin/arm64
Generate a private key
Cosign can generate a key pair: a password-protected private key (cosign.key) that you use to sign your images, and a public key (cosign.pub) that you distribute to whoever needs to verify them. You will be interactively prompted for the password. Keep the private key out of version control; anyone holding it and its password can produce signatures that verify against your public key.
Generate a private key:
cosign generate-key-pair
The output should be like this:
$ cosign generate-key-pair
Enter password for private key:
Enter password for private key again:
Private key written to cosign.key
Public key written to cosign.pub
Sign your OCI artifact (container image)
Sign your image and push the signature to your OVHcloud Managed Private Registry instance (you must already be logged in to the registry, for example with docker login, so that Cosign can push the signature):
cosign sign --key cosign.key <harbor-instance>/<project>/<image/path>:<image-tag>
Cosign warns when you pass a tag, because a tag can be moved to a different image between signing and verification; prefer a digest reference of the form <harbor-instance>/<project>/<image/path>@sha256:<digest>, which pins exactly the manifest you reviewed. Also note that Cosign 2.x records an entry in the public Sigstore transparency log (Rekor) by default even when signing with your own key, as the "tlog entry created" line in the output shows; if you do not want that, pass --tlog-upload=false.
The output should be like this:
$ cosign sign --key cosign.key xxxxxx.c1.va1.container-registry.ovh.us/library/hello-ovh:1.0.0
Enter password for private key:
WARNING: Image reference xxxxxx.c1.va1.container-registry.ovh.us/library/hello-ovh:1.0.0 uses a tag, not a digest, to identify the image to sign.
This can lead you to sign a different image than the intended one. Please use a digest (example.com/ubuntu@sha256:abc123...) rather than tag (example.com/ubuntu:latest) for the input to cosign. The ability to refer to images by tag will be removed in a future release.

The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record. This may include the email address associated with the account with which you authenticate your contractual Agreement.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.
By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Are you sure you would like to continue? [y/N] y
tlog entry created with index: 30480064
Pushing signature to: xxxxxx.c1.va1.container-registry.ovh.us/library/hello-ovh
Verify the image is signed with Cosign
To check that your image is signed, log in to the Harbor UI of your private registry, click Projects, select your project, then the repository, and open the image: a green check mark is now shown next to the signed artifact.
Clicking that icon displays the associated Cosign signature information (the signature is stored as an accessory of the artifact, in the same repository).
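To make the tag-versus-digest warning from the signing step and the signature check from the verification step concrete, the following Python script is an added example, not OVHcloud's or Sigstore's code. It models how Cosign derives the signature's storage location (the sha256-<digest>.sig tag in the image's repository) and how the signed payload pins a manifest digest, then shows the digest check failing when the tag has been moved to another manifest. The two manifests and the repository name (taken from the tutorial's output) are constructed sample data; the ECDSA P-256 signature over the payload that the real cosign sign and cosign verify add is omitted, since the Python standard library has no ECDSA.

```python
import hashlib
import json
import re

# Added example, not OVHcloud's or Sigstore's code. It models two things
# Cosign does that the tutorial's warning is about: where the signature is
# stored, and that the signature binds a manifest digest, not a tag. The real
# ECDSA P-256 signature over the payload is omitted (stdlib has no ECDSA).

# A digest-pinned reference: <registry>/<project>/<repo>@sha256:<64 hex chars>
DIGEST_REF = re.compile(r"^(?P<repo>[^@\s]+)@sha256:(?P<hex>[0-9a-f]{64})$")

# The "type" value Cosign writes into its simple-signing payload.
PAYLOAD_TYPE = "cosign container image signature"


def is_digest_reference(ref):
    """True for ...@sha256:<hex>, False for tag references such as ...:1.0.0."""
    return DIGEST_REF.match(ref) is not None


def parse_digest_reference(ref):
    """Split a digest reference into (repository, digest hex); reject tags."""
    m = DIGEST_REF.match(ref)
    if m is None:
        raise ValueError(f"refusing a tag reference, sign by digest instead: {ref}")
    return m.group("repo"), m.group("hex")


def signature_tag(ref):
    """Cosign stores the signature as its own OCI artifact in the same
    repository, tagged sha256-<digest hex>.sig; that artifact is what Harbor
    shows as the image's signature."""
    repo, hex_digest = parse_digest_reference(ref)
    return f"{repo}:sha256-{hex_digest}.sig"


def simple_signing_payload(ref):
    """The JSON payload Cosign signs (simple signing format) for a digest ref."""
    repo, hex_digest = parse_digest_reference(ref)
    payload = {
        "critical": {
            "identity": {"docker-reference": repo},
            "image": {"docker-manifest-digest": f"sha256:{hex_digest}"},
            "type": PAYLOAD_TYPE,
        },
        "optional": None,
    }
    return json.dumps(payload, separators=(",", ":")).encode()


def payload_binds_manifest(payload_bytes, manifest_bytes, expected_repo=None):
    """The check applied after the signature over the payload is validated:
    the digest recorded in the payload must equal the digest of the manifest
    actually being pulled. If the tag was moved to another manifest after
    signing, the digests differ and verification fails."""
    actual = "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()
    critical = json.loads(payload_bytes)["critical"]
    if critical.get("type") != PAYLOAD_TYPE:
        return False
    if critical["image"]["docker-manifest-digest"] != actual:
        return False
    if expected_repo is not None and critical["identity"]["docker-reference"] != expected_repo:
        return False
    return True


# Constructed sample manifests (not real images). A registry digests the raw
# manifest bytes, which is all this example needs.
GOOD_MANIFEST = b'{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[{"digest":"sha256:1111"}]}'
MOVED_MANIFEST = b'{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[{"digest":"sha256:2222"}]}'
REPO = "xxxxxx.c1.va1.container-registry.ovh.us/library/hello-ovh"  # repository from the tutorial


def demo():
    """Sign GOOD_MANIFEST by digest, then check the payload against both manifests."""
    digest = hashlib.sha256(GOOD_MANIFEST).hexdigest()
    ref = f"{REPO}@sha256:{digest}"
    payload = simple_signing_payload(ref)
    return {
        "signature_tag": signature_tag(ref),
        "same_manifest": payload_binds_manifest(payload, GOOD_MANIFEST, REPO),
        "tag_moved": payload_binds_manifest(payload, MOVED_MANIFEST, REPO),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script reports same_manifest as True and tag_moved as False: the signature still verifies for the manifest that was signed, but not for whatever a moved tag now points at. With the real tool, the equivalent check on the command line is cosign verify --key cosign.pub against the same reference you signed.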
Go further
For more information and tutorials, please see our other Managed Private Registry support guides or explore the guides for other OVHcloud products and services.