
Verifying authenticity with image signing


In a modern software supply chain, it is essential to verify an image’s authenticity (it was created by a trusted source) and integrity (it has not been altered since it was signed). STACKIT Container Registry enables this through support for digital image signing, which provides a cryptographic guarantee of an image’s provenance.

Without image signing, organizations are vulnerable to supply chain attacks where a malicious actor could replace a legitimate image with a compromised version. Image signing mitigates this risk by attaching a digital signature to an image that can be verified at any point, most critically just before deployment.

STACKIT Container Registry supports content trust through integrations with two leading open-source signing tools:

  • Cosign: Part of the Linux Foundation’s Sigstore project, Cosign is a modern and user-friendly tool for signing and verifying OCI artifacts.
  • Notation: A project from the Notary Project (hosted by the CNCF), Notation is a CLI tool for signing and verifying OCI artifacts based on the Notary v2 specification.

The Cosign workflow uses the Cosign CLI to generate a signature and push it to the registry, where it is stored alongside the image it signs.

  1. Install Cosign and Generate a Key Pair:
    • Follow the official Cosign documentation to install the CLI.
    • Generate a public/private key pair using cosign generate-key-pair. This creates cosign.pub (public key) and cosign.key (private key).
  2. Sign the Image:
    • Ensure the image you want to sign has been pushed to STACKIT CR.
    • Use the cosign sign command, pointing to your private key and the full path to the image.
  3. Viewing the Signature:
    • In the STACKIT CR UI, navigate to the signed artifact. The signature is stored as a linked accessory artifact.

The process with Notation is similar, focusing on certificates and trust policies.

  1. Install Notation and Generate a Test Certificate:
    • Install the Notation CLI.
    • For testing, generate a self-signed key and certificate pair. In production, use a certificate from a trusted Certificate Authority (CA).
  2. Sign the Image:
    • Use the notation sign command with the full path to the image.

Verifying signatures and enforcing policies


The real security value comes from verifying signatures and enforcing policies based on them.

  • Verification: Both tools provide verify commands to check an image’s signature. With Cosign, for example, you verify against the public key (cosign.pub) that was generated alongside the signing key; verification fails if the image is unsigned, was signed with a different key, or was modified after signing.
  • Policy Enforcement: A Project Admin can configure a project to enforce content trust, which blocks any attempt to pull an image that carries no valid signature. This creates a strict security gate, ensuring only verified and authentic images can be deployed.
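The Cosign signing steps and the verification gate described above, as one added shell example (not STACKIT’s or Sigstore’s own code): it resolves the image to an immutable digest reference, signs and verifies by that digest, and wraps `cosign verify` in a deploy gate that denies on any failure. The registry host, project, image name and key file paths are assumed placeholders, and cosign is assumed installed and logged in.

```shell
#!/usr/bin/env bash
# Added example (not STACKIT's or Sigstore's own code): Cosign key-based
# sign/verify workflow plus a deploy gate that refuses unverified images.
# Assumptions: cosign is installed and logged in to the registry; the
# registry host, project, image name and key paths are placeholders.
set -eu

IMAGE="${IMAGE:-registry.example.invalid/my-project/app:1.0.0}"
PRIV_KEY="${PRIV_KEY:-cosign.key}"
PUB_KEY="${PUB_KEY:-cosign.pub}"

# Turn the signature tag that `cosign triangulate` prints
# (host/repo:sha256-<hex>.sig) into an immutable digest reference
# (host/repo@sha256:<hex>). Signing and verifying by digest means a tag
# moved between signing and deployment cannot point at a different image.
digest_ref_from_sig_tag() {
  sig_tag="$1"
  repo="${sig_tag%%:sha256-*}"
  hex="${sig_tag#*:sha256-}"
  hex="${hex%.sig}"
  printf '%s@sha256:%s\n' "$repo" "$hex"
}

# Resolve a tag reference to its digest reference using only cosign.
resolve_digest_ref() {
  digest_ref_from_sig_tag "$(cosign triangulate "$1")"
}

# Deploy gate: returns 0 only when the signature verifies against PUB_KEY.
# Unsigned, wrong-key or tampered images all fail verification and are denied.
gate_deploy() {
  ref="$1"
  if cosign verify --key "$PUB_KEY" "$ref" >/dev/null 2>&1; then
    echo "ALLOW $ref"
    return 0
  fi
  echo "DENY  $ref (signature missing or invalid)" >&2
  return 1
}

main() {
  # generate-key-pair and sign prompt for the key password unless
  # COSIGN_PASSWORD is set in the environment (as in CI).
  [ -f "$PRIV_KEY" ] || cosign generate-key-pair   # writes cosign.key, cosign.pub
  ref="$(resolve_digest_ref "$IMAGE")"
  cosign sign --key "$PRIV_KEY" "$ref"              # signature pushed to the registry
  gate_deploy "$ref"
}

# Run the live workflow only when cosign is actually available.
if command -v cosign >/dev/null 2>&1; then main; fi
```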