SLE BCI Cosign Image

Signing OCI containers using Sigstore, based on the SLE Base Container Image.

Get Image
Digest: sha256:03acb3e24de654ca544bbc4119cca6c4c5d0f982ba05d616fadad146f6605feb
Repository: registry.suse.com/suse/cosign:latest

SLE cosign

SLSA Provenance: Available

Description

Cosign aims to make signature management easy.

Cosign supports the following functionality:

  • Keyless signing with the Sigstore public good Fulcio certificate authority and Rekor transparency log (default)
  • Hardware and KMS signing
  • Signing with a Cosign-generated encrypted private/public keypair
  • Container signing, verification and storage in an OCI registry
  • Bring-your-own public key infrastructure (PKI)

Usage

Verify a container image

To verify the image, specify a certificate subject and a certificate issuer using the --certificate-identity and --certificate-oidc-issuer flags:

$ podman run registry.suse.com/suse/cosign:2.2 \
    verify $IMAGE \
    --certificate-identity=$IDENTITY \
    --certificate-oidc-issuer=$OIDC_ISSUER

You can also provide a regex for the certificate identity and issuer flags, --certificate-identity-regexp and --certificate-oidc-issuer-regexp. For more information, see Keyless verification using OpenID Connect.

Verify a container image against a public key

The verify command returns 0 if at least one cosign-formatted signature for the image is found matching the public key. See the detailed usage below for information and caveats on other signature formats.

The valid payload is printed to stdout in JSON format. Note that the signed payload includes the digest of the container image, which indicates that these detached signatures apply to the correct image.

$ podman run registry.suse.com/suse/cosign:2.2 verify --key cosign.pub $IMAGE_URI:1h
The following checks were performed on these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8"},"Type":"cosign container image signature"},"Optional":null}
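The payload's digest is only useful if it is compared with the digest you actually deploy. The following is an added example, not part of the original page or of cosign: the function names are hypothetical, the sample is the payload line shown above, and accepting a JSON array with lowercase keys is an assumption about output from other cosign versions.

```python
import json

EXPECTED_TYPE = "cosign container image signature"
PAGE_DIGEST = "sha256:87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8"

# Constructed sample: the stdout payload shown on this page.
SAMPLE_STDOUT = (
    '{"Critical":{"Identity":{"docker-reference":""},'
    + '"Image":{"Docker-manifest-digest":"' + PAGE_DIGEST + '"},'
    + '"Type":"cosign container image signature"},"Optional":null}'
)


def _lower_keys(value):
    """Recursively lowercase dict keys so either key casing parses alike."""
    if isinstance(value, dict):
        return {str(k).lower(): _lower_keys(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_lower_keys(v) for v in value]
    return value


def signed_digests(stdout_text):
    """Return the manifest digest named by each payload in verify's stdout."""
    doc = _lower_keys(json.loads(stdout_text))
    payloads = doc if isinstance(doc, list) else [doc]  # object or array
    digests = []
    for payload in payloads:
        critical = payload.get("critical") or {}
        if critical.get("type") != EXPECTED_TYPE:
            continue  # not a container image signature payload
        digest = (critical.get("image") or {}).get("docker-manifest-digest")
        if isinstance(digest, str):
            digests.append(digest)
    return digests


def payload_covers(stdout_text, pinned_digest):
    """True only if a payload names exactly the digest being deployed."""
    try:
        return pinned_digest in signed_digests(stdout_text)
    except (ValueError, TypeError, AttributeError):
        return False  # malformed or unexpected output: fail closed


if __name__ == "__main__":
    print(payload_covers(SAMPLE_STDOUT, PAGE_DIGEST))
```

Feed it only the stdout of a verify run that exited 0; the comparison complements cosign's own checks and does not replace them.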

For more use cases and information, refer to the sigstore cosign Quickstart.

Licensing

SPDX-License-Identifier: Apache-2.0

This documentation and the build recipe are licensed as Apache-2.0. The container itself contains various software components under various open source licenses listed in the associated Software Bill of Materials (SBOM).

This image is a tech preview. Do not use it for production. Your feedback is welcome. Please report any issues to the SUSE Bugzilla.

  • Image Data
    Last Built: 10 Dec 12:06 UTC
    Compressed Size: 41.7 MB
    Uncompressed Size: 122.5 MB
    Support Level: L3

  • Health Index: A
    No vulnerabilities found
    Last Scan: 2 days ago