geoserver / geoserver-cloud

Cloud Native GeoServer is GeoServer ready to use in the cloud through dockerized microservices.
http://geoserver.org/geoserver-cloud

Cosign integration. Docker images signing during CICD. #491

Closed jemacchi closed 2 months ago

jemacchi commented 2 months ago

Required to create these secrets in github actions setup:


- Cosign_key is the private key.
- Cosign_pub_key is the public one (for use in the validation process).
- Cosign_password is the password for the private key.
- Docker token and username for the dockerhub repo.

You should create your keys with `cosign generate-key-pair`. You will be challenged to set a password for the private key (that is going to be the value of your cosign_password secret). Then you will get 2 files, cosign.key and cosign.pub.

Assign those values to the secrets, and make cosign.pub public (adding it to your repo in git, so people can access it for their own validation).

Since cosign advises against signing based on tags, we are signing images based on digest. Once pulled in the repo, the signing procedure is executed and cosign adds a .sig file into the dockerhub repo, which is used for validation. If the .sig file for a digest is removed, then the image won't be recognized as signed.

You can validate images in this way: `cosign verify --key cosign.pub jemacchi/geoserver-cloud-wms:1.9-SNAPSHOT`

IMPORTANT Note: do not confuse the use of Cosign with Docker Content Trust (reference: https://snyk.io/blog/signing-container-images/ ).
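The digest-based signing described in the comment above, as an added example that is not part of this PR or the geoserver-cloud workflow. It assumes the cosign and docker CLIs are installed, that the COSIGN_KEY and COSIGN_PASSWORD secrets are exported as environment variables, and that cosign.pub is in the working directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the PR's own CI code): sign and verify only by digest.
# Assumes cosign and docker are installed and the PR's secrets are exported
# as COSIGN_KEY (cosign.key contents) and COSIGN_PASSWORD (its password).
set -eu

# Returns 0 when REF is pinned to an immutable digest (repo@sha256:<64 hex>),
# 1 for a mutable tag such as jemacchi/geoserver-cloud-wms:1.9-SNAPSHOT.
ref_is_digest() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Resolves a tag to its registry digest (assumes the image was already pulled).
resolve_digest() {
  docker inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Signs with the private key from the COSIGN_KEY secret; cosign reads the key
# password from COSIGN_PASSWORD. Refuses anything that is not a digest, so a
# retagged image can never inherit a signature.
sign_image_by_digest() {
  ref="$1"
  if ! ref_is_digest "$ref"; then
    echo "refusing to sign mutable reference: $ref" >&2
    return 1
  fi
  : "${COSIGN_KEY:?private key (cosign.key contents) not set}"
  : "${COSIGN_PASSWORD:?password for the private key not set}"
  COSIGN_PRIVATE_KEY="$COSIGN_KEY" \
    cosign sign --yes --key env://COSIGN_PRIVATE_KEY "$ref"
}

# Verification as in the comment above, but against the exact digest signed.
verify_image() {
  cosign verify --key cosign.pub "$1" >/dev/null
}

# Usage: ./sign.sh jemacchi/geoserver-cloud-wms:1.9-SNAPSHOT
# (only runs when an argument is given, so the functions can be sourced)
if [ "$#" -gt 0 ]; then
  digest_ref=$(resolve_digest "$1")
  sign_image_by_digest "$digest_ref"
  verify_image "$digest_ref"
fi
```

If the .sig for that digest is later removed from the registry, `verify_image` fails, which is the behaviour the comment describes.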