lightningnetwork / lnd

Lightning Network Daemon ⚡️
MIT License

Sign docker containers #5728

Open naveensrinivasan opened 2 years ago

naveensrinivasan commented 2 years ago

Background

Supply chain security is critical. Signing docker containers is one of the ways to ensure the image pushed to the registry is actually what was built.

https://github.com/sigstore/cosign provides a simple way to sign containers, and the signature is stored in the OCI registry along with the image as a SHA.

How to sign the container

naveensrinivasan commented 2 years ago

The right thing to do is not to have private keys (to sign) secured within any machine that could be compromised. It is a question of when and not if. The keyless option is one of the best options, https://github.com/sigstore/cosign/blob/main/KEYLESS.md, which helps in signing while keeping the private key only in memory.

This along with https://github.com/github/roadmap/issues/249 OIDC provider by GitHub should allow automated signing without storing secrets within GitHub.
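As an added example (not from this issue and not part of the lnd project's build), here is a GitHub Actions workflow that ties the two comments above together: it builds and pushes an image, signs it by digest with cosign in keyless mode using the job's GitHub OIDC token (so no signing key is stored as a repository secret), and then verifies that the signature was issued to this repository's workflow identity. The image name, the `main` branch trigger and the action versions are assumptions for illustration.

```yaml
# Added example: build, keyless-sign and verify a container image in
# GitHub Actions with cosign + GitHub OIDC. Image name and branch are
# assumed placeholders, not values from the lnd repository.
name: build-sign-verify

on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write    # push to ghcr.io
  id-token: write    # lets the job request an OIDC token for keyless signing

env:
  IMAGE: ghcr.io/${{ github.repository }}/example-image   # assumed image name

jobs:
  build-sign-verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: sigstore/cosign-installer@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # Sign by digest, not by tag: tags are mutable, digests are not.
      # No key file or secret is involved; cosign exchanges the job's OIDC
      # token for a short-lived certificate and stores the signature in the
      # registry next to the image (and logs it to the transparency log).
      - name: Sign image (keyless)
        run: cosign sign --yes "${IMAGE}@${DIGEST}"
        env:
          DIGEST: ${{ steps.build.outputs.digest }}

      # Verification pins the expected signer identity: the certificate must
      # come from GitHub's OIDC issuer and name a workflow in this repository.
      # Without these two constraints any valid Sigstore certificate would pass.
      - name: Verify signature
        run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "^https://github.com/${GITHUB_REPOSITORY}/" \
            "${IMAGE}@${DIGEST}"
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
```

The `id-token: write` permission is what makes the OIDC flow work; the job never handles a long-lived private key, which is the point of the second comment. Consumers verify with the same issuer and identity constraints, and can tighten the identity regexp to a specific workflow file path if they want to accept only images produced by one release pipeline.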

naveensrinivasan commented 2 years ago

https://security.googleblog.com/2021/09/distroless-builds-are-now-slsa-2.html