sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Audit cosign output #1452

Closed priyawadhwa closed 2 years ago

priyawadhwa commented 2 years ago

Let's make sure output is accurate and informative for GA

priyawadhwa commented 2 years ago

Checked output for the following scenarios:

cosign save

cosign sign with a keypair

```
cosign sign -key cosign.key gcr.io/priya-chainguard/test
WARNING: the flag -key is deprecated and will be removed in a future release. Please use the flag --key.
Enter password for private key:
Pushing signature to: gcr.io/priya-chainguard/test
```

cosign sign experimental

```
COSIGN_EXPERIMENTAL=1 cosign sign gcr.io/priya-chainguard/test
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=KCkO3LFfxff4nb9hSC5slWDTlmVanVP3L6BIEYyd-wQ&code_challenge_method=S256&nonce=26kyNRIp0rhUJyakmgepuscKxca&redirect_uri=http%3A%2F%2Flocalhost%3A57649%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=26kyNOFM1ZhHFy6hnuuMsIGGH43
Successfully verified SCT...
tlog entry created with index: 1764717
Pushing signature to: gcr.io/priya-chainguard/test
```

cosign verify

cosign verify

```
cosign verify --key cosign.pub gcr.io/priya-chainguard/test

Verification for gcr.io/priya-chainguard/test:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"gcr.io/priya-chainguard/test"},"image":{"docker-manifest-digest":"sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300"},"type":"cosign container image signature"},"optional":null}]
```

cosign verify - experimental

```
COSIGN_EXPERIMENTAL=1 cosign verify gcr.io/priya-chainguard/test

Verification for gcr.io/priya-chainguard/test:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
...
```

blobs

cosign sign-blob

```
cosign sign-blob --key cosign.key README.md
Using payload from: README.md
Enter password for private key:
MEUCIBnaaXp6U50mtmu1NS80D/taqOXShonXhNmRKUx9GzwHAiEAxZ9KTcv9HS54vMYnz1TooeXkmoZ6H5XCPTN3ZNlzKG8=
```

cosign verify-blob

```
cosign verify-blob --key cosign.pub --signature=MEUCIBnaaXp6U50mtmu1NS80D/taqOXShonXhNmRKUx9GzwHAiEAxZ9KTcv9HS54vMYnz1TooeXkmoZ6H5XCPTN3ZNlzKG8= README.md
Verified OK
```

cosign sign-blob - experimental

```
COSIGN_EXPERIMENTAL=1 cosign sign-blob README.md
Using payload from: README.md
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=2XVZ7Ti-eGAIjMba0kzd6K66E8vfuy6mUPNLb14e2OU&code_challenge_method=S256&nonce=26l04cdGKteN4xYL0OGevAnE1O1&redirect_uri=http%3A%2F%2Flocalhost%3A57728%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=26l04a9ycpGPsbFmTNBx3IjU9z2
Successfully verified SCT...
using ephemeral certificate:
-----BEGIN CERTIFICATE-----
MIICEzCCAZigAwIBAgIUAOi9DZxFzwp+zF/7LEp+Rdtt3+IwCgYIKoZIzj0EAwMw
KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
MjAzMjIyMDU3NTdaFw0yMjAzMjIyMTA3NTZaMAAwWTATBgcqhkjOPQIBBggqhkjO
PQMBBwNCAARX85tDVd9z79mdCqwWRrqewrUgbbzFOYd4tUIS2JKY9CeoNeF/L0DQ
8qqtw8wGxj0EA3JonD3IKOQ7GkEDQ0Z/o4HFMIHCMA4GA1UdDwEB/wQEAwIHgDAT
BgNVHSUEDDAKBggrBgEFBQcDAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSZ3495
de0jhaT1jB3WlKAsvh0hFTAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF
+jAiBgNVHREBAf8EGDAWgRRwcml5YUBjaGFpbmd1YXJkLmRldjApBgorBgEEAYO/
MAEBBBtodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20wCgYIKoZIzj0EAwMDaQAw
ZgIxAMQXSUxpsCs71wWSbSHD+Hx4wJ8pWMUPNaE3bNDUzJBa7V5VpbsWRBWDQLYY
hvEarQIxAK3qP0hFbhpRKPg7QjakFj+EAjr+BRnFwNNhDtYzm+wZMY3t5XorNoyS
DVwR2HF7Vg==
-----END CERTIFICATE-----
tlog entry created with index: 1764952
MEUCIQC4b3H8ONOdW2GWH3eHq+WCblbnQx/F/BSgDU5gWhA8+QIgcZryjj8xFcMyIeMpUbc7vW/NNsB96PHIxq2Se3WCj1A=
```
cosign verify-blob - experimental

```
COSIGN_EXPERIMENTAL=1 cosign verify-blob README.md --signature MEUCIQC4b3H8ONOdW2GWH3eHq+WCblbnQx/F/BSgDU5gWhA8+QIgcZryjj8xFcMyIeMpUbc7vW/NNsB96PHIxq2Se3WCj1A=
tlog entry verified with uuid: "29c831359845b333a015136e19613ef5e5c741fb88f8dc9cf207cd772efeee38" index: 1764952
Verified OK
```

attestations

cosign verify-attestation

```
cosign verify-attestation --key ~/chains/tekton.pub gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller:v0.8.0

Verification for gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller:v0.8.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
```

cosign attest - experimental

```
COSIGN_EXPERIMENTAL=1 cosign attest --predicate ./slsa-attestation --type slsaprovenance gcr.io/priya-chainguard/test
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=bPwrkWFi6GlxAAsTciTyZkFJs4qVdO-4JUXvP7E8l-Q&code_challenge_method=S256&nonce=26lEr5MWBdkYCGK3G6GOmTjk4RH&redirect_uri=http%3A%2F%2Flocalhost%3A58221%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=26lEqzzxbyZN9QjWzBp3G1gHMQb
Successfully verified SCT...
Using payload from: ./slsa-attestation
tlog entry created with index: 1766365
```

cosign verify-attestation - experimental

```
COSIGN_EXPERIMENTAL=1 cosign verify-attestation gcr.io/priya-chainguard/test

Verification for gcr.io/priya-chainguard/test --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
Certificate subject:  priya@chainguard.dev
Certificate issuer URL:  https://accounts.google.com
```

cosign tree

```
cosign tree gcr.io/priya-chainguard/test
📦 Supply Chain Security Related artifacts for an image: gcr.io/priya-chainguard/test
└── 🔐 Signatures for an image tag: gcr.io/priya-chainguard/test:sha256-21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300.sig
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   ├── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
   └── 🍒 sha256:6ff6404a43835dbee93b888af949ad8f92a7a6194b77f8b4c3e268484ed12a50
└── 📦 SBOMs for an image tag: gcr.io/priya-chainguard/test:sha256-21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300.sbom
└── 💾 Attestations for an image tag: gcr.io/priya-chainguard/test:sha256-21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300.att
   ├── 🍒 sha256:308fd4ac7e6012cfdc57971feee43f389e3c4d1cabb8677ae0a97d936461a26c
   └── 🍒 sha256:31615cc85c73843f031a2ce61231611fd36ac71dc4d1240243e7b6d440640034
```

cosign initialize

```
cosign initialize
Root status:
{
	"local": "/Users/priyawadhwa/.sigstore/root",
	"remote": "sigstore-tuf-root",
	"expiration": {
		"root.json": "11 May 22 19:09 UTC",
		"snapshot.json": "05 Apr 22 00:48 UTC",
		"targets.json": "11 May 22 19:10 UTC",
		"timestamp.json": "05 Apr 22 00:48 UTC"
	},
	"targets": [
		"artifact.pub",
		"ctfe.pub",
		"fulcio.crt.pem",
		"fulcio_v1.crt.pem",
		"rekor.pub"
	]
}
```

other commands
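The key-pair flows audited in the comment above (`cosign sign --key` / `cosign verify --key` on an image and `cosign sign-blob --key` / `cosign verify-blob --key` on a file) reduce to a small amount of crypto and one claims check, which the CLI output does not make visible. The following is an added example, written for this page and not code from the cosign project, that reproduces those steps with the Go standard library: it builds the same simple-signing payload that `cosign verify` printed, signs SHA-256 of the payload with ECDSA P-256 and emits the signature as base64 DER (the form `sign-blob` printed), verifies it from a PKIX `PUBLIC KEY` PEM like `cosign.pub`, and then performs the "cosign claims were validated" step by checking that the signed digest is the digest you intend to run. Assumptions: a freshly generated P-256 key stands in for `cosign.key` (cosign's encrypted private-key PEM format is not reproduced); the reference and digest are taken from the issue's own output; the optional `docker-reference` comparison in `VerifyImageClaims` is this example's addition, cosign's default claims check is on the manifest digest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// SimpleSigning is the payload shape that `cosign verify` printed in the issue.
type SimpleSigning struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"` // nil marshals as "optional":null
}

// NewPayload builds the simple-signing payload for an image reference and manifest digest.
func NewPayload(ref, digest string) ([]byte, error) {
	var p SimpleSigning
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature"
	return json.Marshal(p)
}

// SignBlob: ECDSA P-256 over SHA-256(payload), ASN.1 DER, base64 (what sign-blob printed).
func SignBlob(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	h := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// VerifyBlob decodes the base64 DER signature and checks it against SHA-256(payload).
func VerifyBlob(pub *ecdsa.PublicKey, payload []byte, sigB64 string) error {
	der, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature is not base64: %w", err)
	}
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], der) {
		return errors.New("signature does not verify against the public key")
	}
	return nil
}

// VerifyImageClaims is the claims step: a valid signature over *some* payload is not enough,
// the payload must name the digest we are about to run. The wantRef check is an addition
// (hypothetical policy); cosign's default claim check is the digest.
func VerifyImageClaims(payload []byte, wantRef, wantDigest string) error {
	var p SimpleSigning
	if err := json.Unmarshal(payload, &p); err != nil {
		return fmt.Errorf("payload is not simple-signing JSON: %w", err)
	}
	if got := p.Critical.Image.DockerManifestDigest; got != wantDigest {
		return fmt.Errorf("digest claim mismatch: signed %q, want %q", got, wantDigest)
	}
	if got := p.Critical.Identity.DockerReference; wantRef != "" && got != wantRef {
		return fmt.Errorf("identity claim mismatch: signed %q, want %q", got, wantRef)
	}
	return nil
}

// PublicKeyPEM and LoadPublicKeyPEM round-trip the PKIX "PUBLIC KEY" PEM that cosign.pub uses.
func PublicKeyPEM(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func LoadPublicKeyPEM(data []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("key is not ECDSA")
	}
	return pub, nil
}

func main() {
	// Constructed sample: reference and digest copied from the issue's verify output.
	ref := "gcr.io/priya-chainguard/test"
	digest := "sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for cosign.key
	if err != nil {
		panic(err)
	}
	payload, _ := NewPayload(ref, digest)
	sig, _ := SignBlob(priv, payload)
	pemBytes, _ := PublicKeyPEM(&priv.PublicKey)
	pub, _ := LoadPublicKeyPEM(pemBytes)
	fmt.Println("signature:", sig)
	fmt.Println("verify-blob:", VerifyBlob(pub, payload, sig))
	fmt.Println("claims:", VerifyImageClaims(payload, ref, digest))
	fmt.Println("wrong digest:", VerifyImageClaims(payload, ref, "sha256:0000"))
}
```

The point worth keeping in mind when reading the CLI output: "The signatures were verified against the specified public key" and "The cosign claims were validated" are two separate checks, and only the second ties the signature to the image actually being pulled. A signature that verifies cryptographically but whose payload names a different digest must still be rejected, which is what the last `VerifyImageClaims` call in `main` demonstrates.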

priyawadhwa commented 2 years ago

TODOs: