sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

How to run cosign in docker container from Dockerfile #2329

Closed S0b1t closed 1 year ago

S0b1t commented 1 year ago

Hi!

I am new to Harbor, there is a Dockerfile in the project repository. From this Dockerfile, I built a cosign image with the command:

docker build -t cosign:v1.0.0 .

and then I ran the image with the command:

docker run -d --name cosign-harbor --net harbor_harbor cosign:v1.0.0

The container didn't run. Did I do something wrong? How do I run cosign in a docker container from a Dockerfile?

The second question is: after running the docker container, how should I run the commands cosign sign --key and cosign verify --key? Like giving the command from inside the docker container, or something like that?

znewman01 commented 1 year ago

Sorry we're just now getting to this! Why are you trying to run Cosign inside of Docker? We'd typically recommend that you install it on your local machine: https://docs.sigstore.dev/cosign/installation/

I am new to Harbor, there is a Dockerfile in the project repository.

Which Dockerfile are you referring to? There's no Dockerfile in the Cosign repository, or in the root for https://github.com/goharbor/harbor


For quick, one-off questions like this, I recommend the Sigstore Slack—we'll be much more responsive. Sorry again!

S0b1t commented 1 year ago

Hi! Thanks for the response!

It was helpful: https://docs.sigstore.dev/cosign/installation/

I configured it on my local VM!

yiakwy commented 1 year ago

@znewman01 Hi, I just ran into this issue when I try to cosign the image inside docker:

#!/usr/bin/env bash

# Build a minimal image that carries only the cosign binary, read as an
# inline Dockerfile from stdin ("-<<EOF").
install_cosign() {
    docker build -t cosign-test --no-cache \
    --build-arg USER_UID=`id -u` \
    --build-arg USER_GID=`id -g` \
    --build-arg USER_NAME=`id -un` -<<EOF
FROM yiakwy/cosign:v1.13.0 as cosign-bin

# Source: https://github.com/chainguard-images/static
FROM cgr.dev/chainguard/static:latest
COPY --from=cosign-bin /ko-app/cosign /usr/local/bin/cosign
ENTRYPOINT [ "cosign" ]
EOF
}

# True when the given image tag already exists locally.
exist() {
   local tag=$1
   [[ "$(docker image inspect $tag 2> /dev/null)" != "" ]]
}

# Generate cosign.key / cosign.pub into the current directory (mounted as /home/root).
create_cosign_key() {
    local cosign_user=root
    set -x
    docker run -it --privileged --ulimit memlock=-1:-1 --net=host --cap-add=IPC_LOCK --ipc=host -v $(readlink -f `pwd`):/home/$cosign_user -u $cosign_user --rm --workdir /home/$cosign_user cosign-test:latest generate-key-pair --output-file /home/$cosign_user/cosign.log
    set +x
}

# Sign the image reference(s) passed as arguments with the generated key.
cosignit() {
    local cosign_user=root
    set -x
    docker run -it --privileged --ulimit memlock=-1:-1 --net=host --cap-add=IPC_LOCK --ipc=host -v $(readlink -f `pwd`):/home/$cosign_user -u $cosign_user --rm --workdir /home/$cosign_user cosign-test:latest sign --key cosign.key "$@" --allow-insecure-registry --upload=false --output-file /home/$cosign_user/cosign.log
    set +x
}

main() {
    exist cosign-test:latest || (echo "install cosign ..." && install_cosign)
    cosignit "$@"
}

main "$@"

The cosign key can be generated correctly on the host from the docker container. But the docker container has trouble signing with it. I tried cosign login; it doesn't seem verbose, and the only feedback is

auth.go:191: logged in via /root/.docker/config.json

So I cannot tell whether there is a network problem.

But when I sign with the generated cosign key with `upload=true`, I get an UNAUTHORIZED error.
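An added example, not code from the thread or from the cosign project, showing the two things a containerised cosign needs that the script above does not give it: the host's registry credentials mounted into the container (a `cosign login` inside a `--rm` container writes to a config.json that disappears with the container, so every later `sign` run starts unauthenticated), and a writable HOME, with none of the `--privileged`/`--cap-add`/`--net=host`/`--ipc=host` flags, which cosign does not need. It assumes the `cosign-test:latest` image built above, a `docker login` already done on the host, and a `cosign.key` in the current directory.

```shell
#!/usr/bin/env bash
# Run cosign from a container with host registry credentials and least privilege.
# Assumptions (not from the original post): image tag cosign-test:latest,
# credentials in $DOCKER_CONFIG (default $HOME/.docker) written by 'docker login'.
set -eu

COSIGN_IMAGE="${COSIGN_IMAGE:-cosign-test:latest}"

# Returns 0 when $1/config.json exists and stores credentials inline.
# A "credsStore"/"credHelpers" entry means the host delegates to a helper
# binary that does not exist inside the static cosign image, so registry
# calls from the container would come back UNAUTHORIZED.
check_docker_config() {
    cfg="$1/config.json"
    if [ ! -r "$cfg" ]; then
        echo "no readable $cfg; run 'docker login' on the host first" >&2
        return 1
    fi
    if grep -Eq '"(credsStore|credHelpers)"' "$cfg"; then
        echo "$cfg uses a credential helper; the container cannot call it" >&2
        return 1
    fi
    return 0
}

# Invoke cosign in the container. $DOCKER is overridable (e.g. DOCKER=echo)
# so the composed command line can be inspected without a Docker daemon.
# Deliberately absent: --privileged, --cap-add, --net=host, --ipc=host;
# cosign only needs outbound network access and the two mounts below.
run_cosign() {
    docker_cfg="${DOCKER_CONFIG:-$HOME/.docker}"
    "${DOCKER:-docker}" run --rm -i \
        --user "$(id -u):$(id -g)" \
        -v "$(pwd -P):/work" -w /work \
        -e HOME=/work \
        -v "$docker_cfg:/run/docker-config:ro" \
        -e DOCKER_CONFIG=/run/docker-config \
        "$COSIGN_IMAGE" "$@"
}

# Usage: ./cosign-in-docker.sh sign --key cosign.key REGISTRY/IMAGE:TAG
if [ "$#" -gt 0 ]; then
    check_docker_config "${DOCKER_CONFIG:-$HOME/.docker}"
    run_cosign "$@"
fi
```

HOME is pointed at the writable work mount because cosign keeps its cache under $HOME; the credentials mount stays read-only, so do `docker login` on the host rather than inside the container.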