Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: move cosign doc to website #1168

Merged
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
147 changes: 1 addition & 146 deletions plugins/verifier/cosign/README.md
Original file line number Diff line number Diff line change
@@ -1,146 +1 @@
# Cosign Verifier

This README outlines how this validation framework can be used to verify signatures generated using [cosign](https://github.com/sigstore/cosign/). The verifier is added as a plugin to the framework that uses [cosign](https://github.com/sigstore/cosign/) packages to invoke the verification of an image. Cosign verifier works with remote registry that can provide cosign related artifacts linked as specially formatted tag to the subject artifact. It also is compatible with OCI 1.1 supported Cosign which pushes the signature OCI Image as a referrer to the subject image. (Note: this is currently experimental for cosign) It works only with [oras](../../pkg/referrerstore/oras) referrer store plugin that uses the OCI registry API to discover and fetch the artifacts.

## Fallback in OCIRegistry store
A configuration flag called `cosignEnabled` is introduced to the plugin configuration. If this flag is enabled, the `ListReferrers` API will attempt to query for the cosign signatures for a subject in addition to the references queried using `referrers API`. If `cosignEnabled` is `false`, then only OCI 1.1 compatible Cosign signatures will be considered. All the cosign signatures are returned as the reference artifacts with the artifact type `application/vnd.dev.cosign.artifact.sig.v1+json` This option will enable to verify cosign signatures against any registry including the ones that don't support the [notaryproject](https://github.com/notaryproject)'s `referrers` API.

# Signing
Please refer cosign documentation on how to sign an image using cosign using [key-pair based signatures]((https://github.com/sigstore/cosign/blob/main/USAGE.md) and [keyless signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md).

# Verification

## Key-pair based verification
This section outlines how to use `ratify` to verify the signatures signed using key pairs.

Following is an example `ratify` config with cosign verifier. Please note the `key` refers to the public key generated by `cosign generate-key-pair` command. It is used to verify the signature signed by cosign.

### Configuration

```json
{
"store": {
"version": "1.0.0",
"plugins": [
{
"name": "oras",
"cosignEnabled": true
}
]
},
"policy": {
"version": "1.0.0",
"plugin": {
"name": "configPolicy",
"artifactVerificationPolicies": {
"application/vnd.dev.cosign.artifact.sig.v1+json": "any"
}
}
},
"verifier": {
"version": "1.0.0",
"plugins": [
{
"name":"cosign",
"artifactTypes": "application/vnd.dev.cosign.artifact.sig.v1+json",
"key": "/path/to/cosign.pub"
}
]
}
}
```

### Usage

```bash
$ ratify verify --config ~/.ratify/config.json --subject myregistry.io/example/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
{
"isSuccess": true,
"verifierReports": [
{
"subject": "myregistry.io/example/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4",
"isSuccess": true,
"name": "cosign",
"message": "cosign verification success. valid signatures found",
"artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json"
}
]
}
```

## Keyless Verification
This section outlines how to use `ratify` to verify the signatures signed using keyless signatures.

> [!WARNING]
> Cosign keyless verification may result in verification timeout due to Fulcio and Rekor server latencies

### Configuration

```json
{
"store": {
"version": "1.0.0",
"plugins": [
{
"name": "oras",
"cosignEnabled": true
}
]
},
"policy": {
"version": "1.0.0",
"plugin": {
"name": "configPolicy",
"artifactVerificationPolicies": {
"application/vnd.dev.cosign.artifact.sig.v1+json": "any"
}
}
},
"verifier": {
"version": "1.0.0",
"plugins": [
{
"name":"cosign",
"artifactTypes": "application/vnd.dev.cosign.artifact.sig.v1+json",
}
]
}
}
```

Please note that the `key` is not specified in the config. This is because the keyless verification uses ephemeral keys and certificates, which are signed automatically by the [fulcio](https://github.com/sigstore/fulcio) root CA. Signatures are stored in the [Rekor](https://github.com/sigstore/rekor) transparency log, which automatically provides an attestation as to when the signature was created.

Default Rekor transparency log URL is `https://rekor.sigstore.dev`. If using a custom Rekor transparency log instance, you can customize the Rekor URL using the `rekorURL` field.
Note: If `rekorURL` is not provided, transparency log verification is skipped.

```json
...
"verifier": {
"version": "1.0.0",
"plugins": [
{
"name":"cosign",
"artifactTypes": "application/vnd.dev.cosign.artifact.sig.v1+json",
"rekorURL": "https://rekor.sigstore.dev"
}
]
}
```

### Usage

```bash
$ ratify verify --config ~/.ratify/config.json --subject myregistry.io/example/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
{
"isSuccess": true,
"verifierReports": [
{
"subject": "myregistry.io/example/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4",
"isSuccess": true,
"name": "cosign",
"message": "cosign verification success. valid signatures found",
"artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json"
}
]
}
```
This document has been moved to https://ratify.dev/docs/1.0/external%20plugins/Verifier/cosign
Loading