SIGSTORE-COSIGN
Sigstore Cosign keyless OIDC container signing.
Définition
Cosign workflow keyless : (1) Build CI workflow obtains OIDC token (GitHub Actions workflow OIDC token via id-token: write permission, GoogleCloudBuild workload identity, etc.). (2) Cosign sign command : envoie OIDC token + signature ephemeral key vers Fulcio Certificate Authority Sigstore. (3) Fulcio CA issues short-lived X509 certificate (10-minute validity) binding ephemeral key to OIDC identity (e.g., 'github-actions://kubernetes/kubernetes@main'). (4) Cosign signs OCI image digest via ephemeral key + certificate. (5) Cosign uploads signature + certificate to Rekor transparency log (immutable append-only Sigstore-hosted Merkle tree). (6) Signature + certificate attached to OCI image via OCI registry referrers API. Verification : cosign verify command queries Rekor for signature + verifies via Fulcio root CA cert + verifies OIDC issuer matches expected identity. Tools : cosign CLI, sigstore-go library, sigstore-python, cosign Helm chart, Kyverno admission controller verify, Kubernetes admission webhooks integration. Key-based legacy mode (cosign generate-key-pair) still supported.
Origine
Sigstore announce mars 2021 par Linux Foundation + Red Hat + Google + Purdue University ; Cosign initial release 2021 ; Sigstore CNCF Sandbox 2022 + Incubating 2023 ; ~90% supply chain signing adoption OSS 2024.
Exemple en contexte
Kubernetes release v1.30.0 build via Prow CI : cosign sign --identity-token (GitHub OIDC) container images kubernetes/kube-apiserver:v1.30.0 keyless, Fulcio issues cert binding 'github-actions://kubernetes-release-bot@main', Rekor log entry uuid; end users verify cosign verify --certificate-identity 'github-actions://...' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'.
Termes liés
- Sigstore Fulcio — Certificate Authority.