Initial local setup
Before you can use Cosign, you must complete local setup.
Install Cosign CLI
To begin signing and verifying images, install the Cosign CLI tool on your local machine. Detailed setup instructions for various operating systems can be found in the official Sigstore Cosign Installation Guide.
Configure CA certificates
You can skip this section and move on to Sign images that MKE can trust, if:
Your CA certificate is issued by a well-know root CA.
Your MSR is installed on the local machine and is configured as an insecure registry, although this is mostly a development and test configuration.
If the MSR is configured with a self-signed CA certificate, you must configure
the machine that runs the cosign or docker commands to trust the CA ,
certificate as detailed below.
Caution
If your remote MSR is configured as an insecure registry (using self-signed
certificates or plain HTTP), you must explicitly configure the Cosign client
to allow the connection. Cosign can respect the insecure-registries settings
defined in your Docker daemon.json file.
Alternatively, if you add the self-signed MSR CA certificate directly to
your operating system’s trusted root certificate store, the host will be
marked as secure and Cosign will communicate with it automatically without
requiring any extra insecure registry flags or daemon.json
configuration.
To configure your machine to trust a self-signed CA:
Create a certificate directory for the MSR host in the Docker configuration directory:
export MSR=<registry-hostname> mkdir -p ~/.docker/certs.d/${MSR}
Download the MSR CA certificate into the newly created directory:
curl -ks https://$MSR/ca > ~/.docker/certs.d/${MSR}/ca.crt
Restart the Docker daemon.
Verify that you do not receive certificate errors when accessing MSR using the Docker CLI by running
docker login ${MSR}.Create a symlink between the
certs.dandtlsdirectories:ln -s certs.d ~/.docker/tls
To configure your machine to trust a self-signed CA for Cosign CLI:
Download the MSR CA certificate into the host’s certificate directory:
export MSR=<registry-hostname> curl -ks https://$MSR/ca > /usr/local/share/ca-certificates/msr-ca.crt
Update the certificates:
$ sudo update-ca-certificates
Log in to MSR using the Docker CLI or the Cosign CLI:
Docker CLI:
$ docker login <MSR_URL> -u <username> -p <password>
Cosign CLI:
$ cosign login <MSR_URL> -u <username> -p <password>