Initial local setup

Before you can use Cosign, you must complete local setup.

Install Cosign CLI

To begin signing and verifying images, install the Cosign CLI tool on your local machine. Detailed setup instructions for various operating systems can be found in the official Sigstore Cosign Installation Guide.

Configure CA certificates

You can skip this section and move on to Sign images that MKE can trust, if:

  • Your CA certificate is issued by a well-know root CA.

  • Your MSR is installed on the local machine and is configured as an insecure registry, although this is mostly a development and test configuration.

If the MSR is configured with a self-signed CA certificate, you must configure the machine that runs the cosign or docker commands to trust the CA , certificate as detailed below.

Caution

If your remote MSR is configured as an insecure registry (using self-signed certificates or plain HTTP), you must explicitly configure the Cosign client to allow the connection. Cosign can respect the insecure-registries settings defined in your Docker daemon.json file.

Alternatively, if you add the self-signed MSR CA certificate directly to your operating system’s trusted root certificate store, the host will be marked as secure and Cosign will communicate with it automatically without requiring any extra insecure registry flags or daemon.json configuration.

To configure your machine to trust a self-signed CA:

  1. Create a certificate directory for the MSR host in the Docker configuration directory:

    export MSR=<registry-hostname>
    mkdir -p ~/.docker/certs.d/${MSR}
    
  2. Download the MSR CA certificate into the newly created directory:

    curl -ks https://$MSR/ca > ~/.docker/certs.d/${MSR}/ca.crt
    
  3. Restart the Docker daemon.

  4. Verify that you do not receive certificate errors when accessing MSR using the Docker CLI by running docker login ${MSR}.

  5. Create a symlink between the certs.d and tls directories:

    ln -s certs.d ~/.docker/tls
    

To configure your machine to trust a self-signed CA for Cosign CLI:

  1. Download the MSR CA certificate into the host’s certificate directory:

    export MSR=<registry-hostname>
    curl -ks https://$MSR/ca > /usr/local/share/ca-certificates/msr-ca.crt
    
  2. Update the certificates:

    $ sudo update-ca-certificates
    

Log in to MSR using the Docker CLI or the Cosign CLI:

  • Docker CLI:

    $ docker login <MSR_URL> -u <username> -p <password>
    
  • Cosign CLI:

    $ cosign login <MSR_URL> -u <username> -p <password>