Signing Artifacts with Cosign

Artifact signing and signature verification are essential security measures that ensure the integrity and authenticity of artifacts. MSR facilitates content trust through integrations with Cosign. This guide provides detailed instructions on utilizing Cosign to sign your artifacts within MSR.

Note

Project administrators can enforce content trust, requiring all artifacts to be signed before they can be pulled from an MSR registry.

Using Cosign to Sign Artifacts

MSR integrates support for Cosign, an OCI artifact signing and verification solution that is part of the Sigstore project. Cosign signs OCI artifacts and uploads the generated signature to MSR, where it is stored as an artifact accessory alongside the signed artifact. MSR manages the link between the signed artifact and its Cosign signature, allowing the application of tag retention and immutability rules to both the artifact and its signature.

Key Features of Cosign Integration in MSR:

  • Signature Management: MSR treats Cosign signatures as artifact accessories, enabling consistent management alongside the signed artifacts.

  • Replication Support: MSR’s replication capabilities extend to signatures, ensuring that both artifacts and their associated signatures are replicated together.

    Limitations:

    • Vulnerability scans of Cosign signatures are not supported.

    • Only manual and scheduled replication trigger modes are applicable; event-based replication is currently unsupported.

Prerequisites

  1. Install Cosign: Ensure that Cosign is installed on your local machine. Refer to the Cosign documentation for installation instructions.

  2. Generate a Key Pair: Create a Cosign key pair. The private key (cosign.key in the commands below) is used to sign artifacts, and the matching public key is used to verify them.

Signing and Uploading Artifacts with Cosign

  1. Log in to MSR: Authenticate with your MSR instance using the Docker client:

    docker login <MSR-instance>
    

    Replace <MSR-instance> with the URL of your MSR registry.

  2. Tag the Image: Tag the local image to match the MSR repository format:

    docker tag <local-image> <MSR-instance>/<project>/<repository>:<tag>
    

    Replace <local-image>, <project>, <repository>, and <tag> with your specific details.

  3. Push the Image to MSR:

    docker push <MSR-instance>/<project>/<repository>:<tag>

  4. Sign the Image with Cosign:

    cosign sign --key cosign.key <MSR-instance>/<project>/<repository>:<tag>
    

    You will be prompted to enter the password for your Cosign private key.
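As an added example (not part of the MSR documentation or of Cosign's own code), the following Python shows what the signature accessory created in step 4 consists of and the checks a verifier performs before trusting the signature bytes: the accessory tag is derived from the image's manifest digest, and the signed payload is bound to that digest rather than to the tag, which is why retagging does not invalidate it. The registry name msr.example.com, the sample digests and the signature bytes are constructed; the ECDSA signature itself is checked by cosign verify, not here.

```python
import base64
import hashlib
import json

SIMPLE_SIGNING = "application/vnd.dev.cosign.simplesigning.v1+json"
SIG_ANNOTATION = "dev.cosignproject.cosign/signature"

def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def signature_tag(manifest_digest: str) -> str:
    """Tag of the signature accessory: 'sha256:<hex>' -> 'sha256-<hex>.sig' (Cosign convention)."""
    algo, _, hexdigest = manifest_digest.partition(":")
    if algo != "sha256" or len(hexdigest) != 64:
        raise ValueError(f"unexpected digest format: {manifest_digest}")
    return f"{algo}-{hexdigest}.sig"

def simple_signing_payload(reference: str, manifest_digest: str) -> bytes:
    """The JSON Cosign actually signs; it is bound to the manifest digest, not the tag."""
    payload = {"critical": {"identity": {"docker-reference": reference},
                            "image": {"docker-manifest-digest": manifest_digest},
                            "type": "cosign container image signature"},
               "optional": None}
    return json.dumps(payload, separators=(",", ":")).encode()

def extract_signed_payload(sig_manifest: dict, blobs: dict, image_digest: str):
    """Walk a signature manifest (as stored as an accessory) and return (payload, signature bytes)
    for each layer whose blob is intact and bound to image_digest. Layers failing either check
    are skipped; only the survivors are worth handing to the cryptographic verification."""
    results = []
    for layer in sig_manifest.get("layers", []):
        if layer.get("mediaType") != SIMPLE_SIGNING:
            continue
        blob = blobs.get(layer["digest"])
        if blob is None or sha256_digest(blob) != layer["digest"]:
            continue  # payload missing or altered: content address no longer matches
        doc = json.loads(blob)
        if doc.get("critical", {}).get("image", {}).get("docker-manifest-digest") != image_digest:
            continue  # signature was made over a different image
        sig = layer.get("annotations", {}).get(SIG_ANNOTATION)
        if sig:
            results.append((blob, base64.b64decode(sig)))
    return results

# Constructed sample data (no real registry involved); digests are derived from placeholder bytes.
IMAGE_DIGEST = sha256_digest(b"constructed image manifest")
PAYLOAD = simple_signing_payload("msr.example.com/project/repo", IMAGE_DIGEST)
SIG_MANIFEST = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json",
                "layers": [{"mediaType": SIMPLE_SIGNING, "digest": sha256_digest(PAYLOAD),
                            "size": len(PAYLOAD),
                            "annotations": {SIG_ANNOTATION: base64.b64encode(b"fake-sig").decode()}}]}
```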

Viewing Cosign Signatures in MSR

  1. Access the MSR Interface: Log in to the MSR web interface.

  2. Navigate to the Project: Select the project containing the signed artifact.

  3. Locate the Artifact: Find the specific artifact in the repository list.

  4. Expand Accessories: Click the “>” icon next to the artifact to display the Accessories table, which lists all associated Cosign signatures.

Deleting Cosign Signatures

Individual Deletion:

  1. In the MSR interface, navigate to the project and locate the artifact.

  2. Expand the Accessories table.

  3. Click the three vertical dots next to the signature and select “Delete.”