Signing artifacts with Cosign

Cloudsmith integrates with Cosign, an OCI artifact signing and verification solution which is part of the SigStore project.

Cosign supports container signing, verification and storage in an OCI registry.

In the examples below we will use the following identifiers:

IdentifierDescription
OWNERYour Cloudsmith account name or organization name (namespace)
REGISTRYYour Cloudsmith Repository name (also called "slug")
IMAGE_NAMEThe name of your Docker image
TAGA tag for your Docker image
SBOMAn SBOM in a standard format supported by cosign, SPDX, SWID, Cyclone DX
cosign.keycosign private key, cosign.key
cosign.pubcosign public key, cosign.pub

Build and Push an image to Cloudsmith

Follow the instructions here to push an image to Cloudsmith.

Sign your image

Cosign signs OCI artifacts and pushes the generated signature into Cloudsmith. Cloudsmith hosts this signature as an artifact alongside the signed artifact.

First, follow cosign's instructions here to install cosign and generate a keypair.

To sign an image that is hosted in Cloudsmith:

cosign sign --key cosign.key docker.cloudsmith.io/OWNER/REGISTRY/IMAGE_NAME:TAG

To verify the image

To verify the image, you need the public key (which can be generated from the private key).

cosign verify --key cosign.pub docker.cloudsmith.io/OWNER/REGISTRY/IMAGE_NAME:TAG | jq . 

The image signature created using cosign can be viewed on Cloudsmith by selecting the docker image and going to the Info tab. The signature will be listed as SIG under cosign manifests.

Attach an Attribution

Cosign also has built-in support for in-toto attestations.

An in-toto attestation is authenticated metadata about one or more software artifacts, as per the SLSA Attestation Model. The in-toto spec is described here.

You can create and sign an in-toto attestation from a local predicate file using the following command:

cosign attest --predicate <file> --key cosign.key <image>

To verify:

cosign verify-attestation --key cosign.pub <image>

Attributions attached to an image using cosign can be viewed on Cloudsmith by selecting the docker image and going to the Info tab. The signature will be listed as ATT under cosign manifests

Software Bill of Materials (SBOM)

The SBOM lists all components, including licenses and dependencies contained in a software product and other data, including checksums. SBOMs can be used to identify all your software components and improve supply chain security.

An SBOM in a known format like SPDX or CycloneDX can help drive automation and trigger security alerts. The end-user of software can use the SBOM to perform vulnerability and license analysis of their software packages which can help to evaluate risk in a software product.

You can host your SBOM alongside your image in Cloudsmith using sigstore/cosign tooling.

SBOM generation

You can generate an SBOM using tooling like syft, or [trivy's SBOM generator] (https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/sbom/).

syft docker.cloudsmith.io/OWNER/REGISTRY/IMAGE_NAME:TAG -o json > ./sbom.json
trivy sbom --output sbom.json --format cyclonedx docker.cloudsmith.io/OWNER/REGISTRY/IMAGE_NAME:TAG

Attach an SBOM as an Attribution

To host an SBOM alongside your image, you can attach an attribution with the SBOM as the predicate.

cosign attest -predicate ./sbom.json -key ./cosign.key cosign.key docker.cloudsmith.io/OWNER/REGISTRY/IMAGE_NAME:TAG
cosign verify-attestation cosign.key docker.cloudsmith.io/OWNER/REGISTRY/IMAGE_NAME:TAG --key ./cosign.pub > ./attestation_output 

And to extract the SBOM from an attestation:
The SBOM extraction specifically works for a SBOM generated using the syft command above.

cat ./attestation_output | jq --slurp --compact-output 'map(.payload | @base64d | fromjson | .predicate.Data | fromjson | select(.descriptor.name == "syft")) | first' > ./sbom.syft.json

SBOM

You can also attach an unsigned SBOM:

cosign attach sbom docker.cloudsmith.io/OWNER/REGISTRY/IMAGE_NAME:TAG
cosign download sbom --output-file sbom.json docker.cloudsmith.io/OWNER/REGISTRY/IMAGE_NAME:TAG

📘

Attaching SBOMs using 'cosign attach sbom' does not sign them and you will get warnings 'Downloading SBOMs this way does not ensure its authenticity'. If you want to sign the SBOM, you can use the commands above to add the SBOM as an in-toto attestation.

SBOMs attached to an image using cosign can be viewed on Cloudsmith by selecting the docker image and going to the Info tab. The signature will be listed as SBOM under cosign manifests.


Cloudsmith is the new standard in Package / Artifact Management and Software Distribution

With support for all major package formats, you can trust us to manage your software supply chain.


Start My Free Trial Now
Cookie Declaration (Manage Cookies)