Signing Keys
Cloudsmith uses GPG or RSA signatures (where applicable) in addition to package checksums to detect tampering.
We calculate a signature for every file that is uploaded, but only some of the package formats make it available or use it. Only some of the formats also offer metadata signing.
For increased trust, you can also provide your own GPG key or RSA key for signing.
Key Support by Package Format
| Package Format | Key Type | Key Use |
|---|---|---|
| Alpine | RSA | Index |
| Cargo | Not Supported by Format | |
| CocoaPods | Not Supported by Format | |
| Composer | GPG | |
| Conan | Not Supported by Format | |
| CRAN | ||
| Dart | Not Supported by Format | |
| Debian | GPG | Index |
| Docker | RSA | Index |
| Go | ||
| Gradle | GPG | Index Packages |
| Helm Charts | GPG | |
| LuaRocks | ||
| Maven | GPG | Index Packages |
| npm | GPG | |
| NuGet | ||
| Python | GPG | |
| Raw | GPG | |
| RPM | GPG | Index Packages |
| Ruby | GPG | |
| sbt | GPG | Index Packages |
| Terraform Modules | Not Supported by Format | |
| Unity Registry | GPG | |
| Vagrant | GPG |
Docker and Cosign
Early Access
Automatic signing of Docker images on image upload is currently in early Access. If you would like to enable this feature please Contact Us.
When a Docker image is uploaded to a repository, Cloudsmith automatically generates a Cosign signature using the repository’s ECDSA private key. Customers can download the corresponding ECDSA public key to verify the specific image, as below:
docker push docker.cloudsmith.io/<org>/<repo>/alpine:<sha256-checksum>
cosign verify --private-infrastructure=true --key public-ecdsa-key.key docker.cloudsmith.io/<org>/<repo>/alpine:<sha256-checksum>
Docker image verification
Cloudsmith does not log to Rekor when generating signatures on image upload. When verifying these using
cosign verifypass--private-infrastructure=trueto prevent cosign querying the Rekor log.
As docker images within Cloudsmith are predominantly private, when a cosign signature is automatically generated on image upload, Cloudsmith does not add any data to the Rekor log . The Rekor log contains a record of image names and corresponding public keys, and is used to enable software maintainers to record signed metadata, and for verifiers to monitor and query the log for an appropriate identity. When using cosign verify to verify cosign signatures generated by Cloudsmith, pass --private-infrastructure=true to ensure cosign does not query the Rekor log. If this parameter is not passed, the following warning will be displayed:
WARNING: "docker.cloudsmith.io/<org>/<repo>/alpine:<sha256-checksum> appears to be a private repository, please confirm uploading to the transparency log at "https://rekor.sigstore.dev"
Please note customers who create their own signatures using the cosign sign command, will be asked if they wish to upload a transparency log to Rekor.
Supported Keys
If a key is used which is not supported by Cosign, it will not be possible to generate the associated OCI image signature.
Cosign supports the following ECDSA curves:
- NIST P-224 (secp224r1)
- NIST P-256 (secp256r1, prime256v1)
- NIST P-384 (secp384r1)
- NIST P-521 (secp521r1)
If a key is used which is not supported by Cosign, Cloudsmith will not be able to generate the associated OCI image signature.
Updated about 1 month ago