Container Image Signing With Cosign and Jenkins

Показать описание

Need help with your Jenkins questions?

Timecodes ⏱:

00:00 Introduction
00:07 Overview
00:35 Starting point
00:56 Create first job
02:54 Generate a key pair for signing
04:45 Create credentials to use with Cosign
07:06 Review Jenkinsfile that we will use to sign the image
08:31 Update Jenkinsfile to sign container image with Cosign
10:08 Verify the container image with Cosign
12:30 Why should you sign your container images?

#jenkinstutorial #cosign #ghcr

Information referenced in this video:

Sample repository:

How to Push an Image to GitHub Container Registry Using Jenkins

Jenkins LTS 2.319.1

CloudBees on Twitter:

Darin on Twitter:

Рекомендации по теме

Комментарии

I think you should start 12:35 at the beginning of the video, and then show the process.

discoline

That’s pretty cool … is there any API to verify after deployment as the verify is within the agent. Also the co-sign software should be installed in prod env to verify ? I am asking from audit point if they want to verify what’s deployed in prod

saradachelluboyena

How can we do this process when I want to sign the image with TLS certificate ?

prashantantil

Process is simple if you create key in cosign... but becomes very tedious and complicated if you want to use your GPG key pair you may be using elsewhere in your pipelines. At least until cosign can import GPG keys directly, it's easy when utilising KMSes for everything...

marcin_karwinski

Did you install cosign plugin in jenkins? How did cosign command work in your jenkinsfile??

roxiandiaries

I setup COSIGN_PASSWORD as env variable even though it's giving prompt to enter the password for cosign private key. How can we bypass it ???

kishorereddy

But whats the use of cosign password as Environment variables in this case.We are sign the image with the help of private key isnt?

tamilselvan

Container Image Signing With Cosign and Jenkins

Signing and Verifying Container Images With Sigstore Cosign and Kyverno

Container Image Signing With Cosign and Jenkins

Sign Your Container Images with Cosign, GitHub Actions and GitHub Container Registry (How To)

Secure Container Image Signing with Cosign and OPA

Keyless container image signing with GitLab

Signing the Docker Images using Cosign - Part 4

Container Signing – Set up SignServer and Cosign to Sign Container Images

Sigstore demo with cosign

Container Image Signing with AWS Signer and Amazon EKS

Cosign | Sign and Authenticate Your Images and SBOMs!

What is Notation? | Container Image Signing

Securing Container Images and Binaries with Cosign and Sigstore

Who's Verifying Your Signatures? Approaching Private Container Image Signing - Ethan Lowman, Da...

LF Live Webinar: Modernizing Image Security in CI/CD with Cosign and OPA

Securing Kubernetes Manifests with Sigstore Cosign, What Are Your Options? - Mathieu Benoit, Google

Signing Container Images | Code Signing Secure

'Keyless' Code Signing Without Fulcio - Nathan Smith, Chainguard

[CNTUG #50] Notation local signing and verification for container image

Verifying CloudBees CI Container Images Using Cosign

Signing Container Images | CodeSign Protect Technical Demo, Venafi

Securing GitOps Supply Chain with Sigstore and Kyverno - Roberto Carratala & Faz Sadeghi, Red Ha...

Signing Container Images with GitHub Actions using Notary

Sign and Verify Software Artifacts using Sigstore Cosign #supplychain #security #softwareengineering

TGI Kubernetes 187: Kubernetes Release - Image Signing MVP