Cosign

CoSign is an open-source command-line tool designed to enhance container image security by simplifying the signing and verification process. It uses digital signatures: a container image is signed with a private key, and the recipient verifies the signature with the corresponding public key. This protects against tampering in transit (man-in-the-middle attacks) and lets the recipient confirm that an image was not altered during distribution.

As part of the Sigstore project, CoSign supports container signing, verification, and storage of signatures in an Open Container Initiative (OCI) registry, with the aim of making signatures invisible infrastructure for data center operations. The goal of the Sigstore project is to enable developers to securely sign software artifacts, including release files, binaries, container images, bill of materials manifests and more. For more details, see Cosign - Sigstore.

Download Cosign

  1. Download and install CoSign version 1.3 or newer, ensuring it has PKCS#11 key support enabled.
  2. Download Link: Cosign Download Link.

Prerequisites

  1. Execute the AppViewX SIGN+ installer to set up the prerequisites for using the AppViewX PKCS#11 provider with CoSign.
  2. Ensure pkcs11-tool is pre-installed.
  3. Use a version of CoSign that supports the pre-installed pkcs11-tool.
    Note: Access to a container registry is required for CoSign to function. ttl.sh provides free, short-lived (hours) anonymous container image hosting. Use the following commands to create a short-lived temporary container image (on ttl.sh the :1h tag sets its lifetime).
    IMAGE_NAME=$(uuidgen)
    IMAGE=ttl.sh/$IMAGE_NAME:1h
    <path to cosign> copy alpine $IMAGE
    The following examples use the sample container image created by the commands above ($IMAGE).

Signing and Verifying Container Images with CoSign

  1. Verify that the pkcs11 token can be loaded in CoSign.
    <path to cosign executable> pkcs11-tool list-tokens --module-path <path to PKCS11.so>
    Sample Command:
    <path to cosign> pkcs11-tool list-tokens --module-path "/home/admin/AppViewX Sign+/AVXPKCS11.so"
    Sample Output:
    Listing tokens of PKCS11 module '/home/admin/AppViewX Sign+/AVXPKCS11.so'
    Token in slot 0
    	Label: AppViewX PKCS11
    	Manufacturer: AppViewX Inc.
    	Model: V2
    	S/N: 1E7218780068003
  2. Fetch and list all key URIs from the installed SIGN+ package.
    Sample Command:
    <path to cosign> pkcs11-tool list-keys-uris --module-path "/home/admin/AppViewX Sign+/AVXPKCS11.so" --slot-id 0 --pin 12345678
    Command Output:
    Listing URIs of keys in slot '0' of PKCS11 module '/home/admin/AppViewX Sign+/AVXPKCS11.so'
    Object 0
    	Label: AppViewX Inc Test's AppViewX Intermediate CA
    	ID: 323030
    	URI: pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%30;object=AppViewX%20Inc%20Test's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign+/AVXPKCS11.so&pin-value=12345678
    Object 1
    	Label: AppViewX Inc Prod's AppViewX Intermediate CA
    	ID: 323033
    	URI: pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%33;object=AppViewX%20Inc%20Prod's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign+/AVXPKCS11.so&pin-value=12345678
  3. Sign a container image. Note that the sample command percent-encodes the + in the module path as %2B, whereas the URIs printed by list-keys-uris contain a literal +; encode it when copying a URI from that listing.
    <path to cosign executable> sign --key <URI> $IMAGE
    Sample Command:
    <path to cosign> sign --key "pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%33;object=AppViewX%20Inc%20Prod's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign%2B/AVXPKCS11.so&pin-value=12345678" $IMAGE
    Command Output:
    Pushing signature to: ttl.sh/4829a8e9-605e-483d-b137-16a003b91d64
  4. Verify the signed container image:
    <path to cosign executable> verify --key <URI> $IMAGE
    Sample Command:
    <path to cosign> verify --key "pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%33;object=AppViewX%20Inc%20Prod's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign%2B/AVXPKCS11.so&pin-value=12345678" $IMAGE
    Command Output:
    Verification for ttl.sh/4829a8e9-605e-483d-b137-16a003b91d64:1h --
    The following checks were performed on each of these signatures:
      - The cosign claims were validated
      - The signatures were verified against the specified public key
    
    [{"critical":{"identity":{"docker-reference":"ttl.sh/4829a8e9-605e-483d-b137-16a003b91d64"},"image":{"docker-manifest-digest":"sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5"},"type":"cosign container image signature"},"optional":{"Subject":""}}]
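The key URI passed to --key is an RFC 7512 PKCS#11 URI assembled from the fields that list-keys-uris prints (token label, slot, the key's CKA_ID bytes, object label, module path and PIN). The Python below is an added example, not part of this page and not AppViewX's or Sigstore's code: it parses the listing from step 2 and rebuilds the URI used in steps 3 and 4, percent-encoding every attribute so that the module path's + becomes %2B as in the sample commands (the listed URIs keep a literal +, which many URL parsers would decode as a space in a query). The listing text, token label, slot and PIN are copied from the outputs above; the sets of characters left unencoded are based on RFC 7512, and it is an assumption here that encoding a few more characters than the RFC strictly requires is harmless, which the sample commands bear out for +.

```python
"""Rebuild a cosign --key PKCS#11 URI from `cosign pkcs11-tool list-keys-uris` output (added example)."""
from urllib.parse import quote

# Listing copied from step 2 above (constructed test input for this example).
SAMPLE_LISTING = (
    "Listing URIs of keys in slot '0' of PKCS11 module '/home/admin/AppViewX Sign+/AVXPKCS11.so'\n"
    "Object 0\n"
    "\tLabel: AppViewX Inc Test's AppViewX Intermediate CA\n"
    "\tID: 323030\n"
    "\tURI: pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%30;object=AppViewX%20Inc%20Test's"
    "%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign+/AVXPKCS11.so&pin-value=12345678\n"
    "Object 1\n"
    "\tLabel: AppViewX Inc Prod's AppViewX Intermediate CA\n"
    "\tID: 323033\n"
    "\tURI: pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%33;object=AppViewX%20Inc%20Prod's"
    "%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign+/AVXPKCS11.so&pin-value=12345678\n"
)

# Characters left unencoded in path attributes (token=, object=) and in query attributes
# (module-path=, pin-value=), based on RFC 7512. '+' and '&' are deliberately absent from
# both sets so they are always percent-encoded; the sign/verify commands above use %2B.
PATH_SAFE = "-._~:[]@!$'()*,="
QUERY_SAFE = "-._~:[]@!$'()*,=/?|"


def parse_key_listing(text):
    """Turn the list-keys-uris text into a list of dicts: index, label, id, uri."""
    objects, current = [], None
    for line in text.splitlines():
        if line.startswith("Object "):
            current = {"index": int(line.split()[1])}
            objects.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip().lower()] = value.strip()
    return objects


def build_key_uri(module_path, token, slot_id, key_id_hex, object_label, pin):
    """Assemble a pkcs11: URI in the form cosign's --key flag accepts."""
    # The ID field is the hex of the raw CKA_ID bytes; RFC 7512 wants each byte as %XX.
    key_id = "".join("%%%02X" % b for b in bytes.fromhex(key_id_hex))
    # Caution: pin-value embeds the PIN in the URI, hence in the command line and shell history.
    return "pkcs11:token={};slot-id={};id={};object={}?module-path={}&pin-value={}".format(
        quote(token, safe=PATH_SAFE),
        slot_id,
        key_id,
        quote(object_label, safe=PATH_SAFE),
        quote(module_path, safe=QUERY_SAFE),
        quote(pin, safe=QUERY_SAFE),
    )


def key_uri_for_label(listing_text, label, module_path, token, slot_id, pin):
    """Pick the object with the given label from a listing and build its --key URI."""
    for obj in parse_key_listing(listing_text):
        if obj.get("label") == label:
            return build_key_uri(module_path, token, slot_id, obj["id"], label, pin)
    raise KeyError("no key object labelled %r in listing" % label)


if __name__ == "__main__":
    uri = key_uri_for_label(
        SAMPLE_LISTING,
        "AppViewX Inc Prod's AppViewX Intermediate CA",
        "/home/admin/AppViewX Sign+/AVXPKCS11.so",
        "AppViewX PKCS11",
        0,
        "12345678",
    )
    print(uri)  # identical to the --key value in the sample sign command above
```

Selecting the key by its label rather than by copying a URI avoids the + problem and makes the slot, token and module path explicit inputs that can be checked before signing.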

Signing and Verifying Blob Files with CoSign

  1. Verify that the PKCS#11 token can be loaded in CoSign.
    <path to cosign executable> pkcs11-tool list-tokens --module-path <path to PKCS11.so>
    Sample Command:
    <path to cosign> pkcs11-tool list-tokens --module-path "/home/admin/AppViewX Sign+/AVXPKCS11.so"
    Sample Output:
    Listing tokens of PKCS11 module '/home/admin/AppViewX Sign+/AVXPKCS11.so'
    Token in slot 0
    	Label: AppViewX PKCS11
    	Manufacturer: AppViewX Inc.
    	Model: V2
    	S/N: 1E7218780068003
  2. Fetch and list all key URIs from the installed SIGN+ package.
    Sample Command:
    <path to cosign> pkcs11-tool list-keys-uris --module-path "/home/admin/AppViewX Sign+/AVXPKCS11.so" --slot-id 0 --pin 12345678
    Command Output:
    Listing URIs of keys in slot '0' of PKCS11 module '/home/admin/AppViewX Sign+/AVXPKCS11.so'
    Object 0
    	Label: AppViewX Inc Test's AppViewX Intermediate CA
    	ID: 323030
    	URI: pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%30;object=AppViewX%20Inc%20Test's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign+/AVXPKCS11.so&pin-value=12345678
    Object 1
    	Label: AppViewX Inc Prod's AppViewX Intermediate CA
    	ID: 323033
    	URI: pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%33;object=AppViewX%20Inc%20Prod's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign+/AVXPKCS11.so&pin-value=12345678
  3. Sign a blob file.
    <path to cosign executable> sign-blob --key <URI> <path_to_blob_file>
    Sample Command:
    <path to cosign> sign-blob --key "pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%30;object=AppViewX%20Inc%20Test's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign%2B/AVXPKCS11.so&pin-value=12345678" README.md
    Command Output:
    Using payload from: README.md
    <Base64_SignatureString>
  4. Verify a blob file:
    <path to cosign executable> verify-blob --key <URI> --signature <Base64_SignatureString> <path_to_blob_file>
    Sample Command:
    <path to cosign> verify-blob --signature "<Base64_SignatureString>" --key "pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%30;object=AppViewX%20Inc%20Test's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign%2B/AVXPKCS11.so&pin-value=12345678" README.md
    Command Output:
    Verified OK

Signing and Verifying SBOM Files with CoSign

  1. Verify that the PKCS#11 token can be loaded in CoSign.
    <path to cosign executable> pkcs11-tool list-tokens --module-path <path to PKCS11.so>
    Sample Command:
    <path to cosign> pkcs11-tool list-tokens --module-path "/home/admin/AppViewX Sign+/AVXPKCS11.so"
    Sample Output:
    Listing tokens of PKCS11 module '/home/admin/AppViewX Sign+/AVXPKCS11.so'
    Token in slot 0
    	Label: AppViewX PKCS11
    	Manufacturer: AppViewX Inc.
    	Model: V2
    	S/N: 1E7218780068003
  2. Fetch and list all key URIs from the installed SIGN+ package.
    Sample Command:
    <path to cosign> pkcs11-tool list-keys-uris --module-path "/home/admin/AppViewX Sign+/AVXPKCS11.so" --slot-id 0 --pin 12345678
    Command Output:
    Listing URIs of keys in slot '0' of PKCS11 module '/home/admin/AppViewX Sign+/AVXPKCS11.so'
    Object 0
    	Label: AppViewX Inc Test's AppViewX Intermediate CA
    	ID: 323030
    	URI: pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%30;object=AppViewX%20Inc%20Test's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign+/AVXPKCS11.so&pin-value=12345678
    Object 1
    	Label: AppViewX Inc Prod's AppViewX Intermediate CA
    	ID: 323033
    	URI: pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%33;object=AppViewX%20Inc%20Prod's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign+/AVXPKCS11.so&pin-value=12345678
  3. Generate an SBOM file for a container image.
    Sample Command:
    syft $IMAGE -o spdx > sbom_output_file.spdx
    Command Output:
     ✔ Parsed image                                  sha256:324bc02ae1231fd9255658c128086395d3fa0aedd5a41ab6b034fd649d1a9260
     ✔ Cataloged contents                                   eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78
       ├── ✔ Packages                        [14 packages]  
       ├── ✔ File digests                    [77 files]  
       ├── ✔ File metadata                   [77 locations]  
       └── ✔ Executables                     [17 executables] 
  4. Attach the SBOM to the container image.
    <path to cosign executable> attach sbom --sbom <sbom_file.spdx> $IMAGE  # get the digest from the output
    Sample Command:
    <path to cosign> attach sbom --sbom sbom_output_file.spdx  $IMAGE
    Command Output:
    WARNING: Attaching SBOMs this way does not sign them. If you want to sign them, use 'cosign attest -predicate sbom_output_file.spdx -key <key path>' or 'cosign sign -key <key path> <sbom image>'.
    Uploading SBOM file for [ttl.sh/4829a8e9-605e-483d-b137-16a003b91d64:1h] to [ttl.sh/4829a8e9-605e-483d-b137-16a003b91d64:sha256-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5.sbom] with mediaType [text/spdx].
  5. Sign the SBOM.
    <path to cosign executable> sign --key <URI> <output of attach SBOM command>
    Sample Command:
    <path to cosign> sign --key "pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%33;object=AppViewX%20Inc%20Prod's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign%2B/AVXPKCS11.so&pin-value=12345678" ttl.sh/4829a8e9-605e-483d-b137-16a003b91d64:sha256-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5.sbom
    Command Output:
    Pushing signature to: ttl.sh/4829a8e9-605e-483d-b137-16a003b91d64
  6. Verify the SBOM.
    <path to cosign executable> verify --key <URI> <SBOM>
    Sample Command:
    <path to cosign> verify --key "pkcs11:token=AppViewX%20PKCS11;slot-id=0;id=%32%30%33;object=AppViewX%20Inc%20Prod's%20AppViewX%20Intermediate%20CA?module-path=/home/admin/AppViewX%20Sign%2B/AVXPKCS11.so&pin-value=12345678" ttl.sh/4829a8e9-605e-483d-b137-16a003b91d64:sha256-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5.sbom
    Command Output:
    Verification for ttl.sh/4829a8e9-605e-483d-b137-16a003b91d64:sha256-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5.sbom --
    The following checks were performed on each of these signatures:
      - The cosign claims were validated
      - The signatures were verified against the specified public key
    
    [{"critical":{"identity":{"docker-reference":"ttl.sh/4829a8e9-605e-483d-b137-16a003b91d64"},"image":{"docker-manifest-digest":"sha256:f4f7b7532e3830962a95ff42e226e9b354cb4d5d6922577a3bbc4b2291a9bb1e"},"type":"cosign container image signature"},"optional":{"Subject":""}}]
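The JSON payload that cosign verify prints is what ties a successful verification to a specific repository and manifest digest, and the digest in the SBOM's payload above (sha256:f4f7b753...) is the SBOM artifact's own manifest digest, not the image's (sha256:0a4eaa0e...): the only link between the signed SBOM and the image is the tag name that attach sbom derives from the image digest. The Python below is an added example, not part of this page and not Cosign's code. It works on constructed copies of the outputs shown in this section and in the container image section: it derives the .sbom tag from the image digest and compares it with the target that attach sbom reported, and it checks that a verify payload names the repository and the exact digest you intend to deploy, which a mutable tag such as :1h does not guarantee on its own.

```python
"""Cross-check cosign verify payloads and the attach-sbom tag convention (added example)."""
import json
import re

# Constructed copies of the outputs shown on this page.
REPO = "ttl.sh/4829a8e9-605e-483d-b137-16a003b91d64"
IMAGE_DIGEST = "sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5"
SBOM_DIGEST = "sha256:f4f7b7532e3830962a95ff42e226e9b354cb4d5d6922577a3bbc4b2291a9bb1e"

ATTACH_OUTPUT = (
    "Uploading SBOM file for [" + REPO + ":1h] to ["
    + REPO + ":sha256-0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5.sbom] "
    "with mediaType [text/spdx]."
)
_PAYLOAD_TEMPLATE = (
    '[{"critical":{"identity":{"docker-reference":"%s"},'
    '"image":{"docker-manifest-digest":"%s"},'
    '"type":"cosign container image signature"},"optional":{"Subject":""}}]'
)
IMAGE_VERIFY_OUTPUT = _PAYLOAD_TEMPLATE % (REPO, IMAGE_DIGEST)  # step 4, container image section
SBOM_VERIFY_OUTPUT = _PAYLOAD_TEMPLATE % (REPO, SBOM_DIGEST)    # step 6 above


def sbom_reference(repository, image_digest):
    """Tag under which `cosign attach sbom` stores the SBOM: <repo>:<algo>-<hex>.sbom."""
    algorithm, sep, hexdigest = image_digest.partition(":")
    if sep != ":" or not re.fullmatch(r"[0-9a-f]{64}", hexdigest):
        raise ValueError("expected a digest like sha256:<64 hex chars>, got %r" % image_digest)
    return "%s:%s-%s.sbom" % (repository, algorithm, hexdigest)


def attach_target(attach_output):
    """Extract the reference that `cosign attach sbom` reports uploading to (None if absent)."""
    match = re.search(r"\] to \[([^\]]+)\] with mediaType", attach_output)
    return match.group(1) if match else None


def sbom_matches_image(attach_output, repository, image_digest):
    """True if the SBOM was attached under the tag derived from this image digest."""
    return attach_target(attach_output) == sbom_reference(repository, image_digest)


def verified_digests(verify_output, expected_repo):
    """Manifest digests from a `cosign verify` payload whose identity is the expected repo."""
    digests = set()
    for payload in json.loads(verify_output):
        critical = payload["critical"]
        if critical.get("type") != "cosign container image signature":
            continue
        if critical["identity"]["docker-reference"] != expected_repo:
            continue
        digests.add(critical["image"]["docker-manifest-digest"])
    return digests


def safe_to_deploy(verify_output, expected_repo, pinned_digest):
    """True only if a verified signature covers exactly the digest we intend to run."""
    return pinned_digest in verified_digests(verify_output, expected_repo)


if __name__ == "__main__":
    print("SBOM tag derived from image digest:", sbom_reference(REPO, IMAGE_DIGEST))
    print("attach target matches:", sbom_matches_image(ATTACH_OUTPUT, REPO, IMAGE_DIGEST))
    print("image payload covers pinned digest:", safe_to_deploy(IMAGE_VERIFY_OUTPUT, REPO, IMAGE_DIGEST))
    # The SBOM signature covers the SBOM artifact, so it must not be mistaken for an image signature.
    print("sbom payload covers image digest:", safe_to_deploy(SBOM_VERIFY_OUTPUT, REPO, IMAGE_DIGEST))
```

In a pipeline, pin the image by digest (repo@sha256:...) and feed that digest to safe_to_deploy; a payload that names the right repository but a different digest means the tag now points at a manifest other than the one that was signed.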