In the vast and dynamic ecosystem of software development, security is a fundamental pillar that ensures the reliability and integrity of digital products. In particular, with the growing adoption of containers, the need to validate the authenticity and integrity of Docker images has become crucial. This is where Cosign comes into play, a tool developed by the Sigstore project, designed to simplify the signing and verification of Docker images. This practice ensures that the code you are about to deploy is exactly what was intended, free from malicious alterations. In this article, we will dive into the world of Cosign, exploring how it works, how it can be used to sign a Docker image, and why it is an essential element for improving software supply chain security. I will also illustrate a practical example, showing how I integrated Cosign into a GitHub pipeline to automate the image signing process. For a detailed view and access to the source code, I invite you to visit my GitHub repository.
What is Cosign?#
Cosign, a tool from the Sigstore project, was created with the goal of making the signing and verification of Docker images simple and secure. This tool is vital to ensure that the code deployed in production is the exact replica of the original code, free from malicious modifications. With just a few simple commands, Cosign democratizes the use of public-key cryptography, making it accessible even to teams with only basic security expertise. Beyond signing and verification, Cosign goes further by offering key and signature transparency, making it easier to verify signatures and ensuring that no changes to signed images go unnoticed. This robust functionality makes Cosign an indispensable tool in the toolbox of any security-conscious DevOps team, providing a strong line of defense against software supply chain attacks.
Why is Docker Image Signing Useful?#
Signing Docker images is a crucial step toward building a secure software supply chain. This practice raises the barrier against potential threats, ensuring the authenticity and integrity of containers. It acts as a strong verification mechanism, ensuring that the code ready to run or deploy is exactly the original, immune from unauthorized or malicious modifications. Docker image signing is essential for preventing Man-in-the-Middle (MitM) attacks, where attackers might attempt to inject malicious code while images transit over the network. It also aids in audits and compliance, offering an immutable record of signed and verified images, thereby providing full traceability and clear accountability. This is particularly useful in regulated or high-security environments, where traceability and compliance are crucial. With the exponential growth of containerized environments, signing Docker images with Cosign has become a key element in maintaining a secure and resilient software supply chain, allowing organizations to operate with greater confidence in the integrity of their systems.
How Does Cosign Work?#
Cosign works by generating a pair of cryptographic keys: a private key to sign Docker images and a public key to verify them. When you sign a Docker image with Cosign, both the image and the signature are stored in a container registry. Later, anyone wishing to verify the image can use the public key to confirm that it was signed with the corresponding private key and has not been altered. Cosign can be easily integrated into CI/CD pipelines, enabling automatic signing and verification of images during the deployment process. Additionally, Cosign can interface with the Sigstore registry for even stronger signature transparency, offering a complete solution for managing Docker image security within the software supply chain.
How to Sign a Docker Image with Cosign#
In this section, we’ll illustrate how to sign a Docker image with Cosign using a GitHub Action. Before getting started, make sure you have installed the latest version of Cosign. You can download the binary from GitHub or install it via Homebrew:
brew install cosign
Then, create a token on GitHub and export it as an environment variable:
export GITHUB_TOKEN=<token>
Now, generate the keys we will use in the GitHub Action. Thanks to the previously exported token, the Cosign command will insert the generated keys into the project’s secrets, allowing them to be used in the action:
cosign generate-key-pair github://<owner>/<project>
Next, create the GitHub Action. Create a file called docker-publish-and-sign.yml in your project’s .github/workflows directory, and insert the following code:
This GitHub Action follows a precise sequence of operations to ensure the Docker image is securely built, published, and signed:
- Checkout: Retrieves the source code from the GitHub repository.
- Set up Docker Buildx: Prepares the environment for building the image with Docker Buildx.
- Install Cosign: Installs Cosign in the runtime environment to enable image signing.
- Login to GitHub Container Registry: Logs in to the GitHub Container Registry (GHCR) to publish the Docker image.
- Build and Publish: Builds and publishes the Docker image to GHCR, using the GitHub run ID as the image tag.
- Sign the Image: Signs the Docker image using the private key, and the signature is stored in the registry.
To verify the signed image, run the following command:
cosign verify --key <public-key> <image>
The Sigstore Project#
Sigstore is an open-source project that aims to raise the bar for supply chain security. Its mission is to provide reliable and transparent tools for signing and verifying software artifacts. Cosign is one of the solutions offered by Sigstore, providing a secure and transparent method for signing and verifying Docker images and other artifacts. The Sigstore initiative, backed by an active and collaborative community, is constantly innovating to make the software supply chain more resilient to attacks and aligned with best security practices.
Conclusions#
The integrity of the software supply chain is a fundamental requirement for ensuring security in the modern era of software development. Tools like Cosign, supported by initiatives like Sigstore, represent significant steps forward in creating a more robust and secure supply chain, giving DevOps professionals the tools they need to effectively mitigate risks associated with supply chain attacks.
If you’ve followed this article to this point, you should now have a clear understanding of how to sign your Docker images and how to verify them. I hope this article has been helpful, and if you have any questions or suggestions, don’t hesitate to contact me.
