find and fix examples where we are using the single dash style flags. #835

Merged: 1 commit, Oct 1, 2021
8 changes: 4 additions & 4 deletions .github/workflows/cross.yaml
Expand Up @@ -66,13 +66,13 @@ jobs:
COSIGN_PASSWORD: ${{secrets[matrix.COSIGN_PASSWORD]}}
if: github.event_name != 'pull_request'
run: |
./${{matrix.COSIGN_TARGET}} sign-blob -key ./.github/workflows/cosign.key ./${{matrix.COSIGN_TARGET}} > ${{matrix.COSIGN_TARGET}}.sig
./${{matrix.COSIGN_TARGET}} sign-blob -key ./.github/workflows/cosign.key ./${{matrix.SGET_TARGET}} > ${{matrix.SGET_TARGET}}.sig
./${{matrix.COSIGN_TARGET}} sign-blob --key ./.github/workflows/cosign.key ./${{matrix.COSIGN_TARGET}} > ${{matrix.COSIGN_TARGET}}.sig
./${{matrix.COSIGN_TARGET}} sign-blob --key ./.github/workflows/cosign.key ./${{matrix.SGET_TARGET}} > ${{matrix.SGET_TARGET}}.sig
- name: verify
if: github.event_name != 'pull_request'
run: |
./${{matrix.COSIGN_TARGET}} verify-blob -key ./.github/workflows/cosign.pub -signature ${{matrix.COSIGN_TARGET}}.sig ./${{matrix.COSIGN_TARGET}}
./${{matrix.COSIGN_TARGET}} verify-blob -key ./.github/workflows/cosign.pub -signature ${{matrix.SGET_TARGET}}.sig ./${{matrix.SGET_TARGET}}
./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign.pub --signature ${{matrix.COSIGN_TARGET}}.sig ./${{matrix.COSIGN_TARGET}}
./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign.pub --signature ${{matrix.SGET_TARGET}}.sig ./${{matrix.SGET_TARGET}}
- name: Upload artifacts
if: github.event_name != 'pull_request'
uses: actions/upload-artifact@v2
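Review bot: The sign step still captures the signature by redirecting stdout (`> ${{matrix.COSIGN_TARGET}}.sig`), while `.goreleaser.yml` in this same change writes it with `--output`. Since these lines are being touched anyway, consider passing `--output` with the `.sig` path here too, so the file can only ever contain the signature and both release paths invoke `sign-blob` the same way.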
8 changes: 4 additions & 4 deletions .goreleaser.yml
Expand Up @@ -128,19 +128,19 @@ signs:
- id: cosign
signature: "${artifact}.sig"
cmd: ./dist/cosign-linux-amd64
args: ["sign-blob", "-output", "${artifact}.sig", "-key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
args: ["sign-blob", "--output", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
artifacts: binary
- id: cosigned
signature: "${artifact}.sig"
cmd: ./dist/cosign-linux-amd64
args: ["sign-blob", "-output", "${artifact}.sig", "-key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
args: ["sign-blob", "--output", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
artifacts: binary
ids:
- linux-cosigned
- id: sget
signature: "${artifact}.sig"
cmd: ./dist/cosign-linux-amd64
args: ["sign-blob", "-output", "${artifact}.sig", "-key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
args: ["sign-blob", "--output", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
artifacts: binary
ids:
- sget
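Review bot: The `args` line is identical across the `cosign`, `cosigned` and `sget` entries, including the full `gcpkms://` key URI, which is why this flag rename needed three edits here and a fourth in `docker_signs`. Consider defining the list once (a YAML anchor, or at least a single environment variable for the key URI) so the next change to how release artifacts are signed cannot be applied to some entries and missed in others.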
Expand Down Expand Up @@ -219,7 +219,7 @@ docker_manifests:

docker_signs:
- artifacts: all
args: [ "sign", "-key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}" ]
args: [ "sign", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}" ]

archives:
- format: binary
6 changes: 3 additions & 3 deletions EXAMPLES.md
Expand Up @@ -8,7 +8,7 @@ Use `cosign` to generate the payload, sign it with `gcloud kms`, then use `cosig
$ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > payload.json
$ gcloud kms asymmetric-sign --digest-algorithm=sha256 --input-file=payload.json --signature-file=gcpkms.sig --key=foo --keyring=foo --version=1 --location=us-central
# We have to base64 encode the signature
$ cat gcpkms.sig | base64 | cosign attach signature -signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
$ cat gcpkms.sig | base64 | cosign attach signature --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
```

Now (on another machine) download the public key, payload, signatures and verify it!
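Review bot: The `attach signature` line in this example passes only `--signature -`, whereas the OpenSSL example later in the file passes `--payload payload.json` as well, even though both start from `cosign generate` writing `payload.json`. Either add `--payload payload.json` here or add a sentence saying why it can be omitted, so readers do not have to guess which form is correct.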
Expand Down Expand Up @@ -36,9 +36,9 @@ $ cosign generate us.gcr.io/dlorenc-vmtest2/demo > payload.json
$ openssl dgst -sha256 -sign openssl.key -out payload.sig payload.json
$ cat payload.sig | base64 > payloadbase64.sig
# Upload the signature
$ cosign attach signature -payload payload.json -signature payloadbase64.sig us.gcr.io/dlorenc-vmtest2/demo
$ cosign attach signature --payload payload.json --signature payloadbase64.sig us.gcr.io/dlorenc-vmtest2/demo
# Verify!
$ cosign verify -key openssl.pub us.gcr.io/dlorenc-vmtest2/demo
$ cosign verify --key openssl.pub us.gcr.io/dlorenc-vmtest2/demo
Verification for us.gcr.io/dlorenc-vmtest2/demo --
The following checks were performed on each of these signatures:
- The cosign claims were validated
12 changes: 6 additions & 6 deletions FUN.md
Expand Up @@ -10,13 +10,13 @@ Think again!
Sign the commits and store the signatures and public keys somewhere else.

```
$ ./cosign sign-blob -key cosign.key <(git rev-parse HEAD)
$ ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
Using payload from: /dev/fd/63
Enter password for private key:
MEUCIQDLtTbCRCW+o7Gt3WKR4b2UqT947L8JtYzQJk+R8PItxgIgXoYQg1YXw8xDmGWun6wIG2t+/J0HJs9SbscnSLMNWsM=
$ git rev-parse HEAD
455d1988360dcfdcf0fa17b0736fbbc33b4924c0
$ ./cosign verify-blob -key cosign.pub -signature MEUCIQDLtTbCRCW+o7Gt3WKR4b2UqT947L8JtYzQJk+R8PItxgIgXoYQg1YXw8xDmGWun6wIG2t+/J0HJs9SbscnSLMNWsM= <(git rev-parse HEAD)
$ ./cosign verify-blob --key cosign.pub --signature MEUCIQDLtTbCRCW+o7Gt3WKR4b2UqT947L8JtYzQJk+R8PItxgIgXoYQg1YXw8xDmGWun6wIG2t+/J0HJs9SbscnSLMNWsM= <(git rev-parse HEAD)
Verified OK
```

Expand All @@ -25,12 +25,12 @@ Verified OK
Store the signature in the repo as notes, store the public key somewhere else.

```
$ ./cosign sign-blob -key cosign.key <(git rev-parse HEAD)
$ ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
Using payload from: /dev/fd/63
Enter password for private key:
MEQCIHXN31pDrZBxs+m/HrcFruavv++oMc+pBZKgl7Hps9jjAiA9QE5uzpFNC5SGpdr4TJuCwh47C24Hwt4yHICae0J1bw==
$ git notes add -m "MEQCIHXN31pDrZBxs+m/HrcFruavv++oMc+pBZKgl7Hps9jjAiA9QE5uzpFNC5SGpdr4TJuCwh47C24Hwt4yHICae0J1bw==" HEAD
$ ./cosign verify-blob -key cosign.pub -signature <(git notes show HEAD) <(git rev-parse HEAD)
$ ./cosign verify-blob --key cosign.pub --signature <(git notes show HEAD) <(git rev-parse HEAD)
Verified OK
```

Expand All @@ -40,7 +40,7 @@ Verified OK
Store the signature in the Transparency Log, and store the public key somewhere else.

```
$ COSIGN_EXPERIMENTAL=1 ./cosign sign-blob -key cosign.key <(git rev-parse HEAD)
$ COSIGN_EXPERIMENTAL=1 ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
Using payload from: /dev/fd/63
Enter password for private key:
MEYCIQDWX6RjU0Z2ynd1CdiAwo/JaC2Z5+vdx8H5spuDNu/r5wIhAPnP+87+knFEwbE8FgeXCrgkjWal3aBsNR3IVaBDT2XU
Expand All @@ -52,7 +52,7 @@ Now find it from the log:
```
$ uuid=$(rekor-cli search --artifact <(git rev-parse HEAD) | tail -n 1)
$ sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.content)
$ cosign verify-blob -key cosign.pub -signature <(echo $sig) <(git rev-parse HEAD)
$ cosign verify-blob --key cosign.pub --signature <(echo $sig) <(git rev-parse HEAD)
Verified OK
```

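Review bot: In the log lookup snippet, `$uuid` and `$sig` are expanded unquoted (`--uuid=$uuid`, `<(echo $sig)`). Quote them as `--uuid="$uuid"` and `<(echo "$sig")` so the values reach `rekor-cli` and `cosign` exactly as returned rather than after word splitting and globbing. It would also help to say that `tail -n 1` simply takes the last search result, which need not be the entry created above if the same commit hash was logged more than once.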
18 changes: 9 additions & 9 deletions KMS.md
Expand Up @@ -14,17 +14,17 @@ The URI path syntax is provider specific and explained in the section for each p

### Key Generation and Management

To generate keys using a KMS provider, you can use the `cosign generate-key-pair` command with the `-kms` flag.
To generate keys using a KMS provider, you can use the `cosign generate-key-pair` command with the `--kms` flag.
For example:

```shell
$ cosign generate-key-pair -kms <some provider>://<some key>
$ cosign generate-key-pair --kms <some provider>://<some key>
```

The public key can be retrieved with:

```shell
$ cosign public-key -key <some provider>://<some key>
$ cosign public-key --key <some provider>://<some key>
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXc+DQU8Pb7Xo2RWCjFG/f6qbdABN
jnVtSyKZxNzBfNMLLtVxdu8q+AigrGCS2KPmejda9bICTcHQCRUrD5OLGQ==
Expand All @@ -33,13 +33,13 @@ jnVtSyKZxNzBfNMLLtVxdu8q+AigrGCS2KPmejda9bICTcHQCRUrD5OLGQ==

### Signing and Verification

To sign and verify using a key managed by a KMS provider, you can pass a provider-specific URI to the `-key` command:
To sign and verify using a key managed by a KMS provider, you can pass a provider-specific URI to the `--key` command:

```shell
$ cosign sign -key <some provider>://<some key> gcr.io/dlorenc-vmtest2/demo
$ cosign sign --key <some provider>://<some key> gcr.io/dlorenc-vmtest2/demo
Pushing signature to: gcr.io/dlorenc-vmtest2/demo:sha256-410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd.cosign

$ cosign verify -key <some provider>://<some key> gcr.io/dlorenc-vmtest2/demo
$ cosign verify --key <some provider>://<some key> gcr.io/dlorenc-vmtest2/demo

Verification for gcr.io/dlorenc-vmtest2/demo --
The following checks were performed on each of these signatures:
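Review bot: The reworded sentence under "Signing and Verification" says to pass the URI to the `--key` command, but `--key` is a flag; the commands are `cosign sign` and `cosign verify`. Suggest "you can pass a provider-specific URI to the `--key` flag".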
Expand All @@ -53,8 +53,8 @@ The following checks were performed on each of these signatures:
You can also export the public key and verify against that file:

```shell
$ cosign public-key -key <some provider>://<some key> > kms.pub
$ cosign verify -key kms.pub gcr.io/dlorenc-vmtest2/demo
$ cosign public-key --key <some provider>://<some key> > kms.pub
$ cosign verify --key kms.pub gcr.io/dlorenc-vmtest2/demo
```

### Providers
Expand Down Expand Up @@ -173,5 +173,5 @@ $ vault secrets enable transit
If you enabled `transit` secret engine at different path with the use of `-path` flag (i.e., `$ vault secrets enable -path="someotherpath" transit`), you can use `TRANSIT_SECRET_ENGINE_PATH` environment variable to specify this path while generating a key pair like the following:

```shell
$ TRANSIT_SECRET_ENGINE_PATH="someotherpath" cosign generate-key-pair -kms hashivault://testkey
$ TRANSIT_SECRET_ENGINE_PATH="someotherpath" cosign generate-key-pair --kms hashivault://testkey
```
4 changes: 2 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -108,11 +108,11 @@ ko-local:

.PHONY: sign-container
sign-container: ko
cosign sign -key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosign:$(GIT_HASH)
cosign sign --key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosign:$(GIT_HASH)

.PHONY: sign-cosigned
sign-cosigned:
cosign sign -key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosigned:$(GIT_HASH)
cosign sign --key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosigned:$(GIT_HASH)

# used when releasing together with GCP CloudBuild
.PHONY: release
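Review bot: Both signing targets pass a mutable tag reference (`${KO_PREFIX}/cosign:$(GIT_HASH)`, `${KO_PREFIX}/cosigned:$(GIT_HASH)`), so the signature lands on whatever the tag resolves to when the target runs. The README in this same change resolves the digest first and signs `dlorenc/demo@$DGST`; consider doing the same here so the signed digest is the one the build produced. Separately, `sign-container` has `ko` as a prerequisite while `sign-cosigned` has none, which deserves a comment if intentional.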
40 changes: 20 additions & 20 deletions README.md
Expand Up @@ -116,7 +116,7 @@ Public key written to cosign.pub
### Sign a container and store the signature in the registry

```shell
$ cosign sign -key cosign.key dlorenc/demo
$ cosign sign --key cosign.key dlorenc/demo
Enter password for private key:
Pushing signature to: index.docker.io/dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8.sig
```
Expand All @@ -136,7 +136,7 @@ Note that these signed payloads include the digest of the container image, which
sure these "detached" signatures cover the correct image.

```shell
$ cosign verify -key cosign.pub dlorenc/demo
$ cosign verify --key cosign.pub dlorenc/demo
The following checks were performed on these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
Expand Down Expand Up @@ -221,7 +221,7 @@ curl -L gcr.io/v2/dlorenc-vmtest2/artifact/blobs/sha256:97f16c28f6478f3c02d7fff4
You can sign it with the normal `cosign sign` command and flags:

```shell
cosign sign -key cosign.key gcr.io/dlorenc-vmtest2/artifact
cosign sign --key cosign.key gcr.io/dlorenc-vmtest2/artifact
Enter password for private key:
Pushing signature to: gcr.io/dlorenc-vmtest2/artifact:sha256-3f612a4520b2c245d620d0cca029f1173f6bea76819dde8543f5b799ea3c696c.sig
```
Expand Down Expand Up @@ -271,7 +271,7 @@ Creating Tekton Bundle:
- Added TaskRun: to image

Pushed Tekton Bundle to us.gcr.io/dlorenc-vmtest2/pipeline@sha256:124e1fdee94fe5c5f902bc94da2d6e2fea243934c74e76c2368acdc8d3ac7155
$ cosign sign -key cosign.key us.gcr.io/dlorenc-vmtest2/pipeline:latest
$ cosign sign --key cosign.key us.gcr.io/dlorenc-vmtest2/pipeline:latest
Enter password for private key:
tlog entry created with index: 5086
Pushing signature to: us.gcr.io/dlorenc-vmtest2/demo:sha256-124e1fdee94fe5c5f902bc94da2d6e2fea243934c74e76c2368acdc8d3ac7155.sig
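Review bot: The sample output in this block does not match the command: the image being signed is `us.gcr.io/dlorenc-vmtest2/pipeline:latest`, but the last line reports pushing the signature to `us.gcr.io/dlorenc-vmtest2/demo`. The digest in that line matches the bundle pushed above, so the repository name should read `pipeline`.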
Expand All @@ -285,7 +285,7 @@ Cosign can upload these using the `cosign wasm upload` command:

```shell
$ cosign upload wasm -f hello.wasm us.gcr.io/dlorenc-vmtest2/wasm
$ cosign sign -key cosign.key us.gcr.io/dlorenc-vmtest2/wasm
$ cosign sign --key cosign.key us.gcr.io/dlorenc-vmtest2/wasm
Enter password for private key:
tlog entry created with index: 5198
Pushing signature to: us.gcr.io/dlorenc-vmtest2/wasm:sha256-9e7a511fb3130ee4641baf1adc0400bed674d4afc3f1b81bb581c3c8f613f812.sig
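Review bot: The sentence introducing this block names the command `cosign wasm upload`, but the block runs `cosign upload wasm`. Since the examples are being corrected in this change, make the prose match the command that is actually shown.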
Expand All @@ -299,7 +299,7 @@ The specification for these is defined [here](/~https://github.com/in-toto/attesta
You can create and sign one from a local predicate file using the following commands:

```shell
$ cosign attest -predicate <file> -key cosign.pub <image>
$ cosign attest --predicate <file> --key cosign.pub <image>
```

All of the standard key management systems are supported.
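Review bot: The attest example signs with `--key cosign.pub`, which is the public key; every other signing example in this file uses `cosign.key`, and `cosign.pub` is what the `verify-attestation` example passes. This line should read `cosign attest --predicate <file> --key cosign.key <image>`.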
Expand All @@ -308,7 +308,7 @@ Payloads are signed using the DSSE signing spec, defined [here](https://github.c
To verify:

```shell
$ cosign verify-attestation -key cosign.pub <image>
$ cosign verify-attestation --key cosign.pub <image>
```

## Detailed Usage
Expand Down Expand Up @@ -345,7 +345,7 @@ Today, `cosign` has been tested and works against the following registries:

We aim for wide registry support. To `sign` images in registries which do not yet fully support [OCI media types](/~https://github.com/sigstore/cosign/blob/main/SPEC.md#object-types), one may need to use `COSIGN_DOCKER_MEDIA_TYPES` to fall back to legacy equivalents. For example:
```shell
COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign -key cosign.key legacy-registry.example.com/my/image
COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign --key cosign.key legacy-registry.example.com/my/image
```

Please help test and file bugs if you see issues!
Expand All @@ -358,8 +358,8 @@ To publish signed artifacts to a Rekor transparency log and verify their existen
set the `COSIGN_EXPERIMENTAL=1` environment variable.

```shell
COSIGN_EXPERIMENTAL=1 cosign sign -key cosign.key dlorenc/demo
COSIGN_EXPERIMENTAL=1 cosign verify -key cosign.pub dlorenc/demo
COSIGN_EXPERIMENTAL=1 cosign sign --key cosign.key dlorenc/demo
COSIGN_EXPERIMENTAL=1 cosign verify --key cosign.pub dlorenc/demo
```

`cosign` defaults to using the public instance of rekor at [rekor.sigstore.dev](https://rekor.sigstore.dev).
Expand Down Expand Up @@ -508,15 +508,15 @@ Digest: sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef
Now sign it! Using `cosign` of course:

```shell
$ cosign sign -key cosign.key us-central1-docker.pkg.dev/dlorenc-vmtest2/test/artifact@sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef
$ cosign sign --key cosign.key us-central1-docker.pkg.dev/dlorenc-vmtest2/test/artifact@sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef
Enter password for private key:
Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/artifact:sha256-551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef.sig
```

Finally, verify `cosign` with `cosign` again:

```shell
$ cosign verify -key cosign.pub us-central1-docker.pkg.dev/dlorenc-vmtest2/test/artifact@sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef
$ cosign verify --key cosign.pub us-central1-docker.pkg.dev/dlorenc-vmtest2/test/artifact@sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The claims were present in the transparency log
Expand Down Expand Up @@ -599,17 +599,17 @@ run something like:
```shell
$ TAG=sign-me
$ DGST=$(crane digest dlorenc/demo:$TAG)
$ cosign sign -key cosign.key -a tag=$TAG dlorenc/demo@$DGST
$ cosign sign --key cosign.key -a tag=$TAG dlorenc/demo@$DGST
Enter password for private key:
Pushing signature to: dlorenc/demo:sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.sig
```

Then you can verify that the tag->digest mapping is also covered in the signature, using the `-a` flag to `cosign verify`.
This example verifes that the digest `$TAG` points to (`sha256:97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36`)
This example verifies that the digest `$TAG` points to (`sha256:97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36`)
has been signed, **and also** that the `$TAG`:

```shell
$ cosign verify -key cosign.pub -a tag=$TAG dlorenc/demo:$TAG | jq .
$ cosign verify --key cosign.pub -a tag=$TAG dlorenc/demo:$TAG | jq .
{
"Critical": {
"Identity": {
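Review bot: The sentence fixed for the `verifes` typo still trails off: "has been signed, **and also** that the `$TAG`:" never says what is checked about `$TAG`. Complete it while here, for example by stating that the `tag=$TAG` annotation passed with `-a` is present in the signed payload.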
Expand Down Expand Up @@ -693,10 +693,10 @@ it to act as an attestation to the **signature(s) themselves**.
Before we sign the signature artifact, we first give it a memorable name so we can find it later.

```shell
$ cosign sign -key cosign.key -a sig=original dlorenc/demo
$ cosign sign --key cosign.key -a sig=original dlorenc/demo
Enter password for private key:
Pushing signature to: dlorenc/demo:sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.sig
$ cosign verify -key cosign.pub dlorenc/demo | jq .
$ cosign verify --key cosign.pub dlorenc/demo | jq .
{
"Critical": {
"Identity": {
Expand All @@ -718,10 +718,10 @@ Now give that signature a memorable name, then sign that:
```shell
$ crane tag $(cosign triangulate dlorenc/demo) mysignature
2021/02/15 20:22:55 dlorenc/demo:mysignature: digest: sha256:71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e size: 556
$ cosign sign -key cosign.key -a sig=counter dlorenc/demo:mysignature
$ cosign sign --key cosign.key -a sig=counter dlorenc/demo:mysignature
Enter password for private key:
Pushing signature to: dlorenc/demo:sha256-71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e.sig
$ cosign verify -key cosign.pub dlorenc/demo:mysignature
$ cosign verify --key cosign.pub dlorenc/demo:mysignature
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e"},"Type":"cosign container image signature"},"Optional":{"sig":"counter"}}
```

Expand Down Expand Up @@ -751,5 +751,5 @@ $ crane manifest dlorenc/demo@sha256:71f70e5d29bde87f988740665257c35b1c6f52dafa2

## Security

Should you discover any security issues, please refer to sigstores [security
Should you discover any security issues, please refer to sigstore's [security
process](/~https://github.com/sigstore/community/blob/main/SECURITY.md)