feat(lab8): cosign sign + SBOM/provenance attestations + blob signing#1401

Open
ratteperk wants to merge 4 commits into
inno-devops-labs:mainfrom
ratteperk:feature/lab8
Conversation

@ratteperk


Goal

Sign the Juice Shop image with Cosign in a local registry, attach the CycloneDX SBOM from Lab 4 as an attestation, and (bonus) sign a tarball using cosign sign-blob to mitigate the Codecov 2021 attack class.


Changes

  • labs/lab8/keys/cosign.pub — public key for verifying the signatures/attestations (private key stays local, gitignored/gitleaks-blocked)
  • submissions/lab8.md — full write-up:
    • Task 1: local registry:3 instance, image pushed and signed by digest, tamper demo (re-tagged alpine under the same name — verify correctly fails), sanity recheck on the original digest
    • Task 2: CycloneDX SBOM attestation (matches Lab 4's SBOM exactly, diff is empty) + SLSA provenance attestation, both verified
    • Bonus: cosign sign-blob on a tarball, verify-blob passes on the original and fails on a tampered copy

Testing

# Task 1
docker run -d --name lab8-registry -p 127.0.0.1:5000:5000 registry:3
docker push localhost:5000/juice-shop:v20.0.0
# $DIGEST is the image reference by digest (localhost:5000/juice-shop@sha256:...), not the tag
cosign sign --key labs/lab8/keys/cosign.key --yes "$DIGEST"
cosign verify --key labs/lab8/keys/cosign.pub --insecure-ignore-tlog "$DIGEST"
# → Verified, exit 0; tampered re-tag → "no signatures found", exit 10; original still verifies after

# Task 2
cosign attest --key labs/lab8/keys/cosign.key --type cyclonedx --predicate labs/lab4/juice-shop.cdx.json "$DIGEST"
cosign attest --key labs/lab8/keys/cosign.key --type slsaprovenance --predicate /tmp/predicate-only.json "$DIGEST"
# verify-attestation needs the same key (and tlog flag) as verify, otherwise cosign expects keyless identity flags
cosign verify-attestation --key labs/lab8/keys/cosign.pub --insecure-ignore-tlog --type cyclonedx "$DIGEST"    # component count matches Lab 4 (3069), diff empty
cosign verify-attestation --key labs/lab8/keys/cosign.pub --insecure-ignore-tlog --type slsaprovenance "$DIGEST"

# Bonus
cosign sign-blob --key labs/lab8/keys/cosign.key --bundle my-tool.tar.gz.bundle my-tool.tar.gz
cosign verify-blob --key cosign.pub --bundle my-tool.tar.gz.bundle my-tool.tar.gz   # → Verified OK
# tampered copy → "invalid signature", exit 1

Artifacts & Screenshots


  • Task 1 — Image signed + tamper demo (both shown)
  • Task 2 — SBOM + provenance attestations attached and verified
  • Bonus — Blob signed + verify-blob success + tamper failure
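
A signature check alone says the attestation was signed with the lab key; the "diff is empty" step in Task 2 is what ties it to the SBOM you actually built. The following Python is an added example (not part of this PR or the lab repo) of that content check run over the DSSE envelope lines that `cosign verify-attestation` prints: it decodes the in-toto statement, confirms the predicate type and the subject digest, and compares the attested BOM against the local Lab 4 file. The sample SBOM, digest and envelope are constructed here; the predicate type URI and envelope layout are cosign's documented formats.

```python
# Content check for a CycloneDX attestation after cosign verified its signature:
# cosign verify-attestation prints one DSSE envelope per line, payload = base64 in-toto statement.
import base64
import json

CYCLONEDX_PREDICATE_TYPE = "https://cyclonedx.org/bom"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

def parse_envelope(line: str) -> dict:
    """Decode one DSSE envelope line into its in-toto statement."""
    env = json.loads(line)
    if env.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))

def check_sbom_attestation(line: str, image_digest: str, local_sbom: dict) -> dict:
    """Return {'ok', 'problems', 'components'}: is this the SBOM we expect?"""
    stmt, problems = parse_envelope(line), []
    if stmt.get("predicateType") != CYCLONEDX_PREDICATE_TYPE:
        problems.append(f"predicateType is {stmt.get('predicateType')!r}")
    attested = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if image_digest.split(":", 1)[-1] not in attested:  # bind to the pushed digest
        problems.append("subject digest differs from the image digest that was pushed")
    bom = stmt.get("predicate", {})
    if bom != local_sbom:  # the write-up's "diff is empty" check
        problems.append("attested BOM differs from the local SBOM file")
    return {"ok": not problems, "problems": problems,
            "components": len(bom.get("components", []))}

# Constructed sample data (hypothetical: not real cosign output, not the real digest).
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "express", "version": "4.18.2"},
    {"type": "library", "name": "lodash", "version": "4.17.21"},
    {"type": "library", "name": "jsonwebtoken", "version": "0.4.0"}]}
SAMPLE_DIGEST = "sha256:" + "ab" * 32

def make_envelope(predicate: dict, digest: str) -> str:
    """Build a DSSE line shaped like cosign's output (signature is a dummy)."""
    stmt = {"_type": "https://in-toto.io/Statement/v0.1",
            "predicateType": CYCLONEDX_PREDICATE_TYPE,
            "subject": [{"name": "localhost:5000/juice-shop",
                         "digest": {"sha256": digest.split(":", 1)[-1]}}],
            "predicate": predicate}
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return json.dumps({"payloadType": IN_TOTO_PAYLOAD_TYPE, "payload": payload,
                       "signatures": [{"keyid": "", "sig": "ZHVtbXk="}]})

if __name__ == "__main__":
    print(check_sbom_attestation(make_envelope(SAMPLE_SBOM, SAMPLE_DIGEST), SAMPLE_DIGEST, SAMPLE_SBOM))
```

In the real flow, feed each line of `cosign verify-attestation` output and the parsed `labs/lab4/juice-shop.cdx.json` to `check_sbom_attestation`; a BOM with a component dropped or a different subject digest is reported in `problems` even though cosign's signature check passed.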

@ratteperk ratteperk changed the title Feature/lab8 feat(lab8): cosign sign + SBOM/provenance attestations + blob signing Jul 3, 2026