feat(lab8): cosign image signing + SBOM attestation + blob signing #1402

Open
ruslanglvv wants to merge 2 commits into inno-devops-labs:main from ruslanglvv:feature/lab8

@ruslanglvv

Lab 8 submission: signed and verified the Juice Shop image with Cosign against
a local registry, attached a CycloneDX SBOM as an in-toto attestation, and
signed an arbitrary blob artifact as a bonus. Full writeup in submissions/lab8.md.

  • Task 1 — Sign/verify image digest with Cosign, tamper demo (retag with unrelated image, verify fails)
  • Task 2 — SBOM attestation (cyclonedx type), verify + extract, matches source SBOM (905 components)
  • Bonus — sign-blob/verify-blob on a text artifact, tamper demo
