
feat(lab8): cosign sign + SBOM/provenance attestations + blob signing #1404

Open

Muratich wants to merge 4 commits into inno-devops-labs:main from Muratich:feature/lab8

Conversation


Muratich commented Jul 3, 2026


Goal

Lab 8: sign the Juice Shop image with Cosign in a local registry, attach SBOM and provenance attestations, and demonstrate blob signing with cosign sign-blob.

Changes

  • Added / updated:
    • submissions/lab8.md
    • labs/lab8/keys/cosign.pub
  • Other changes:
    • Task 1: local registry, image signing by digest, tamper demo (verify pass/fail)
    • Task 2: CycloneDX SBOM attestation + SLSA provenance attestation
    • Bonus: my-tool.tar.gz signed with cosign sign-blob, verify-blob pass + tamper fail

Testing

  • Commands run:
    • docker run -d --name lab8-registry -p 127.0.0.1:5000:5000 registry:3
    • docker push localhost:5000/juice-shop:v20.0.0
    • cosign sign --key labs/lab8/keys/cosign.key --allow-insecure-registry --new-bundle-format=false --use-signing-config=false --tlog-upload=false --yes $DIGEST
    • cosign verify --key labs/lab8/keys/cosign.pub --insecure-ignore-tlog --allow-insecure-registry $DIGEST
    • cosign verify --key labs/lab8/keys/cosign.pub --insecure-ignore-tlog --allow-insecure-registry $TAMPERED_DIGEST
    • cosign attest --type cyclonedx --predicate labs/lab4/juice-shop.cdx.json $DIGEST
    • cosign attest --type slsaprovenance --predicate labs/lab8/predicate-only.json $DIGEST
    • cosign sign-blob --key labs/lab8/keys/cosign.key --bundle labs/lab8/results/my-tool.tar.gz.bundle labs/lab8/results/my-tool.tar.gz
    • cosign verify-blob --key labs/lab8/keys/cosign.pub --bundle my-tool.tar.gz.bundle my-tool.tar.gz
  • Observed output:
    • Pushing signature to: localhost:5000/juice-shop
    • Original digest verify: The signatures were verified against the specified public key
    • Tampered digest verify: Error: no signatures found
    • SBOM component count: 1846 (matches Lab 4)
    • Blob verify: Verified OK
    • Tampered blob verify: Error: invalid signature when validating ASN.1 encoded signature

Artifacts & Screenshots

  • submissions/lab8.md
  • labs/lab8/keys/cosign.pub
  • Screenshots / links:
    • Verification outputs saved in submissions/lab8.md (Task 1, Task 2, Bonus)

Checklist

  • Title is clear (feat(labN): <topic> style)
  • No secrets or large temp files are committed
  • Submission file at submissions/labN.md exists
  • Task 1 — Image signed + tamper demo (both shown)
  • Task 2 — SBOM + provenance attestations attached and verified
  • Bonus — Blob signed + verify-blob success + tamper failure
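The commands listed under Testing above are run by hand; the script below is an added example (not part of this PR or of the cosign project) that wraps the same verify steps behind a guard rail a reviewer would want: it refuses to verify anything that is not pinned by an immutable `@sha256:` digest, since a mutable tag such as `juice-shop:v20.0.0` can be repointed after signing while a digest cannot. It assumes cosign is on PATH, that `DIGEST` and `TAMPERED_DIGEST` are set in the shell exactly as in the PR's command list, and that the public key lives at the path shown in the PR (`KEY_PUB` is a hypothetical override variable). The `--insecure-ignore-tlog` and `--allow-insecure-registry` flags are copied from the PR because the lab uses a plain-HTTP localhost registry with `--tlog-upload=false`; against a real registry they should be dropped so transparency-log verification stays on. Nothing invokes cosign unless `LAB8_RUN=1` is set, so the reference checks can be exercised on their own.

```sh
#!/bin/sh
# Added example, not the PR's own code. Guard rails around the lab's cosign
# verify commands. Assumes: cosign on PATH, DIGEST/TAMPERED_DIGEST exported as
# in the PR, key under labs/lab8/keys/ (KEY_PUB is a hypothetical override).
# cosign is only invoked when LAB8_RUN=1 is set.

KEY_PUB="${KEY_PUB:-labs/lab8/keys/cosign.pub}"

# Return 0 only for an immutable reference of the form name@sha256:<64 hex>.
# Verifying a mutable tag is the classic mistake: the tag can be moved to a
# different (unsigned or differently signed) image after the fact.
is_digest_ref() {
    printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Print just the sha256:<hex> part of a digest reference (nothing for a tag).
digest_of() {
    printf '%s\n' "$1" | sed -n 's/^.*@\(sha256:[0-9a-f]\{64\}\)$/\1/p'
}

# Verify an image signature with the PR's flags. Returns 2 (without calling
# cosign) when handed a tag instead of a digest; otherwise cosign's status.
verify_image() {
    ref="$1"
    if ! is_digest_ref "$ref"; then
        echo "refusing to verify a mutable reference: $ref" >&2
        return 2
    fi
    cosign verify --key "$KEY_PUB" --insecure-ignore-tlog \
        --allow-insecure-registry "$ref" >/dev/null 2>&1
}

# Tamper demo from Task 1: succeed only when verification FAILS, i.e. when
# the registry holds no signature for the tampered digest.
expect_verify_failure() {
    if verify_image "$1"; then
        echo "unexpected: $1 verified against the key" >&2
        return 1
    fi
    return 0
}

# Bonus task: verify a blob against the bundle written by cosign sign-blob.
# The bundle is assumed to sit next to the blob as <blob>.bundle.
verify_blob() {
    cosign verify-blob --key "$KEY_PUB" --bundle "$1.bundle" "$1" >/dev/null 2>&1
}

main() {
    echo "checking $(digest_of "$DIGEST")"
    verify_image "$DIGEST" && echo "original digest: signature OK"
    expect_verify_failure "$TAMPERED_DIGEST" && echo "tampered digest: rejected as expected"
    verify_blob labs/lab8/results/my-tool.tar.gz && echo "blob: Verified OK"
}

if [ "${LAB8_RUN:-0}" = "1" ]; then
    main
fi
```

Run it from the repository root with `LAB8_RUN=1 DIGEST=... TAMPERED_DIGEST=... sh lab8-verify.sh` (file name is an assumption). Because `verify_image` rejects tags before cosign is ever called, a CI job wired to this script cannot accidentally "verify" whatever image a tag currently points at.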
