
feat(lab8): cosign sign + SBOM/provenance attestations + blob signing#1409

Open
ashuno wants to merge 1 commit into inno-devops-labs:main from ashuno:feature/lab8

Conversation


@ashuno ashuno commented Jul 3, 2026


Summary

Lab 8 — Supply Chain Security: Cosign keyed signing of a digest-pinned Juice Shop image in a local OCI registry, CycloneDX SBOM + SLSA provenance attestations, and blob signing (Codecov 2021 mitigation).

  • Task 1: Distribution v3 registry on localhost:5000; Juice Shop v20.0.0 pushed and digest captured (localhost:5000/juice-shop@sha256:8c76bce9...); Cosign keypair generated; image signed and verified; Alpine re-tag tamper demo fails (no signatures found); original digest still verifies.
  • Task 2: Lab 4 CycloneDX SBOM attached via cosign attest --type cyclonedx; component count matches source (3069, empty diff); minimal SLSA provenance v0.2 predicate attached and verified (builder.id, buildType).
  • Bonus: cosign sign-blob on my-tool.tar.gz; cosign verify-blob → Verified OK; tampered blob fails (invalid signature when validating ASN.1 encoded signature).
  • Standards (Lab 3): .pre-commit-config.yaml + .gitignore included; gitleaks blocks cosign.key on forced git add -f; only cosign.pub committed.

Checklist

  • Task 1 — Image signed + tamper demo (verify pass + tamper fail + sanity recheck)
  • Task 2 — SBOM + provenance attestations attached and verified
  • Bonus — Blob signed + verify-blob success + tamper failure
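The Task 2 provenance check and the re-tag tamper demo share one idea: an attestation is bound to the image digest, not to a tag, and a verifier should additionally pin `builder.id` and `buildType` from the SLSA v0.2 predicate. The script below is an added illustration of that policy layer, not code from this PR or from cosign; it assumes cosign has already verified the DSSE envelope signature, and the digest and builder URLs are constructed placeholders.

```python
import base64
import json

# Constructed placeholder for the digest-pinned image (not the lab's real digest).
PINNED_DIGEST = "sha256:" + "ab" * 32
IN_TOTO_TYPE = "application/vnd.in-toto+json"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"

def make_envelope(subject_digest, builder_id, build_type):
    """Build a constructed DSSE envelope shaped like what `cosign attest` stores:
    payload = base64(in-toto Statement) carrying a minimal SLSA v0.2 predicate."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "localhost:5000/juice-shop",
                     "digest": {"sha256": subject_digest.split(":", 1)[1]}}],
        "predicateType": SLSA_V02,
        "predicate": {"builder": {"id": builder_id}, "buildType": build_type},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    # Signature is a placeholder: this example runs after cosign's signature check.
    return {"payloadType": IN_TOTO_TYPE, "payload": payload,
            "signatures": [{"sig": "<verified-by-cosign>"}]}

def check_provenance(envelope, expected_digest, expected_builder, expected_build_type):
    """Policy check applied after signature verification: the statement must be
    about the pinned digest and name the expected builder and build type."""
    if envelope.get("payloadType") != IN_TOTO_TYPE:
        return False, "unexpected payloadType"
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != SLSA_V02:
        return False, "not a SLSA v0.2 provenance predicate"
    algo, want = expected_digest.split(":", 1)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get(algo) == want for s in subjects):
        return False, "subject digest does not match the pinned image digest"
    pred = statement.get("predicate", {})
    if pred.get("builder", {}).get("id") != expected_builder:
        return False, "builder.id mismatch"
    if pred.get("buildType") != expected_build_type:
        return False, "buildType mismatch"
    return True, "ok"

if __name__ == "__main__":
    builder, build_type = "https://example.invalid/lab8-builder", "https://example.invalid/lab8-build"
    env = make_envelope(PINNED_DIGEST, builder, build_type)
    print(check_provenance(env, PINNED_DIGEST, builder, build_type))
    # A re-tagged image (the Alpine demo) has a different digest, so nothing attests to it.
    print(check_provenance(env, "sha256:" + "cd" * 32, builder, build_type))
```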
