Skip to content

feat(lab8): cosign sign + SBOM/provenance attestations + blob signing#2

Open
karmihkr wants to merge 1 commit into
mainfrom
feature/lab8
Open

feat(lab8): cosign sign + SBOM/provenance attestations + blob signing#2
karmihkr wants to merge 1 commit into
mainfrom
feature/lab8

Conversation

@karmihkr

@karmihkr karmihkr commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Goal

Sign the Juice Shop image with Cosign, attach SBOM and provenance attestations, and sign a release blob to mitigate Codecov-2021-style tampering.

Changes

  • Local OCI registry + signed Juice Shop image
  • SBOM (CycloneDX) and SLSA provenance attestations attached to the image
  • Signed + verified release blob demo (bonus)

Testing

cosign sign --key cosign.key --allow-http-registry $DIGEST
cosign verify --key cosign.pub --insecure-ignore-tlog --allow-http-registry $DIGEST # PASSED
cosign verify (tampered digest) # FAILED as expected — no signatures found
cosign attest --type cyclonedx --predicate juice-shop.cdx.json ...
cosign verify-attestation --type cyclonedx ... # component count matches Lab 4 (1846)
cosign attest --type slsaprovenance --predicate predicate-only.json ...
cosign sign-blob / cosign verify-blob # Verified OK on original, failed on tampered

Full output and analysis in submissions/lab8.md.

Artifacts & Screenshots

  • submissions/lab8.md
  • labs/lab8/keys/cosign.pub

Checklist

  • Title is clear (feat(labN): style)
  • No secrets/large temp files committed
  • Submission file at submissions/lab8.md exists

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant