对harbor仓库镜像打cosign签名_harbor镜像签名

下载cosign命令工具

# binary
wget "https://github.com/sigstore/cosign/releases/download/v2.0.0/cosign-linux-amd64"
mv cosign-linux-amd64 /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
 
# rpm
wget "https://github.com/sigstore/cosign/releases/download/v2.0.0/cosign-2.0.0.x86_64.rpm"
rpm -ivh cosign-2.0.0.x86_64.rpm
 
# dkpg
wget "https://github.com/sigstore/cosign/releases/download/v2.0.0/cosign_2.0.0_amd64.deb"
dpkg -i cosign_2.0.0_amd64.deb

以centos系统为例，放到bin目录下后授予可执行权限便可

$ mv cosign-linux-amd64 /usr/local/bin/cosign
$ chmod +x /usr/local/bin/cosign
$ cosign version

生成密钥对
$ export COSIGN_PASSWORD=你的密码
$ cosign generate-key-pair
Private key written to cosign.key
Public key written to cosign.pub

签名,这边私钥加密，然后公钥解密

//以私钥cosign.key对Harbor镜像签名为例

$ COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign --allow-insecure-registry --key cosign.key cjmharbor.com/library/ssh:v1

查看仓库的镜像，确实已经打上cosign签名

验签
//公钥解密
//如果仓库要认证，需先登录

https://192.168.72.160或hosts文件对域名本地映射为https://cjmharbor.com
登录账号密码：admin/Harbor12345
//cosign login 仓库地址 -u 用户名 -p 密码
$ cosign login 192.168.72.160  -u admin -p Harbor12345

//以公钥cosign.pub对Harbor镜像验签为例
$COSIGN_DOCKER_MEDIA_TYPES=1 cosign verify --allow-insecure-registry --key cosign.pub cjmharbor.com/library/ssh:v1

注意：仓库镜像前面不要携带 "https:// " 或  "http:// "