Signing a container image lets its consumers detect tampering; it is one of the basic controls for protecting image integrity.
cosign is part of the sigstore project and is itself open source. It is used mainly to sign and verify OCI images, with the aim of making signing an invisible piece of infrastructure. cosign currently supports the following signing methods:
cosign can be installed in several ways depending on the OS. Taking Ubuntu 20.04 as an example, the following commands install cosign:
```shell
$ wget "https://github.com/sigstore/cosign/releases/download/v1.6.0/cosign_1.6.0_amd64.deb"

$ dpkg -i cosign_1.6.0_amd64.deb
Selecting previously unselected package cosign.
(Reading database ... 136644 files and directories currently installed.)
Preparing to unpack cosign_1.6.0_amd64.deb ...
Unpacking cosign (1.6.0) ...
Setting up cosign (1.6.0) ...

$ mv /usr/local/bin/cosign-linux-amd64 /usr/local/bin/cosign
```
Use the `version` command to check that the installation succeeded:
```shell
$ cosign version
  ____   ___   ____   ___   ____   _   _
 / ___| / _ \ / ___| |_ _| / ___| | \ | |
| |    | | | | \___ \  | | | |  _  |  \| |
| |___ | |_| |  ___) | | | | |_| | | |\  |
 \____| \___/ |____/ |___| \____| |_| \_|
cosign

GitVersion:    v1.6.0
GitCommit:     4b2c3c0c8ee97f31b9dac3859b40e0a48b8648ee
GitTreeState:  clean
BuildDate:     '2022-03-03T17:59:06Z'
GoVersion:     go1.17.7
Compiler:      gc
Platform:      linux/amd64
```
cosign has been installed successfully.
Signing a 极狐GitLab image with cosign takes roughly three steps:
First, generate a cosign keypair with the command below. The command prompts for a cosign password; if the password is supplied through the COSIGN_PASSWORD environment variable, no interactive input is needed:
```shell
$ export COSIGN_PASSWORD=cosign_password
$ cosign generate-key-pair
Private key written to cosign.key
Public key written to cosign.pub
```
The keypair is now in the current directory (note that the private key is created with mode 0600):
```shell
$ ls -ltr
total 8
-rw-r--r-- 1 root root 178 May 31 22:32 cosign.pub
-rw------- 1 root root 649 May 31 22:32 cosign.key
```
The contents of the two files:
```shell
$ cat cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqgrSWr79vqEYM/fLXYDwwFSnKwWJ
ffRvaaY5i4pl9JJvcMw2TDJB4jo5dXTeAAWeR3mp4wg28pXfsgl8JN3AZg==
-----END PUBLIC KEY-----

$ cat cosign.key
-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
OCwicCI6MX0sInNhbHQiOiJ3dmtocDZuVHlZUmZVYkQxWTgxZlA1YU81Y1B6bGp4
QWhSNTh6eUdTTTdVPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
Iiwibm9uY2UiOiJ1YUU5NmUrY2d5NHhZR1ZZU3FMek8zeGhieERyYlRKRCJ9LCJj
aXBoZXJ0ZXh0IjoiSzFYWGdVdGdQbTFzNEpPcExGc2VMcTY3aUMrUTRkUWhoR1ZU
R0ZYMG4wVVprczVDeXh4VElNRkpteDczMjlCVzBQZVBmU1NaZFBMaXRGR1V3b0RD
SXdTOW1yc3dyUnVEaWpybmhjYUQvNGQyaDQzOGIzS1o4Umx2TzFXMld5LzN4TWNR
NGlUUnBISSs2YnFkcE9LaWF6SWMwMHlLeVZBZlVrS1hJbXhqeWFoZ2ZBbnRrVUZ1
ZnI4TVpiWkdhM2xBRHo1WE9ubktpS2FlTlE9PSJ9
-----END ENCRYPTED COSIGN PRIVATE KEY-----
```
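What the cosign.key file above actually contains, as an added Python example (not from the original post and not cosign's own code) that parses the PEM block printed above: the body is base64 of a JSON envelope naming the KDF (scrypt with its cost parameters), the cipher (nacl/secretbox), a salt, a nonce and the ciphertext, so the protection of the file rests entirely on COSIGN_PASSWORD and the scrypt cost. No key material is recovered here; the example only reports how the key is wrapped.

```python
import base64
import json

PEM_HEADER = "-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----"
PEM_FOOTER = "-----END ENCRYPTED COSIGN PRIVATE KEY-----"

# The cosign.key printed above (password-protected; unusable without COSIGN_PASSWORD).
COSIGN_KEY_PEM = """-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
OCwicCI6MX0sInNhbHQiOiJ3dmtocDZuVHlZUmZVYkQxWTgxZlA1YU81Y1B6bGp4
QWhSNTh6eUdTTTdVPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
Iiwibm9uY2UiOiJ1YUU5NmUrY2d5NHhZR1ZZU3FMek8zeGhieERyYlRKRCJ9LCJj
aXBoZXJ0ZXh0IjoiSzFYWGdVdGdQbTFzNEpPcExGc2VMcTY3aUMrUTRkUWhoR1ZU
R0ZYMG4wVVprczVDeXh4VElNRkpteDczMjlCVzBQZVBmU1NaZFBMaXRGR1V3b0RD
SXdTOW1yc3dyUnVEaWpybmhjYUQvNGQyaDQzOGIzS1o4Umx2TzFXMld5LzN4TWNR
NGlUUnBISSs2YnFkcE9LaWF6SWMwMHlLeVZBZlVrS1hJbXhqeWFoZ2ZBbnRrVUZ1
ZnI4TVpiWkdhM2xBRHo1WE9ubktpS2FlTlE9PSJ9
-----END ENCRYPTED COSIGN PRIVATE KEY-----
"""


def parse_cosign_private_key(pem: str) -> dict:
    """Return the JSON envelope wrapped by the cosign PEM block."""
    lines = [line.strip() for line in pem.strip().splitlines() if line.strip()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not an encrypted cosign private key")
    envelope = json.loads(base64.b64decode("".join(lines[1:-1]), validate=True))
    missing = [f for f in ("kdf", "cipher", "ciphertext") if f not in envelope]
    if missing:
        raise ValueError(f"envelope is missing {missing}")
    return envelope


def describe_key_protection(pem: str) -> dict:
    """Summarise how the private key is wrapped: KDF, cost, cipher, field sizes."""
    env = parse_cosign_private_key(pem)
    params = env["kdf"].get("params", {})
    return {
        "kdf": env["kdf"]["name"],
        "scrypt_N": params.get("N"),
        "scrypt_r": params.get("r"),
        "scrypt_p": params.get("p"),
        "salt_bytes": len(base64.b64decode(env["kdf"]["salt"])),
        "cipher": env["cipher"]["name"],
        "nonce_bytes": len(base64.b64decode(env["cipher"]["nonce"])),
        # secretbox output is the plaintext plus a 16-byte Poly1305 tag
        "ciphertext_bytes": len(base64.b64decode(env["ciphertext"])),
    }
```

For this key the ciphertext is 154 bytes, i.e. a 138-byte PKCS#8 P-256 key plus the 16-byte tag; the 32-byte salt and 24-byte nonce are what cosign writes for scrypt and secretbox.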

Now a 极狐GitLab image can be signed. The previous article, "Building an image with Tekton and pushing it to a 极狐GitLab private registry", already built an image with Tekton and pushed it to the 极狐GitLab container registry as registry.jihulab.com/keyboard-man/tekton-image:v0.0.1. Sign that image with cosign:
```shell
$ cosign sign --key cosign.key registry.jihulab.com/keyboard-man/tekton-image:v0.0.1
Pushing signature to: registry.jihulab.com/keyboard-man/tekton-image
```
Looking at the registry again at this point, an extra signature artifact has appeared next to the image:
Then verify the signed image with cosign:
```shell
$ cosign verify --key cosign.pub registry.jihulab.com/keyboard-man/tekton-image:v0.0.1 | jq .

Verification for registry.jihulab.com/keyboard-man/tekton-image:v0.0.1 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
[
  {
    "critical": {
      "identity": {
        "docker-reference": "registry.jihulab.com/keyboard-man/tekton-image"
      },
      "image": {
        "docker-manifest-digest": "sha256:8abb07ae291032e90df63c7e35f8a30a2b1ae152c566984d55d4d0024f70490c"
      },
      "type": "cosign container image signature"
    },
    "optional": null
  }
]
```

The image passed signature verification.
If the code is modified, the image is rebuilt, and it is pushed under the same tag (v0.0.1), verification reports an error, because the signature covers the manifest digest, not the tag:
```shell
$ cosign verify --key cosign.pub registry.jihulab.com/keyboard-man/tekton-image:v0.0.1
Error: no matching signatures:

main.go:46: error during command execution: no matching signatures:
```
This is exactly why image signing matters: a tampered image cannot pass as the original.
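The exit status of `cosign verify` only says that some signature under the tag validated; the JSON payload says which repository and which manifest digest were actually signed. As an added Python example (not from the original post and not cosign's own code), the following parses the verify output shown above, requires every payload to name the expected repository, and returns a digest-pinned reference for deployment, so the retagging scenario just described cannot slip in between verification and deployment. The embedded output is the page's own, reproduced with compact JSON.

```python
import json

# Output of the `cosign verify` run shown above. cosign prints the human-readable
# header on stderr, so it precedes the JSON when both streams share a terminal
# and the parser has to skip it.
VERIFY_OUTPUT = """
Verification for registry.jihulab.com/keyboard-man/tekton-image:v0.0.1 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"registry.jihulab.com/keyboard-man/tekton-image"},
  "image":{"docker-manifest-digest":"sha256:8abb07ae291032e90df63c7e35f8a30a2b1ae152c566984d55d4d0024f70490c"},
  "type":"cosign container image signature"},"optional":null}]
"""


def extract_payloads(output: str) -> list:
    """Return the JSON list of signature payloads, skipping any leading header lines."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith("["):
            payloads, _ = json.JSONDecoder().raw_decode("\n".join(lines[i:]).lstrip())
            if isinstance(payloads, list) and payloads:
                return payloads
            break
    raise ValueError("no signature payloads in cosign output")


def verified_digest_reference(output: str, expected_repo: str) -> str:
    """Require every payload to name expected_repo and one digest; return repo@digest."""
    digests = set()
    for payload in extract_payloads(output):
        critical = payload["critical"]
        if critical.get("type") != "cosign container image signature":
            raise ValueError(f"unexpected payload type {critical.get('type')!r}")
        repo = critical["identity"]["docker-reference"]
        if repo != expected_repo:
            raise ValueError(f"signature covers {repo}, not {expected_repo}")
        digests.add(critical["image"]["docker-manifest-digest"])
    if len(digests) != 1:
        raise ValueError(f"signatures disagree on the digest: {sorted(digests)}")
    digest = digests.pop()
    if not digest.startswith("sha256:") or len(digest) != 71:
        raise ValueError(f"malformed digest {digest!r}")
    # Deploy this reference rather than the tag: a later push to the same tag
    # yields a different digest and cannot reuse this verification result.
    return f"{expected_repo}@{digest}"
```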
The signing flow above can easily be embedded in 极狐GitLab CI/CD; the cosign keypair and COSIGN_PASSWORD are stored as CI/CD variables:
The following configuration signs and verifies the image:
```yaml
stages:
  - signature
  - verification

image-signature:
  stage: signature
  tags:
    - cosign
  image:
    name: dllhb/cosign:1.0.0
    entrypoint: [""]
  before_script:
    - mkdir ~/.docker
    # registry credentials and the private key come from CI/CD file variables
    - cat "$DOCKER_CRED_FILE" > ~/.docker/config.json
    - cat "$COSIGN_KEY" > /tmp/cosign.key
    # COSIGN_PASSWORD is read by cosign from the environment; never echo it into the job log
    - export COSIGN_PASSWORD="$COSIGN_PASSWORD"
  script:
    - cosign sign --key /tmp/cosign.key $CI_REGISTRY_IMAGE:v0.0.2

image-verification:
  stage: verification
  tags:
    - cosign
  image:
    name: dllhb/cosign:1.0.0
    entrypoint: [""]
  before_script:
    # verification needs only the public key, no password
    - cat "$COSIGN_PUB" > /tmp/cosign.pub
    - cat /tmp/cosign.pub
  script:
    - cosign verify --key /tmp/cosign.pub $CI_REGISTRY_IMAGE:v0.0.2
```

If the image build and image scanning are integrated as well, the result is a two-layer protection scheme for container images: the image is scanned for known vulnerabilities before it is signed, and only a signed image passes verification. The configuration:
```yaml
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

stages:
  - build
  - scan
  - signature
  - verification

build:
  stage: build
  image:
    name: docker:20.10.7-dind
  tags:
    - cosign
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker build -t $CI_REGISTRY_IMAGE:v0.0.2 .
    - docker push $CI_REGISTRY_IMAGE:v0.0.2

container_scanning:
  stage: scan
  variables:
    DOCKER_IMAGE: $CI_REGISTRY_IMAGE:v0.0.2
  # a failed scan stops the pipeline before the image is signed
  allow_failure: false
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
    paths: [gl-container-scanning-report.json]

image-signature:
  stage: signature
  services:
    - docker:20.10.7-dind
  tags:
    - cosign
  image:
    name: dllhb/cosign:1.0.0
    entrypoint: [""]
  before_script:
    - mkdir ~/.docker
    # registry credentials and the private key come from CI/CD file variables
    - cat "$DOCKER_CRED_FILE" > ~/.docker/config.json
    - cat "$COSIGN_KEY" > /tmp/cosign.key
    # COSIGN_PASSWORD is read by cosign from the environment; never echo it into the job log
    - export COSIGN_PASSWORD="$COSIGN_PASSWORD"
  script:
    - cosign sign --key /tmp/cosign.key $CI_REGISTRY_IMAGE:v0.0.2

image-verification:
  stage: verification
  tags:
    - cosign
  image:
    name: dllhb/cosign:1.0.0
    entrypoint: [""]
  before_script:
    # verification needs only the public key, no password
    - cat "$COSIGN_PUB" > /tmp/cosign.pub
    - cat /tmp/cosign.pub
  script:
    - cosign verify --key /tmp/cosign.pub $CI_REGISTRY_IMAGE:v0.0.2
```

The pipeline result:
The flow above is the practical procedure for signing and verifying 极狐GitLab images with cosign.