# Cosign Verification Examples

This document provides examples for verifying StellaOps DSSE attestations using Sigstore cosign.

## Prerequisites

### Install Cosign

```bash
# macOS
brew install cosign

# Linux (download latest release)
curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o cosign
chmod +x cosign
sudo mv cosign /usr/local/bin/

# Windows (download from releases page)
# https://github.com/sigstore/cosign/releases

# Verify installation
cosign version
```

### Required Files

| File | Description |
|------|-------------|
| `attestation.json` | DSSE envelope exported from StellaOps |
| `public.key` | Public key for keyful verification |
| `trusted_root.json` | Sigstore TUF root for keyless verification |

The commands below abbreviate the image reference as `sha256:abc123...`; cosign expects a full OCI reference such as `registry.example.com/app@sha256:<digest>`.

## Export Attestation from StellaOps

```bash
# Export attestation for a specific artifact
stellaops attestation export \
  --artifact sha256:abc123... \
  --output attestation.json

# Export with certificate chain
stellaops attestation export \
  --artifact sha256:abc123... \
  --include-certificate-chain \
  --output attestation-bundle.json

# Export as Sigstore bundle
stellaops attestation export \
  --artifact sha256:abc123... \
  --format sigstore-bundle \
  --output attestation.sigstore.json
```

## Keyful Verification (KMS/HSM Keys)

### Verify with Public Key

```bash
# Basic verification
cosign verify-attestation \
  --key public.key \
  --type custom \
  sha256:abc123...

# Verify from exported attestation file
cosign verify-attestation \
  --key public.key \
  --type custom \
  --attestation attestation.json \
  sha256:abc123...
```

### Verify with KMS Key

```bash
# AWS KMS
cosign verify-attestation \
  --key awskms:///arn:aws:kms:us-east-1:123456789:key/abc-123 \
  --type custom \
  sha256:abc123...

# GCP KMS
cosign verify-attestation \
  --key gcpkms://projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key \
  --type custom \
  sha256:abc123...

# Azure Key Vault
cosign verify-attestation \
  --key azurekms://mykeyvault.vault.azure.net/keys/mykey \
  --type custom \
  sha256:abc123...

# HashiCorp Vault
cosign verify-attestation \
  --key hashivault://transit/keys/my-key \
  --type custom \
  sha256:abc123...
```

## Keyless Verification (Fulcio/OIDC)

### Verify with Certificate Identity

```bash
# Verify with issuer and subject
cosign verify-attestation \
  --certificate-identity "signer@example.com" \
  --certificate-oidc-issuer "https://accounts.google.com" \
  --type custom \
  sha256:abc123...

# Verify with identity regex
cosign verify-attestation \
  --certificate-identity-regexp ".*@stellaops\.io" \
  --certificate-oidc-issuer "https://github.com/login/oauth" \
  --type custom \
  sha256:abc123...
```

### Verify GitHub Actions Workload Identity

```bash
cosign verify-attestation \
  --certificate-identity "https://github.com/org/repo/.github/workflows/build.yml@refs/heads/main" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --type custom \
  sha256:abc123...
```

## Verify Specific Predicate Types

### StellaOps Attestation Types

```bash
# Verify SBOM attestation
cosign verify-attestation \
  --key public.key \
  --type "https://spdx.dev/Document" \
  sha256:abc123...

# Verify SLSA Provenance
cosign verify-attestation \
  --key public.key \
  --type "https://slsa.dev/provenance/v1" \
  sha256:abc123...

# Verify StellaOps scan results
cosign verify-attestation \
  --key public.key \
  --type "https://stella-ops.org/attestation/scan-results/v1" \
  sha256:abc123...

# Verify StellaOps policy evaluation
cosign verify-attestation \
  --key public.key \
  --type "https://stella-ops.org/attestation/policy-evaluation/v1" \
  sha256:abc123...

# Verify graph root attestation
cosign verify-attestation \
  --key public.key \
  --type "https://stella-ops.org/attestation/graph-root/v1" \
  sha256:abc123...
```

## Offline Verification

### Verify with Cached Bundle

```bash
# Verify using a Sigstore bundle (includes certificate and Rekor entry)
cosign verify-attestation \
  --bundle attestation.sigstore.json \
  --certificate-identity "signer@example.com" \
  --certificate-oidc-issuer "https://accounts.google.com" \
  sha256:abc123...
```

### Verify with Local TUF Root

```bash
# Initialize TUF root (run once)
cosign initialize --mirror https://tuf-repo.sigstore.dev --root root.json

# Verify using local TUF data
SIGSTORE_ROOT_FILE=trusted_root.json \
cosign verify-attestation \
  --certificate-identity "signer@example.com" \
  --certificate-oidc-issuer "https://accounts.google.com" \
  sha256:abc123...
```

### Air-Gapped Verification

```bash
# 1. On connected machine: download required artifacts
cosign download attestation sha256:abc123... > attestation.json
cosign download signature sha256:abc123... > signature.sig

# 2. Transfer files to air-gapped environment

# 3. On air-gapped machine: verify with public key
cosign verify-attestation \
  --key public.key \
  --offline \
  --type custom \
  --attestation attestation.json \
  sha256:abc123...
```

## Verify with Policy

### CUE Policy

```cue
// policy.cue
package attestation

predicateType: "https://stella-ops.org/attestation/scan-results/v1"
predicate: {
	severity: *"low" | "medium" | "high" | "critical"
	vulnerabilities: [...{
		id:       =~"^CVE-"
		severity: !="critical"
	}]
}
```

```bash
cosign verify-attestation \
  --key public.key \
  --type custom \
  --policy policy.cue \
  sha256:abc123...
```

### Rego Policy

```rego
# policy.rego
package attestation

default allow = false

allow {
    input.predicateType == "https://stella-ops.org/attestation/policy-evaluation/v1"
    input.predicate.verdict == "PASS"
    input.predicate.score >= 7.0
}
```

```bash
cosign verify-attestation \
  --key public.key \
  --type custom \
  --policy policy.rego \
  sha256:abc123...
```

## Multi-Signature Verification

```bash
# Verify that multiple signatures are present
cosign verify-attestation \
  --key builder.pub \
  --type custom \
  sha256:abc123... && \
cosign verify-attestation \
  --key witness.pub \
  --type custom \
  sha256:abc123...
```

## Output Formats

### JSON Output

```bash
cosign verify-attestation \
  --key public.key \
  --type custom \
  --output-file verification-result.json \
  sha256:abc123...
```

### Text Output with Details

```bash
cosign verify-attestation \
  --key public.key \
  --type custom \
  -v \
  sha256:abc123...
```

## Troubleshooting

### Common Errors

| Error | Cause | Solution |
|-------|-------|----------|
| `no matching attestation found` | No attestation attached to image | Verify attestation was uploaded |
| `key verification failed` | Wrong key or corrupted signature | Check key matches signer |
| `certificate expired` | Signing certificate past validity | Use Rekor timestamp verification |
| `OIDC issuer mismatch` | Wrong issuer in verify command | Check certificate's issuer field |
| `predicate type mismatch` | Wrong --type argument | Use correct predicate URI |

### Debug Commands

```bash
# List all attestations on an image
cosign tree sha256:abc123...

# Download and inspect attestation
cosign download attestation sha256:abc123... | jq .

# Verify with verbose output
cosign verify-attestation \
  --key public.key \
  --type custom \
  -v \
  sha256:abc123... 2>&1 | tee verify.log

# Decode the DSSE payload and show the in-toto statement subject
cosign download attestation sha256:abc123... | \
  jq -r '.payload' | base64 -d | jq -r '.subject'
```

### Verify Certificate Details

```bash
# Extract and inspect the signing certificate
cosign download attestation sha256:abc123... | \
  jq -r '.signatures[0].cert' | base64 -d | \
  openssl x509 -noout -text
```

## Integration with CI/CD

### GitHub Actions

```yaml
- name: Install cosign
  uses: sigstore/cosign-installer@main  # pin to a release tag in production

- name: Verify StellaOps attestation
  run: |
    cosign verify-attestation \
      --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/build.yml@${{ github.ref }}" \
      --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
      --type "https://stella-ops.org/attestation/scan-results/v1" \
      ${{ env.IMAGE_DIGEST }}
```

### GitLab CI

```yaml
verify-attestation:
  image: bitnami/cosign:latest
  script:
    - cosign verify-attestation
      --certificate-identity "https://gitlab.com/${CI_PROJECT_PATH}/.gitlab-ci.yml@${CI_COMMIT_REF_NAME}"
      --certificate-oidc-issuer "https://gitlab.com"
      --type "https://stella-ops.org/attestation/scan-results/v1"
      ${IMAGE_DIGEST}
```

## Related Documentation

- [DSSE Round-Trip Verification](./dsse-roundtrip-verification.md)
- [Transparency Log Integration](./transparency.md)
- [Air-Gap Operation](./airgap.md)
- [Sigstore Documentation](https://docs.sigstore.dev)