Sign an existing container image

  1. Log in to your container registry with podman login. This is necessary because cosign pushes the signature into the same repository as the image, so it needs push credentials for that repository. If cosign does not find the credentials podman stored, run cosign login for the registry so they are written where cosign looks.

  2. Install cosign. The URL below resolves to the newest release; for a reproducible setup pin a specific release tag instead of latest.

    mkdir -p cosign
    cd cosign
    
    curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
    
    mv cosign-linux-amd64 cosign
    chmod +x cosign
  3. Create a cosign keypair. This writes cosign.key (the private key, encrypted with the password you are prompted for) and cosign.pub into the current directory. The password can also be supplied through the COSIGN_PASSWORD environment variable, which later sign commands read as well.

    ./cosign generate-key-pair
  4. Pull an existing image, or build one yourself. Here we pull one:

    podman pull quay.io/confidential-devhub/signed-hello-openshift
  5. Make a copy in a repository you can push to (optional only if you already have push access to the source repository). cosign stores the signature in the image's own repository, so without write access to quay.io/confidential-devhub/signed-hello-openshift, as in this example, you cannot attach a signature there. Push the image to your own repository and sign it there; the remaining steps assume YOUR_REPO points at that copy.

    YOUR_REPO=write/your/repo:here
    
    podman tag quay.io/confidential-devhub/signed-hello-openshift $YOUR_REPO
    
    podman push $YOUR_REPO
  6. Delete any existing signatures, if there are any. cosign clean removes the signatures (and any attestations or SBOMs) attached to the image in that repository, which is what you want before re-signing with your own key, but it is destructive for anyone else who verifies images from that repository.

    ./cosign clean $YOUR_REPO
  7. Sign the image in your repository. cosign prompts for the private key password (or reads COSIGN_PASSWORD). If the reference uses a tag, cosign resolves it to a digest and warns, because a tag can later be moved to a different image; signing the digest directly avoids that ambiguity. cosign v2 also records the signature in the Rekor transparency log by default and asks for confirmation first; pass --yes to skip the prompt, or --tlog-upload=false to keep the signature off the public log.

    ./cosign sign --key cosign.key $YOUR_REPO
  8. Verify the signature is there. On success cosign prints the signature payload as JSON (including the digest it covers) and exits 0; a missing signature, or one made with a different key, gives a non-zero exit status.

    ./cosign verify --key cosign.pub $YOUR_REPO
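Steps 5 to 8 as one script, added here as an example; it is not code from the original page, cosign or podman. It differs from the steps above in one respect: it signs and verifies the digest that podman reports after the push, not the mutable tag, and it shows where cosign stores the resulting signature. Assumed: YOUR_REPO is exported and points at a repository you can push to, cosign.key and cosign.pub are in the current directory, and the binary is ./cosign (override with COSIGN).

```shell
#!/bin/sh
# Added example (not part of the original page or of cosign/podman): the
# push, clean, sign and verify steps as one script, signing by digest.
# Assumed inputs: YOUR_REPO (a reference you can push to), cosign.key and
# cosign.pub from `cosign generate-key-pair`, and the binary at ./cosign.
set -eu

COSIGN=${COSIGN:-./cosign}   # path to the cosign binary (assumption)

# Strip a trailing :tag from a reference while leaving registry:port intact.
# Only the last path component can carry a tag, so split on the last "/".
strip_tag() {
  case $1 in
    */*) prefix=${1%/*}/; last=${1##*/} ;;
    *)   prefix=;         last=$1 ;;
  esac
  printf '%s%s\n' "$prefix" "${last%%:*}"
}

# True if the reference is pinned to a sha256 digest.
is_digest_ref() {
  printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# The tag cosign uses to store the signature for a digest-pinned reference:
# <repo>:sha256-<hex>.sig in the same repository (what `cosign triangulate`
# prints). Handy for checking where the signature landed in the registry.
sig_ref() {
  ref=$1
  digest=${ref##*@}                 # sha256:<hex>
  repo=$(strip_tag "${ref%%@*}")    # repository without tag or digest
  printf '%s:%s-%s.sig\n' "$repo" "${digest%%:*}" "${digest#*:}"
}

# Push the copy and capture the digest the registry actually stored.
# podman may recompress layers on push, so the pushed digest can differ
# from the digest of the image you pulled; --digestfile records the real one.
push_and_resolve() {
  tmp=$(mktemp)
  podman push --digestfile "$tmp" "$1" >&2
  digest=$(cat "$tmp")
  rm -f "$tmp"
  printf '%s@%s\n' "$(strip_tag "$1")" "$digest"
}

# Clean, sign and verify the digest-pinned reference. --force skips the
# clean confirmation prompt and --yes the Rekor consent prompt; the key
# password is read from COSIGN_PASSWORD if set.
sign_and_verify() {
  ref=$(push_and_resolve "$1")
  is_digest_ref "$ref" || { echo "could not resolve a digest for $1" >&2; return 1; }
  "$COSIGN" clean --force "$ref" >&2
  "$COSIGN" sign --key cosign.key --yes "$ref"
  "$COSIGN" verify --key cosign.pub "$ref"
  echo "signature stored at $(sig_ref "$ref")" >&2
}

# Only act when a target repository is supplied, so the file can be
# sourced for its helpers without side effects.
if [ -n "${YOUR_REPO:-}" ]; then
  sign_and_verify "$YOUR_REPO"
fi
```

Run it after step 5's podman tag as YOUR_REPO=write/your/repo:here sh sign.sh. Verifying the digest rather than the tag matters because the signature covers the manifest digest: if someone later re-points the tag at a different image, verify on the tag fails, while verify on the digest keeps matching exactly the bytes that were signed.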