Sign an existing container image

  1. Log in to the registry with podman login <REGISTRY>. This is necessary because cosign pushes the signature into the image's repository and reuses the credentials podman stored (cosign falls back to $XDG_RUNTIME_DIR/containers/auth.json when there is no ~/.docker/config.json).

  2. Install cosign. Before running the downloaded binary, check it against the checksums and signatures published on the release page; an unverified signing tool undermines everything you sign with it.

    mkdir -p cosign
    cd cosign

    curl -O -L "https://github.com/sigstore/cosign/releases/download/v2.6.2/cosign-linux-amd64"

    mv cosign-linux-amd64 cosign
    chmod +x cosign
  3. Create a cosign keypair. This writes cosign.key (the private key, encrypted with the password you are prompted for) and cosign.pub to the current directory. Keep cosign.key out of the repository and out of shell history; for unattended runs cosign reads the password from the COSIGN_PASSWORD environment variable.

    ./cosign generate-key-pair
  4. Pull an existing image or build it yourself. Here we pull it:

    SOURCE_IMAGE=<YOUR_IMAGE_HERE>
    podman pull "$SOURCE_IMAGE"
  5. Optional: If you don't have push access to the source image's repository, copy the image into your own repository by tagging and pushing it. Cosign stores the signature in the same repository as the image (as a separate tag derived from the image digest), so without push access to that repository you cannot publish the signature. Skip this step if you can already push to the source repository.

    DEST_IMAGE=<YOUR_IMAGE_HERE>

    podman tag "$SOURCE_IMAGE" "$DEST_IMAGE"

    podman push "$DEST_IMAGE"
  6. Delete existing signatures, if there are any. By default cosign clean removes every signature, attestation and SBOM attached to the image, not only stale signatures, so run it only against a repository you own and when you intend to replace them.

    ./cosign clean "$DEST_IMAGE"
  7. Sign the new image. Cosign resolves the tag to its digest and signs the digest; prefer passing a digest reference (repo@sha256:...) rather than a mutable tag so the signature is bound to the exact manifest you pushed. With --key, cosign v2 also uploads the signature to the public Rekor transparency log by default and asks for confirmation; pass -y to skip the prompt, or --tlog-upload=false to keep the signature out of the public log (verification then needs --insecure-ignore-tlog).

    ./cosign sign --key cosign.key "$DEST_IMAGE"
  8. Verify the signature. Cosign prints the verified signature payloads as JSON; confirm that critical.image.docker-manifest-digest matches the digest you signed, and that the command exits non-zero for an image that has no valid signature under cosign.pub.

    ./cosign verify --key cosign.pub "$DEST_IMAGE"
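The steps above as one script, added here as an example and not taken from the page or from the cosign project. It binds the signature to the digest that podman push actually stored (recorded with podman push --digestfile) instead of a mutable tag, and it checks that the payload cosign verify returns names that same digest. It assumes the cosign binary from step 2 at ./cosign (override with COSIGN=...), cosign.key and cosign.pub from step 3 in the current directory, and a completed podman login for the destination registry. The sample verify output embedded in the script is constructed, not captured from a real run, so the parsing helpers can be exercised without a registry.

```shell
#!/bin/sh
# Added example: sign by digest and cross-check the verification payload.
# Assumes ./cosign (or $COSIGN), cosign.key/cosign.pub in the working
# directory, and that "podman login" has been run for the destination.
set -eu

COSIGN=${COSIGN:-./cosign}

# Return the digest reference repo@sha256:... for an image reference that
# may carry a tag (repo:tag), a registry port (host:5000/repo:tag) or an
# existing @digest. The tag is only ever on the final path component.
digest_ref() {
  repo=$1
  digest=$2
  case "$repo" in *@*) repo=${repo%@*} ;; esac
  case "${repo##*/}" in *:*) repo=${repo%:*} ;; esac
  printf '%s@%s\n' "$repo" "$digest"
}

# Accept only a well-formed sha256 digest (the format podman push --digestfile writes).
valid_digest() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Extract critical.image.docker-manifest-digest from the JSON that
# "cosign verify" prints; prints nothing when the field is absent.
verified_digest() {
  printf '%s' "$1" | sed -n 's/.*"docker-manifest-digest" *: *"\(sha256:[0-9a-f]*\)".*/\1/p' | head -n 1
}

# Constructed sample of cosign verify output (not captured from a real run),
# shaped like the array cosign prints for a --key verification.
SAMPLE_DIGEST=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_VERIFY_OUTPUT='[{"critical":{"identity":{"docker-reference":"localhost:5000/org/app"},"image":{"docker-manifest-digest":"'"$SAMPLE_DIGEST"'"},"type":"cosign container image signature"},"optional":null}]'

# Steps 4 to 8 of the procedure, with the signature bound to the pushed digest.
sign_and_verify() {
  src=$1
  dest=$2
  podman pull "$src"
  podman tag "$src" "$dest"
  # --digestfile records the manifest digest the registry stored, which can
  # differ from the local image digest because layers may be recompressed.
  podman push --digestfile pushed.digest "$dest"
  digest=$(cat pushed.digest)
  valid_digest "$digest" || { echo "unexpected digest: $digest" >&2; return 1; }
  ref=$(digest_ref "$dest" "$digest")

  # -y skips the transparency-log confirmation; COSIGN_PASSWORD unlocks cosign.key.
  "$COSIGN" sign --key cosign.key -y "$ref"
  out=$("$COSIGN" verify --key cosign.pub "$ref")
  got=$(verified_digest "$out")
  [ "$got" = "$digest" ] || { echo "verified payload names '$got', expected $digest" >&2; return 1; }
  echo "signed and verified $ref"
}

# The registry-touching procedure runs only when explicitly requested, e.g.
#   COSIGN_DEMO_RUN=1 sh sign-image.sh <SOURCE_IMAGE> <DEST_IMAGE>
if [ "${COSIGN_DEMO_RUN:-0}" = 1 ]; then
  sign_and_verify "$1" "$2"
fi
```

Signing the digest reference also silences the warning cosign v2 emits when asked to sign a tag, and it means a later retag of DEST_IMAGE to a different manifest does not make the old signature appear to cover new content: cosign verify on the retagged image fails because the stored signature is keyed to the original digest.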