Skip to main content

Signature

Signing Docker images using tools such as "cosign" is an essential practice to ensure the integrity and authenticity of images used in development, test and production environments. By signing a Docker image, an additional layer of security is added that allows SecDevOps teams to verify that the image has not been tampered with since its creation and that it comes from a trusted source.

Features​

  1. Integrity and authenticity: The Docker image signature allows you to verify that an image has not been modified and that it comes from the expected source. This helps prevent the execution of compromised or maliciously modified images.

  2. Verification of trusted source: With "cosign", cryptographic signature keys can be used to verify that the image comes from a trusted source and has not been tampered with during distribution.

  3. Protection against attacks and vulnerabilities: By verifying the signature of an image before deployment, the risk of deploying images with known vulnerabilities or malware is reduced.

  4. Compliance and auditing: Docker image signing is a best practice to comply with regulations and security standards, as it provides a control and audit trail of the images used in the development cycle.

  5. Integration into CI/CD pipelines: cosign and other image signing tools can be easily integrated into CI/CD pipelines to automate image signing and verification during the build and deployment process.

  6. Container registry support: These tools support multiple container registries, allowing you to sign and verify images in environments such as Docker Hub, Google Container Registry, and others.

Integration with Gitlab​

To be able to sign the containers in the CI/CD the first thing to do is to create a pair of rsa keys for signing, you have to leave the keys blank, since there is no way to enter the keys.

$ cosign generate-key-pair
Enter password for private key:
Enter again:
Private key written to cosign.key
Public key written to cosign.pub
.gitlab-ci.yml
docker_sign:
  stage: sign_image
  dependencies: ["docker_push"]
  variables:
    GIT_STRATEGY: none
    DOCKER_HOST: tcp://docker:2375
    DOCKER_TLS_CERTDIR: ""
  image: docker:24.0.7
  services:
    - docker:24.0.7-dind
  before_script:
    - apk add --update cosign curl bash
    - curl -s https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer | bash
  script:
    - echo "$DOCKER_REGISTRY_PASS" | docker login -u "$DOCKER_REGISTRY_USER" --password-stdin $DOCKER_REGISTRY_URL
    - cosign sign --key .secure_files/cosign.key -y $DOCKER_REGISTRY_URL/osdo/osdo-app@${DIGEST}