
feat(lab8): cosign sign + SBOM/provenance attestations + blob signing#1313

Open
JoraXD wants to merge 7 commits into inno-devops-labs:main from JoraXD:feature/lab8

Conversation

@JoraXD JoraXD commented Jul 2, 2026


Goal

Complete Lab 8 supply-chain security work with Cosign image signing, tamper verification, SBOM/provenance attestations, and blob signing.

Changes

  • Added submissions/lab8.md with Cosign signing evidence, verification outputs, tamper demo, SBOM/provenance attestation proof, and blob signing proof
  • Added labs/lab8/keys/cosign.pub as the public verification key
  • Kept private key and generated scan/signing outputs out of git via .gitignore

Testing

  • Started local registry on 127.0.0.1:5000
  • Pushed Juice Shop image to local registry
  • Signed image digest with Cosign:
    • 127.0.0.1:5000/juice-shop@sha256:cbdfc00de875926f20ff603fac73c5b68577e37680cf2e0c324adda42ffc1113
  • Verified original image signature successfully
  • Pushed tampered Alpine image under a similar Juice Shop tag
  • Verified tampered digest fails correctly:
    • Error: no signatures found
  • Verified original digest still succeeds after tamper demo
  • Attached and verified CycloneDX SBOM attestation
    • Component count matched: 3068
  • Attached and verified SLSA provenance attestation
    • Builder ID: https://localhost/lab8-student
    • buildType: https://example.com/lab8/local-build
  • Signed and verified release blob:
    • Verified OK
  • Verified tampered blob fails correctly:
    • invalid signature
  • Ran pre-commit on PR files:
    • pre-commit run --files submissions/lab8.md labs/lab8/keys/cosign.pub
    • Passed
  • Ran whitespace validation:
    • git diff --check -- submissions/lab8.md labs/lab8/keys/cosign.pub
    • Passed
  • Ran secret-pattern scan on PR files
    • No matches

Artifacts & Screenshots

  • submissions/lab8.md
  • labs/lab8/keys/cosign.pub

  • Title is clear (feat(labN): <topic> style)
  • No secrets/large temp files committed
  • Submission file at submissions/labN.md exists
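The testing section above runs the whole flow through the cosign CLI. The following added example (written for this page, not code from the PR or the lab repository) shows what those commands do underneath, so the outcomes listed above are predictable rather than magic: why the tampered Alpine push yields "no signatures found" (cosign looks signatures up by digest under a `sha256-<hex>.sig` tag, so a look-alike tag has nothing stored for its digest), why the tampered blob yields "invalid signature" (the ECDSA P-256 signature is over the SHA-256 of the bytes that were actually received), and what the SLSA provenance attestation carrying the PR's builder ID and buildType looks like as an in-toto statement. Assumptions: an ephemeral ECDSA P-256 key is generated in-process instead of loading the lab's cosign.key/cosign.pub, the sample blob contents are constructed, and the provenance predicate is kept to the two fields the PR reports.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Digest-pinned reference of the Juice Shop image, as quoted in the PR.
const ImageRef = "127.0.0.1:5000/juice-shop@sha256:cbdfc00de875926f20ff603fac73c5b68577e37680cf2e0c324adda42ffc1113"

// SigTagFor returns the tag under which cosign stores the signature for a
// digest-pinned image reference: sha256-<hex>.sig in the same repository.
// Lookups are keyed by digest, which is why pushing a different image under a
// look-alike tag produces "no signatures found" instead of a forged match.
func SigTagFor(ref string) (string, error) {
	_, digest, ok := strings.Cut(ref, "@sha256:")
	if !ok || len(digest) != 64 {
		return "", fmt.Errorf("reference %q is not pinned to a sha256 digest", ref)
	}
	return "sha256-" + digest + ".sig", nil
}

// SignBlob does what `cosign sign-blob` does with its default ECDSA P-256 key:
// SHA-256 the bytes, sign the digest, emit the ASN.1 DER signature base64-encoded.
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	h := sha256.Sum256(blob)
	der, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// VerifyBlob mirrors `cosign verify-blob`: decode the signature, re-hash the blob
// that was actually received, and check. One changed byte changes the digest,
// so the signature no longer verifies.
func VerifyBlob(pub *ecdsa.PublicKey, blob []byte, sigB64 string) bool {
	der, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	h := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(pub, h[:], der)
}

// ProvenanceStatement builds the in-toto Statement wrapping a SLSA v0.2
// provenance predicate, bound to the image digest as its subject. Builder id and
// buildType are the values the PR reports; the predicate is deliberately minimal
// (assumption: only those two fields are populated).
func ProvenanceStatement(ref string) ([]byte, error) {
	name, digest, ok := strings.Cut(ref, "@sha256:")
	if !ok {
		return nil, fmt.Errorf("reference %q is not pinned to a sha256 digest", ref)
	}
	stmt := map[string]any{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"predicateType": "https://slsa.dev/provenance/v0.2",
		"subject": []map[string]any{{
			"name":   name,
			"digest": map[string]string{"sha256": digest},
		}},
		"predicate": map[string]any{
			"builder":   map[string]string{"id": "https://localhost/lab8-student"},
			"buildType": "https://example.com/lab8/local-build",
		},
	}
	return json.Marshal(stmt)
}

func main() {
	// Ephemeral key standing in for the lab's cosign.key / cosign.pub pair.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	release := []byte("juice-shop release v1 (constructed sample blob)\n")
	sig, _ := SignBlob(priv, release)
	fmt.Println("original blob verifies:", VerifyBlob(&priv.PublicKey, release, sig))
	tampered := []byte("juice-shop release v2 (constructed sample blob)\n")
	fmt.Println("tampered blob verifies:", VerifyBlob(&priv.PublicKey, tampered, sig))
	tag, _ := SigTagFor(ImageRef)
	fmt.Println("signature stored at tag:", tag)
	stmt, _ := ProvenanceStatement(ImageRef)
	fmt.Println(string(stmt))
}
```

The practical takeaway for the verification steps above: always verify against the digest-pinned reference, as the PR does, since a tag can be re-pointed at a different image while the signature stays attached to the original digest, and keep the public key (cosign.pub) as the only thing committed, as the `.gitignore` change enforces.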
