feat(lab8): cosign sign + SBOM/provenance attestations + blob signing#1322

Open · Slash228 wants to merge 1 commit into inno-devops-labs:main from Slash228:feature/lab8

Conversation

Slash228 commented Jul 2, 2026

Task 1 — Sign + Tamper (6 pts)

  • registry:3 on 127.0.0.1:5001, Juice Shop pushed, digest captured
  • cosign sign (keyed, --tlog-upload=false) + verify PASS on digest
  • tamper: alpine re-tagged as juice-shop → verify FAILS ("no signatures found")
  • original digest still verifies (digest-binding, not tag)

Task 2 — Attestations (4 pts)

  • CycloneDX SBOM (Lab 4) attached via cosign attest; verify-attestation PASS
  • extracted predicate == Lab 4 SBOM (component diff empty)
  • SLSA provenance predicate attached + verified

Bonus — Blob signing (2 pts)

  • cosign sign-blob + bundle; verify-blob "Verified OK"
  • tampered blob → "invalid signature" (Codecov 2021 mitigation)

Private key labs/lab8/keys/cosign.key is gitignored (not committed).
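The workflow the PR description lists (keyed `cosign sign` on the digest, re-tag tamper check, SBOM and provenance attestations with predicate extraction, and blob signing with a bundle), as an added shell example that is not code from this PR or from the inno-devops-labs repository. It assumes cosign v2, docker, jq and a `registry:3` on 127.0.0.1:5001; the key pair path follows the private-key path the PR names, while the SBOM and provenance predicate paths, the `/tmp` scratch files and the `run` argument guard are assumptions of this example. Because signing used `--tlog-upload=false`, every verify step passes `--insecure-ignore-tlog` so cosign does not look for a Rekor entry.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or the inno-devops-labs repository.
# Assumed tooling: cosign v2, docker, jq, a local registry:3 on 127.0.0.1:5001.
# Key pair path mirrors the private-key path the PR names; SBOM/provenance paths are placeholders.
set -eu

REGISTRY="${REGISTRY:-127.0.0.1:5001}"
IMAGE="${IMAGE:-$REGISTRY/juice-shop}"
KEY="${KEY:-labs/lab8/keys/cosign.key}"
PUB="${PUB:-labs/lab8/keys/cosign.pub}"
SBOM="${SBOM:-labs/lab4/sbom.cdx.json}"                # assumed path to the Lab 4 CycloneDX SBOM
PROVENANCE="${PROVENANCE:-labs/lab8/provenance.json}"  # assumed path to the SLSA provenance predicate
# Signatures were made with --tlog-upload=false, so verification must opt out of Rekor lookups.
VERIFY_FLAGS="--key $PUB --insecure-ignore-tlog"       # expanded unquoted on purpose (no spaces in PUB)

# 0 if REF is pinned by content digest (name@sha256:<64 hex>), 1 for a mutable tag or malformed digest.
is_digest_ref() {
  case "$1" in
    *@sha256:*) printf '%s' "${1##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$' ;;
    *) return 1 ;;
  esac
}

# Resolve a pushed tag to its immutable registry digest reference.
digest_of() {
  docker inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Decode the DSSE envelope from verify-attestation and return only the in-toto predicate.
predicate_of() {  # $1 = predicate type, $2 = digest reference
  cosign verify-attestation $VERIFY_FLAGS --type "$1" "$2" 2>/dev/null \
    | jq -r '.payload' | base64 -d | jq '.predicate'
}

main() {
  # Task 1: sign the digest, not the tag, then show that a re-tag does not inherit the signature.
  docker push "$IMAGE:latest" >/dev/null
  DIGEST_REF=$(digest_of "$IMAGE:latest")
  is_digest_ref "$DIGEST_REF" || { echo "not a digest reference: $DIGEST_REF" >&2; exit 1; }
  cosign sign --key "$KEY" --tlog-upload=false --yes "$DIGEST_REF"
  cosign verify $VERIFY_FLAGS "$DIGEST_REF" >/dev/null && echo "PASS: $DIGEST_REF"

  docker pull alpine:3 >/dev/null
  docker tag alpine:3 "$IMAGE:latest"
  docker push "$IMAGE:latest" >/dev/null             # the tag now points at unsigned content
  if cosign verify $VERIFY_FLAGS "$IMAGE:latest" >/dev/null 2>&1; then
    echo "UNEXPECTED: tampered tag verified" >&2; exit 1
  fi
  echo "FAIL (expected): $IMAGE:latest carries no signature"
  cosign verify $VERIFY_FLAGS "$DIGEST_REF" >/dev/null && echo "PASS: original digest still verifies"

  # Task 2: attach SBOM and provenance as attestations, then diff the extracted SBOM components.
  cosign attest --key "$KEY" --tlog-upload=false --yes --type cyclonedx --predicate "$SBOM" "$DIGEST_REF"
  cosign attest --key "$KEY" --tlog-upload=false --yes --type slsaprovenance --predicate "$PROVENANCE" "$DIGEST_REF"
  predicate_of cyclonedx "$DIGEST_REF" | jq -S '.components' > /tmp/extracted-components.json
  jq -S '.components' "$SBOM" > /tmp/original-components.json
  diff /tmp/original-components.json /tmp/extracted-components.json && echo "PASS: component diff empty"
  predicate_of slsaprovenance "$DIGEST_REF" >/dev/null && echo "PASS: provenance attestation verified"

  # Bonus: detached blob signature with a bundle; one appended byte must break verification.
  printf 'build artifact\n' > /tmp/artifact.txt
  cosign sign-blob --key "$KEY" --tlog-upload=false --yes --bundle /tmp/artifact.bundle /tmp/artifact.txt
  cosign verify-blob $VERIFY_FLAGS --bundle /tmp/artifact.bundle /tmp/artifact.txt   # prints Verified OK
  printf 'x' >> /tmp/artifact.txt
  if cosign verify-blob $VERIFY_FLAGS --bundle /tmp/artifact.bundle /tmp/artifact.txt >/dev/null 2>&1; then
    echo "UNEXPECTED: tampered blob verified" >&2; exit 1
  fi
  echo "FAIL (expected): tampered blob rejected"
}

# The full flow only runs when invoked as `sh lab8_cosign.sh run`, so the helpers can be sourced alone.
if [ "${1:-}" = run ]; then main; fi
```

The `is_digest_ref` guard is the point of the tamper step: a signature is bound to the manifest digest, so re-pointing a tag at different content leaves the tag unsigned while the original digest reference keeps verifying.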
