Feature/lab8#1328
Open
Lisoon22 wants to merge 7 commits into
Feature/lab1
Goal
Complete Lab 8 by signing an immutable Juice Shop image digest with Cosign, demonstrating that a substituted image cannot be verified, attaching SBOM and provenance attestations, and implementing signed release-blob verification.
Changes
Added the public Cosign verification key: labs/lab8/keys/cosign.pub
Started a local OCI Distribution registry on localhost:5000.
Pushed Juice Shop v20.0.0 into the local registry.
Resolved the immutable manifest digest directly from the Registry HTTP API using the Docker-Content-Digest response header.
Signed the registry-resident immutable digest with Cosign v3.
Verified the original image signature using the public key.
Pushed an unrelated Alpine image under a deceptive Juice Shop tag.
Confirmed that the substituted image digest did not have a valid Juice Shop signature.
Reverified the original immutable digest successfully.
Attached and verified a CycloneDX SBOM attestation.
Extracted the verified SBOM predicate and compared it with the source SBOM.
Attached and verified a minimal SLSA provenance attestation.
Added the bonus blob-signing demonstration:
Added submissions/lab8.md with all command output and security analysis.
Excluded the private Cosign key and regenerable result files from Git.
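To make the digest-resolution step concrete, here is an added Go example that is not part of this PR, the lab materials, or cosign itself. It parses a constructed registry manifest response, reads the Docker-Content-Digest header, refuses it unless it equals the SHA-256 of the manifest bytes actually received (a registry header is only a claim until checked), and builds the pinned `repo@sha256:...` reference that gets signed and verified. It also shows why the tag-substitution test fails: a second constructed manifest under the same tag resolves to a different digest. The two manifests, the HTTP response and all function names are constructed stand-ins, not the real Juice Shop or Alpine manifests.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// sampleManifest is a constructed OCI image manifest standing in for the bytes
// the registry returns for GET /v2/juice-shop/manifests/v20.0.0. It is not the
// real Juice Shop manifest; the config digest is a placeholder.
const sampleManifest = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json",` +
	`"config":{"mediaType":"application/vnd.oci.image.config.v1+json",` +
	`"digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000","size":1},"layers":[]}`

// substituteManifest is a second constructed manifest standing in for the
// unrelated image pushed under the same tag; different bytes, different digest.
const substituteManifest = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json",` +
	`"config":{"mediaType":"application/vnd.oci.image.config.v1+json",` +
	`"digest":"sha256:1111111111111111111111111111111111111111111111111111111111111111","size":1},"layers":[]}`

// digestOf returns the OCI digest ("sha256:<hex>") of the exact bytes received.
func digestOf(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// buildResponse assembles a raw HTTP/1.1 manifest response as a registry would
// send it; the header value is a parameter so a lying registry can be simulated.
func buildResponse(body, digestHeader string) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "HTTP/1.1 200 OK\r\n")
	fmt.Fprintf(&b, "Content-Type: application/vnd.oci.image.manifest.v1+json\r\n")
	fmt.Fprintf(&b, "Docker-Content-Digest: %s\r\n", digestHeader)
	fmt.Fprintf(&b, "Content-Length: %d\r\n\r\n", len(body))
	b.WriteString(body)
	return b.Bytes()
}

// ResolveDigest parses the response, reads Docker-Content-Digest, and accepts
// it only if it is well-formed and equals the SHA-256 of the manifest body.
func ResolveDigest(raw []byte) (string, error) {
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(raw)), nil)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	hdr := resp.Header.Get("Docker-Content-Digest")
	if !strings.HasPrefix(hdr, "sha256:") || len(hdr) != len("sha256:")+64 {
		return "", fmt.Errorf("missing or malformed Docker-Content-Digest: %q", hdr)
	}
	if computed := digestOf(body); computed != hdr {
		return "", fmt.Errorf("digest mismatch: header %s, body %s", hdr, computed)
	}
	return hdr, nil
}

// PinnedReference builds the immutable reference that gets signed and verified,
// so a later tag move cannot change what the signature covers.
func PinnedReference(repo, digest string) string {
	return repo + "@" + digest
}

func main() {
	good := buildResponse(sampleManifest, digestOf([]byte(sampleManifest)))
	d, err := ResolveDigest(good)
	if err != nil {
		panic(err)
	}
	fmt.Println("sign/verify:", PinnedReference("localhost:5000/juice-shop", d))

	// Same tag, different image: the resolved digest no longer matches the pinned one.
	sub := buildResponse(substituteManifest, digestOf([]byte(substituteManifest)))
	d2, _ := ResolveDigest(sub)
	fmt.Println("tag now resolves to", d2, "matches pinned:", d2 == d)
}
```

Against a live registry the raw bytes would come from the curl command in the Testing section (with `-o` pointed at a file instead of /dev/null so the body is kept); the check that the header digest matches the hash of the returned bytes is the part worth keeping in any script that pins digests.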
Testing
The full workflow was executed with:
The registry digest was resolved through:
```shell
curl -fsS \
  -D - \
  -o /dev/null \
  -H 'Accept: application/vnd.oci.image.index.v1+json, application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json' \
  http://127.0.0.1:5000/v2/juice-shop/manifests/v20.0.0
```
The original signed image was verified with the committed public key.
The substituted image was tested separately and correctly failed verification because it resolved to a different immutable digest without a matching signature.
The SBOM attestation was verified and decoded into:
The provenance attestation was verified and included:
The bonus release archive was verified before modification and rejected after additional bytes were appended.
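The bonus blob check described above, as an added Go example that is not the PR's, the lab's, or cosign's own code: it uses the same primitives as cosign's default key type (ECDSA P-256 over a SHA-256 digest, DER-encoded signature, base64 output) but generates throwaway keys in memory rather than reading cosign's encrypted key files, and the archive bytes are a constructed stand-in for the release archive. It shows the signature verifying over the original bytes and failing once bytes are appended or an unrelated public key is used, which is the same reason the substituted image failed verification earlier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// SignBlob hashes the blob with SHA-256 and signs the digest with ECDSA P-256,
// returning the ASN.1 DER signature base64-encoded.
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	h := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyBlob recomputes the digest over the bytes presented now and checks the
// signature against it; any change to the bytes, including trailing appended
// data, yields a different digest and a failed verification.
func VerifyBlob(pub *ecdsa.PublicKey, blob []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	h := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Result records the three checks the bonus exercise performs.
type Result struct {
	Original bool // signature verifies over the untouched archive
	Appended bool // signature verifies after bytes are appended
	WrongKey bool // signature verifies under an unrelated public key
}

// RunBonus signs a constructed release archive, then verifies it in three
// states: unmodified, with bytes appended, and against an unrelated key.
func RunBonus() (Result, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	// Constructed stand-in for the release archive bytes; not a real tarball.
	archive := []byte("PK\x03\x04 constructed release archive contents")
	sig, err := SignBlob(priv, archive)
	if err != nil {
		return Result{}, err
	}
	// Copy before appending so the original slice is left untouched.
	tampered := append(append([]byte{}, archive...), []byte("\nappended bytes")...)
	return Result{
		Original: VerifyBlob(&priv.PublicKey, archive, sig),
		Appended: VerifyBlob(&priv.PublicKey, tampered, sig),
		WrongKey: VerifyBlob(&other.PublicKey, archive, sig),
	}, nil
}

func main() {
	r, err := RunBonus()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original=%v appended=%v wrongKey=%v\n", r.Original, r.Appended, r.WrongKey)
}
```

The point for the release process is that the signature binds the exact bytes, so the consumer must verify the file it actually downloaded, not a copy re-packaged or padded afterwards; the verifying side needs only the public key, as with the committed cosign.pub.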
Artifacts & Screenshots
Committed:
labs/lab8/keys/cosign.pub
submissions/lab8.md
Generated locally but intentionally not committed:
labs/lab8/keys/cosign.key
labs/lab8/results/
labs/lab8/.cosign-home/
Checklist
submissions/lab8.md
Lab Checklist