
Feature/lab8 #1328

Open

Lisoon22 wants to merge 7 commits into inno-devops-labs:main from Lisoon22:feature/lab8

Conversation


@Lisoon22 Lisoon22 commented Jul 2, 2026


Goal

Complete Lab 8 by signing an immutable Juice Shop image digest with Cosign, demonstrating that a substituted image cannot be verified, attaching SBOM and provenance attestations, and implementing signed release-blob verification.

Changes

  • Added the public Cosign verification key:

    • labs/lab8/keys/cosign.pub
  • Started a local OCI Distribution registry on localhost:5000.

  • Pushed Juice Shop v20.0.0 into the local registry.

  • Resolved the immutable manifest digest directly from the Registry HTTP API using the Docker-Content-Digest response header.

  • Signed the registry-resident immutable digest with Cosign v3.

  • Verified the original image signature using the public key.

  • Pushed an unrelated Alpine image under a deceptive Juice Shop tag.

  • Confirmed that the substituted image digest did not have a valid Juice Shop signature.

  • Reverified the original immutable digest successfully.

  • Attached and verified a CycloneDX SBOM attestation.

  • Extracted the verified SBOM predicate and compared it with the source SBOM.

  • Attached and verified a minimal SLSA provenance attestation.

  • Added the bonus blob-signing demonstration:

    • signed a release archive;
    • verified the original archive;
    • modified the archive;
    • confirmed that the modified blob failed verification.
  • Added submissions/lab8.md with all command output and security analysis.

  • Excluded the private Cosign key and regenerable result files from Git.

Testing

The full workflow was executed with:

./scripts/lab8_install_arch.sh
sudo systemctl start docker
./scripts/lab8_run_all.sh

The registry digest was resolved through:

curl -fsS \
  -D - \
  -o /dev/null \
  -H 'Accept: application/vnd.oci.image.index.v1+json, application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json' \
  http://127.0.0.1:5000/v2/juice-shop/manifests/v20.0.0

The original signed image was verified with the committed public key.

The substituted image was tested separately and correctly failed verification because it resolved to a different immutable digest without a matching signature.

The SBOM attestation was verified and decoded into:

labs/lab8/results/sbom-from-attestation.json

The provenance attestation was verified and included:

  • an explicit builder ID;
  • a SLSA provenance build type;
  • source repository and commit information;
  • build parameters and materials.

The bonus release archive was verified before modification and rejected after additional bytes were appended.

Artifacts & Screenshots

Committed:

  • labs/lab8/keys/cosign.pub
  • submissions/lab8.md

Generated locally but intentionally not committed:

  • labs/lab8/keys/cosign.key
  • labs/lab8/results/
  • labs/lab8/.cosign-home/
  • local OCI registry storage;
  • generated signatures, bundles, and decoded predicates.

Checklist

  • PR title clearly describes the Lab 8 changes
  • Only the public Cosign key was committed
  • The private Cosign key was excluded
  • Regenerable signing and verification evidence was excluded
  • Submission exists at submissions/lab8.md
  • Commit is SSH-signed

Lab Checklist

  • Task 1 — local OCI registry started
  • Task 1 — Juice Shop image pushed successfully
  • Task 1 — registry-resident immutable digest signed
  • Task 1 — original digest verification succeeded
  • Task 1 — substituted image verification failed correctly
  • Task 1 — original digest succeeded again after the negative test
  • Task 2 — CycloneDX SBOM attestation attached
  • Task 2 — SBOM attestation verified and decoded
  • Task 2 — SLSA provenance attestation attached and verified
  • Bonus — release blob signed with a Cosign bundle
  • Bonus — original blob verification succeeded
  • Bonus — modified blob verification failed correctly
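The digest-pinning step this PR describes (resolving a tag to its immutable manifest digest via the Registry HTTP API and its Docker-Content-Digest header) as an added Python example; it is not part of the lab or of this submission. It goes one step further than the curl command above by recomputing the digest from the served manifest bytes and refusing a header that does not match, and it uses constructed manifest bytes in place of the real Juice Shop and Alpine images.

```python
import hashlib
import re
import urllib.request

ACCEPT = ", ".join([
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.docker.distribution.manifest.v2+json",
])
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def manifest_digest(manifest_bytes: bytes) -> str:
    """The immutable digest is the SHA-256 of the raw manifest bytes as served."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()

def pinned_reference(registry: str, repo: str, headers: dict, manifest_bytes: bytes) -> str:
    """Return 'registry/repo@sha256:...' to hand to `cosign sign`, after checking the
    Docker-Content-Digest header against a digest computed locally, so a registry
    that reports one digest but serves a different body is not trusted."""
    reported = next((v for k, v in headers.items()
                     if k.lower() == "docker-content-digest"), None)
    if reported is None or not DIGEST_RE.match(reported):
        raise ValueError(f"missing or malformed Docker-Content-Digest: {reported!r}")
    computed = manifest_digest(manifest_bytes)
    if reported != computed:
        raise ValueError(f"digest mismatch: header {reported}, body {computed}")
    return f"{registry}/{repo}@{computed}"

def fetch_pinned_reference(registry: str, repo: str, tag: str) -> str:
    """Live variant for a plain-HTTP lab registry such as 127.0.0.1:5000."""
    req = urllib.request.Request(f"http://{registry}/v2/{repo}/manifests/{tag}",
                                 headers={"Accept": ACCEPT})
    with urllib.request.urlopen(req) as resp:
        return pinned_reference(registry, repo, dict(resp.headers), resp.read())

# Constructed stand-ins for the manifest bytes the registry would serve under the
# same tag before and after the substitution described in the lab (not real images).
JUICE_MANIFEST = b'{"schemaVersion":2,"config":{"digest":"sha256:' + b"11" * 32 + b'"}}'
ALPINE_MANIFEST = b'{"schemaVersion":2,"config":{"digest":"sha256:' + b"22" * 32 + b'"}}'

def demo() -> tuple:
    """Same tag, different bytes: distinct pinned references, so a signature over
    the first says nothing about the substituted image."""
    def headers_for(m: bytes) -> dict:
        return {"Docker-Content-Digest": manifest_digest(m)}
    return (pinned_reference("127.0.0.1:5000", "juice-shop", headers_for(JUICE_MANIFEST), JUICE_MANIFEST),
            pinned_reference("127.0.0.1:5000", "juice-shop", headers_for(ALPINE_MANIFEST), ALPINE_MANIFEST))
```

Against a running lab registry, `fetch_pinned_reference("127.0.0.1:5000", "juice-shop", "v20.0.0")` returns the `repo@sha256:...` string that should be signed and later verified, rather than the mutable tag.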
