Home
Unchained
Open Source Blog

New Chainguard Academy tutorial: Cosign the manual way

Eddie Zaneski, Staff OSS Engineer

If you’re the type of person that needs to understand the ins and outs of tools, you’re in good company. I have always wanted to know what's going on under the hood. Not necessarily at the syscall level (though this is fun!), but deep enough for it not to be magic when things break. With more vulnerabilities and attacks popping up all over the software supply chain, it is clear that we need to bring more security practices into our software lifecycles. Unfortunately, a lot of tools are challenging or frustrating to implement. When I first used Cosign, the software artifact signing CLI from the Sigstore project, I was amazed at how painless signing and verifying could be. In just three commands in Cosign, you can create a public/private key pair, sign the text file, upload it to the Rekor transparency log and verify the signature of the message.

In a new Chainguard Academy tutorial released today, we dive deep into how to unpack Cosign the manual way. The tutorial starts simple and explores Cosign’s blob signing capabilities.


"Beware of the Blob" promotional movie poster.

Blobs? Not that Blob–the 1958 drive-in smash (though it inspired the name), but an arbitrary collection of raw data like a picture or the executable binary that your source code produces. Cosign is capable of signing and verifying blobs. Spoiler: in the tutorial, we’ll be signing a spooky message.

Here’s a quick look at what you can expect to learn in the tutorial:

  • An overview of the tools you’ll need installed from your package manage of choice

  • How to generate a key pair using the RSA algorithm

  • Using keys to sign blob messages using SHA-256

  • How to upload signatures to the Rekor transparency log

  • How to trust, but also verify your blob message to your signature

If this post and our new Chainguard Academy tutorial has you craving for more you can watch this SigstoreCon talk on the Life of a Sigstore Signature. I'm also planning a follow-up blog and tutorial on how Cosign signs containers and stores signatures and attestations in OCI registries.

If you have any questions you can reach me @eddiezane!

Stay spooky…

Special thanks to Appu Goundan and Hayden Blauzvern.

Share

Ready to Lock Down Your Supply Chain?

Talk to our customer obsessed, community-driven team.

Get Started