Digitally signing files and artifacts using Cosign
You can use digital signature key pairs created with the Cosign
Getting started
- Install a special Cosign build for your OS.
- Get an IAM token and save it to the $YC_IAM_TOKEN environment variable:
  Bash:
  export YC_IAM_TOKEN=$(yc iam create-token)
  PowerShell:
  $env:YC_IAM_TOKEN = $(yc iam create-token)
Sign a local file
- Create a digital signature key pair and save it to KMS:
  cosign generate-key-pair \
    --kms yckms:///folder/<folder_ID>/keyname/<key_pair_name>
  Where:
  <folder_ID>: ID of the folder where the new key pair will be saved.
  <key_pair_name>: Name of the signature key pair you create.
  Result:
  client.go:183: Using IAM Token from 'YC_IAM_TOKEN' environment variable as credentials
  client.go:310: generated yckms KEY_ID: 'abj15qhhh98d********'
  Public key written to cosign.pub
  The utility returns the ID of the created signature key pair and saves the public signature key to a local file (cosign.pub). Save the key pair ID; you will need it in the next steps.
  You can always get the ID of your signature key pair in the management console or using the appropriate CLI command.
- Sign a local file:
  cosign sign-blob \
    --key yckms:///<key_pair_ID> \
    --tlog-upload=false \
    <path_to_file>
  Where:
  <key_pair_ID>: ID of the signature key pair obtained in the previous step.
  <path_to_file>: Path to the local file you want to sign.
  Result:
  Using payload from: <path_to_file>
  client.go:183: Using IAM Token from 'YC_IAM_TOKEN' environment variable as credentials
  <digital_signature_value>
  Save the resulting digital signature value. You will need it for signature verification in the next step.
Verify the digital signature
To verify the signature, run the following command:
cosign verify-blob \
--key yckms:///<key_pair_ID> \
--insecure-ignore-tlog \
--signature "<digital_signature_value>" \
<path_to_file>
Where:
--key: ID of the signature key pair obtained earlier.
--signature: Digital signature value obtained in the previous step.
<path_to_file>: Path to the local file whose signature you want to verify.
Result:
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the blob.
client.go:183: Using IAM Token from 'YC_IAM_TOKEN' environment variable as credentials
Verified OK
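The sign-blob and verify-blob steps above, as an added Go example that is not part of this page or of the Cosign project: a locally generated ECDSA P-256 key (Cosign's default key type) is a constructed stand-in for the KMS-held pair, so the code shows the signature format sign-blob emits (base64 of a DER ECDSA signature over SHA-256 of the file) and the local check verify-blob performs against the cosign.pub file when the transparency log is skipped. The function names newKeyPair, signBlob and verifyBlob are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
)

// newKeyPair: constructed local P-256 key standing in for the KMS-held pair,
// with its public half in the PEM form cosign writes to cosign.pub.
func newKeyPair() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for P-256
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// signBlob yields what `cosign sign-blob` prints: base64 of a DER ECDSA signature over SHA-256(file).
func signBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// verifyBlob is the local check `cosign verify-blob --key cosign.pub --insecure-ignore-tlog
// --signature <sig> <file>` performs: parse the PKIX PEM key, decode the signature, verify.
func verifyBlob(pubPEM []byte, sigB64 string, blob []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("cosign.pub: no PUBLIC KEY PEM block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := key.(*ecdsa.PublicKey) // ok is false on a nil interface, no panic
	if err != nil || !ok {
		return errors.New("cosign.pub: not a PKIX-encoded ECDSA public key")
	}
	der, err := base64.StdEncoding.DecodeString(sigB64)
	digest := sha256.Sum256(blob) // cosign hashes the payload, then verifies the digest
	if err != nil || !ecdsa.VerifyASN1(pub, digest[:], der) {
		return errors.New("signature is not valid for this file")
	}
	return nil
}
```

With the tlog skipped, this digest check against the trusted public key is the whole verification, which is why the WARNING above matters: nothing else attests when or by whom the file was signed.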