Digitally signing files and artifacts using Cosign

You can use digital signature key pairs created with the Cosign utility in Key Management Service. A special build of Cosign allows you to store the created key pair in KMS, sign files and artifacts with the pair's private key, and verify a digital signature using its public key.

Getting startedGetting started

1. Install a special Cosign build for your OS:

   • Linux amd64
   • MacOS Darwin amd64
   • MacOS Darwin arm64
   • Windows

2. Get an IAM token and save it to the $YC_IAM_TOKEN environment variable:

   Bash

   PowerShell

   export YC_IAM_TOKEN=$(yc iam create-token)
   

   $env:YC_IAM_TOKEN = $(yc iam create-token)
   

Sign a local fileSign a local file

1. Create a digital signature key pair and save it to KMS:

   cosign generate-key-pair \
       --kms yckms:///folder/<folder_ID>/keyname/<key_pair_name>
   

   Where:

   • <folder_ID>: ID of the folder where the new key pair will be saved.
   • <key_pair_name>: Name of the signature key pair you create.

   Result:

   client.go:183: Using IAM Token from 'YC_IAM_TOKEN' environment variable as credentials
   client.go:310: generated yckms KEY_ID: 'abj15qhhh98d********'
   Public key written to cosign.pub
   

   The utility will return the ID of the created signature key pair and save a public signature key to a local file. Save the key pair ID, you will need it in the next steps.

   You can always get the ID of your signature key pair in the management console or using the appropriate CLI command.

2. Sign a local file:

   cosign sign-blob \
       --key yckms:///<key_pair_ID> \
       --tlog-upload=false \
       <path_to_file>
   

   Where:

   • <key_pair_ID>: ID of the signature key pair obtained in the previous step.
   • <path_to_file>: Path to the local file you want to sign.

   Result:

   Using payload from: <path_to_file>
   client.go:183: Using IAM Token from 'YC_IAM_TOKEN' environment variable as credentials
   <digital_signature_value>
   

   Save the resulting digital signature value. You will need it for signature verification in the next step.

Verify the digital signatureVerify the digital signature

To verify the signature, run the following command:

cosign verify-blob \
    --key yckms:///<key_pair_ID> \
    --insecure-ignore-tlog \
    --signature "<digital_signature_value>" \
    <path_to_file>

Where:

• --key: Signature key pair ID obtained earlier.
• --signature: Digital signature value obtained in the previous step.
• <path_to_file>: Path to the local file whose signature you want to verify.

Result:

WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the blob.
client.go:183: Using IAM Token from 'YC_IAM_TOKEN' environment variable as credentials
Verified OK

See alsoSee also

• Signing and verifying Container Registry Docker images in Managed Service for Kubernetes.