This document describes how to sign your train images (Docker containers) that are pushed to the Harbor registry.
We use Cosign to sign the train images, with the self-managed key option rather than the keyless option. Once an image is signed, the signature is uploaded to the Harbor registry, where Harbor automatically links it to the respective image.
First, generate a key pair. The private key (cosign.key) is encrypted with the password you enter; treat the key file and the password as secrets (for example as CI secrets of the Train Depot). The public key (cosign.pub) is what you distribute to verifiers.
cosign generate-key-pair
Enter password for private key:
Enter again:
Private key written to cosign.key
Public key written to cosign.pub
Then log in to Harbor with Cosign (the password is read from stdin so it does not end up in the process list):
echo "$HARBOR_REGISTRY_PASSWORD" | cosign login "$HARBOR_REGISTRY" -u "$HARBOR_REGISTRY_USER" --password-stdin
When signing, Cosign prompts for the private key password; in a non-interactive pipeline, set the COSIGN_PASSWORD environment variable to this password instead. It is advised to sign the digest instead of a tag, because a tag can be moved to a different image later while a digest identifies exactly the content that was signed. So for example $IMAGE_DIGEST
can be something like my_repository.com/my_project/my_image@sha256:98c6b37...b60b29831
Sign the image with the private key:
cosign sign --key cosign.key "$IMAGE_DIGEST"
Note that with Cosign 2.x, cosign sign also uploads the signature to the public Rekor transparency log by default and asks for confirmation before doing so; in CI pass --yes (or set COSIGN_YES=true), or pass --tlog-upload=false if the image reference must not appear in a public log.
You can verify the signature on an image with the public key by running:
cosign verify --key cosign.pub "$IMAGE_DIGEST"
Note that if the repository is private, you have to log in to the registry with cosign before you can verify.
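The signing steps above as one script, added here as an example rather than taken from the project's own CI configuration. It adds the check a pipeline should have before calling cosign sign: the reference must be pinned to a digest, so a job that accidentally passes a tag fails instead of producing a signature on a mutable name. The docker inspect call resolves the pushed image's digest reference; the TRAIN_PROJECT, TRAIN_IMAGE and TRAIN_TAG variables and the sign_pipeline function name are assumptions, while HARBOR_REGISTRY, HARBOR_REGISTRY_USER, HARBOR_REGISTRY_PASSWORD and COSIGN_PASSWORD are the variables used on this page.

```shell
#!/bin/sh
# Added example (not the project's own CI code): sign a train image with a
# self-managed Cosign key, refusing anything that is not pinned to a digest.
# Variable names beyond those documented on the page are assumptions.
set -eu

# Accept only references of the form host/project/image@sha256:<64 hex>.
# A tag is mutable, so a signature made on a tag name says nothing about
# what the tag points at tomorrow; the digest is what the signature covers.
require_digest_ref() {
  ref="$1"
  case "$ref" in
    *@sha256:*) ;;
    *) echo "refusing to sign non-digest reference: $ref" >&2; return 1 ;;
  esac
  digest="${ref##*@sha256:}"
  if [ "${#digest}" -ne 64 ]; then
    echo "digest has wrong length in: $ref" >&2; return 1
  fi
  case "$digest" in
    *[!0-9a-f]*) echo "digest is not lowercase hex in: $ref" >&2; return 1 ;;
  esac
}

# Resolve the digest-pinned reference of an image after it has been pushed:
# docker fills RepoDigests only for images that were pushed to or pulled
# from a registry, so call this after docker push.
image_digest_ref() {
  docker inspect --format '{{index .RepoDigests 0}}' "$1"
}

# COSIGN_PASSWORD (exported by the CI job) supplies the private key
# password, so no interactive prompt appears.
sign_image() {
  require_digest_ref "$1"
  cosign sign --key cosign.key "$1"
}

# Verify with the public key right after signing, so a broken signature
# fails the pipeline instead of being discovered by a station later.
verify_image() {
  cosign verify --key cosign.pub "$1"
}

# The complete depot pipeline step; call this from the CI job after the push.
# TRAIN_PROJECT, TRAIN_IMAGE and TRAIN_TAG are assumed job variables.
sign_pipeline() {
  echo "$HARBOR_REGISTRY_PASSWORD" | cosign login "$HARBOR_REGISTRY" \
      -u "$HARBOR_REGISTRY_USER" --password-stdin
  ref="$(image_digest_ref "$HARBOR_REGISTRY/$TRAIN_PROJECT/$TRAIN_IMAGE:$TRAIN_TAG")"
  sign_image "$ref"
  verify_image "$ref"
}
```

Source the file in the CI job and call sign_pipeline after the docker push step; require_digest_ref is exposed separately so it can also be used as a pre-flight check in other jobs that consume image references.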
The steps to sign the images can be integrated into the CI/CD pipeline of your Train Depots so that every time a new train is published, it is signed. You can go through the documentation here to see how to achieve this.
Once Cosign is integrated, you can use your instance of Central Service (CS) to serve the public key to connected stations so that they can verify image signatures. For this, store your public key in your Vault instance; CS exposes a REST GET endpoint that reads the key from Vault and returns it to requesting stations. Stations should fetch the key over TLS only and, where possible, compare it against a fingerprint obtained out of band, because whoever can replace the served key can sign images that the stations will accept.
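The station side of that setup, added here as an example and not taken from the station or Central Service code: the station downloads the public key from the CS endpoint, pins it by the SHA-256 fingerprint of its DER encoding (the decoded body of the PEM file), and only then hands it to cosign verify. The endpoint URL is passed in as a parameter because its path is not documented on this page, and the pinned fingerprint is assumed to have been given to the station operator out of band; both are assumptions.

```shell
#!/bin/sh
# Added example (not PADME station or CS code): fetch the Cosign public key
# from Central Service, pin it by fingerprint, then verify a train image.
# The endpoint URL and the expected fingerprint are assumed inputs.
set -eu

# SHA-256 over the key's DER (SubjectPublicKeyInfo) bytes, i.e. the PEM
# body base64-decoded. Uses only sed, tr, base64, sha256sum and cut, so it
# works on a station without openssl installed.
pubkey_fingerprint() {
  sed -e '/^-----BEGIN/d' -e '/^-----END/d' "$1" \
    | tr -d '\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Compare the fetched key against a fingerprint the station operator
# received out of band (for example from the depot maintainer). This is the
# backstop against a compromised or spoofed CS handing out an attacker's key:
# TLS protects the transport, the pin protects against the wrong sender.
check_pinned_key() {
  key_file="$1"; expected="$2"
  actual="$(pubkey_fingerprint "$key_file")"
  if [ "$actual" != "$expected" ]; then
    echo "public key fingerprint mismatch: got $actual, want $expected" >&2
    return 1
  fi
}

# Full station flow: key_url is the CS public-key endpoint (assumed input),
# expected_fp the pinned fingerprint, image_ref the digest-pinned train image.
fetch_and_verify() {
  key_url="$1"; expected_fp="$2"; image_ref="$3"
  key_file="$(mktemp)"
  # --fail turns an HTTP error into a non-zero exit instead of saving an
  # error page as if it were a key.
  curl --fail --silent --show-error "$key_url" -o "$key_file"
  check_pinned_key "$key_file" "$expected_fp"
  cosign verify --key "$key_file" "$image_ref"
  rm -f "$key_file"
}
```

The pin does not replace cosign verify: the fingerprint check only establishes that the station is holding the depot's key, and cosign verify then establishes that the image was signed with it.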