home.social

#cosign — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #cosign, aggregated by home.social.

  1. 1/2
    Today I was playing with Minisign and Cosign to evaluate whether it’s worth signing some of my OSS software with something other than PGP.

    Here’s my verdict: Minisign is promising… Much easier to use than PGP. That simplicity, of course, comes at the cost of giving up a few features.

    #OSS #SoftwareSigning #ArtifactSigning #PGP #Minisign #Cosign #Sigstore

  5. I don't suppose that trusting #sigstore to run a centralized CA and transparency logs just to issue short-lived certs for me to generate signatures is much more secure than #PGP signing using my own keys. I'm just increasing the attack surface...

    The whole Googlesque philosophy of "trust us; don't be evil" is contrary to my take on information security.

    But I'm also open to anyone convincing me otherwise.

    #cosign #rekor #fulcio

  6. #SigStore supposedly: has many clients and is easy to use.

    Reality:

    #Cosign by default uses an (old?) signature format which, apparently, the Python client does not support at all. You have to pass `--new-bundle-format` to get signatures compatible with other clients.

    When verifying you also have to pass `--new-format`. Otherwise you get a completely unclear message:

    Error: bundle does not contain cert for verification, please provide public key

    And of course finding any information at all is cosmically hard. I discovered how to do it only because I remembered that there was once a thread about it on the Python forum, and someone gave an example of how to verify CPython releases with this invention.

  7. #SigStore claim: it has multiple clients and it's easy to use.

    Reality:

    #Cosign defaults to using a bundle format that doesn't seem to be supported by SigStore-python at all. You have to explicitly pass `--new-bundle-format` to create compatible signatures.

    You also have to explicitly pass `--new-format` when verifying. Otherwise, Cosign will give you a completely confusing message:

    Error: bundle does not contain cert for verification, please provide public key

    And of course it's quite hard to find any information on this. I only realized it because I recalled a SigStore-related thread on discuss.python.org, and a single example of using Cosign to verify CPython signatures was given there.
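
The confusing error quoted in the post comes down to a verifier being handed a bundle in a layout it did not expect (cosign's older sign-blob bundle versus the Sigstore protobuf-specs bundle that other clients consume). The following added example, which is not part of the post and not code from the cosign or sigstore-python projects, is a small pre-flight check that classifies a bundle file and says whether it carries a signing certificate at all, so an operator gets a plain diagnosis before running a verifier. The field names used for both layouts (`base64Signature`/`cert`/`rekorBundle` for the legacy cosign bundle, `mediaType`/`verificationMaterial`/`messageSignature` for the Sigstore bundle) are assumptions from memory of those formats, and every value in the sample bundles is a constructed dummy.

```python
import json

# Constructed sample of the legacy bundle layout cosign's sign-blob wrote before the
# new bundle format existed. Field names are an assumption (not quoted from the post);
# all values are dummies.
LEGACY_BUNDLE = json.dumps({
    "base64Signature": "MEUCIQDdummy...",
    "cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM...",
    "rekorBundle": {
        "SignedEntryTimestamp": "MEQCIGdummy...",
        "Payload": {"body": "eyJhcGlWZXJzaW9uIjoi...", "integratedTime": 1700000000,
                    "logIndex": 12345, "logID": "c0d23d6a..."},
    },
})

# Constructed sample of a Sigstore protobuf-specs bundle (the "new" format) as JSON,
# signed with a short-lived certificate. Field names are an assumption about that schema.
SIGSTORE_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {
        "certificate": {"rawBytes": "MIICdummy..."},
        "tlogEntries": [],
    },
    "messageSignature": {
        "messageDigest": {"algorithm": "SHA2_256", "digest": "3q2+7w=="},
        "signature": "MEUCIQDdummy...",
    },
})

# Same schema, but produced with a long-lived key instead of a certificate: the bundle
# then carries only a public-key hint, so the verifier legitimately needs the key
# supplied out of band.
KEY_ONLY_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {"publicKey": {"hint": "abc123"}, "tlogEntries": []},
    "messageSignature": {
        "messageDigest": {"algorithm": "SHA2_256", "digest": "3q2+7w=="},
        "signature": "MEUCIQDdummy...",
    },
})


def classify_bundle(text: str) -> dict:
    """Classify a signature bundle and explain what a verifier should expect.

    Returns a dict with:
      format   - "sigstore-bundle", "cosign-legacy", "unknown" or "invalid"
      has_cert - True when the bundle itself carries a signing certificate
      hint     - a plain-language diagnosis for the operator
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"format": "invalid", "has_cert": False, "hint": f"not JSON: {exc}"}
    if not isinstance(doc, dict):
        return {"format": "invalid", "has_cert": False,
                "hint": "top-level value is not a JSON object"}

    # New format: protobuf-specs Bundle serialised as JSON.
    if "mediaType" in doc and isinstance(doc.get("verificationMaterial"), dict):
        vm = doc["verificationMaterial"]
        has_cert = bool(vm.get("certificate") or vm.get("x509CertificateChain"))
        if has_cert:
            hint = ("Sigstore bundle with an embedded certificate: verify in new-bundle "
                    "mode and check the certificate identity and issuer; no key file needed")
        else:
            hint = ("Sigstore bundle without a certificate (key-based signing): verify in "
                    "new-bundle mode and supply the public key")
        return {"format": "sigstore-bundle", "has_cert": has_cert,
                "hint": hint, "mediaType": doc["mediaType"]}

    # Old format: cosign's own sign-blob bundle.
    if "base64Signature" in doc:
        has_cert = bool(doc.get("cert"))
        hint = ("legacy cosign bundle"
                + (" with embedded certificate" if has_cert
                   else ", no certificate: supply the public key")
                + "; a verifier expecting the new bundle format will not understand it")
        return {"format": "cosign-legacy", "has_cert": has_cert, "hint": hint}

    return {"format": "unknown", "has_cert": False,
            "hint": "neither a Sigstore bundle nor a legacy cosign bundle"}


if __name__ == "__main__":
    for name, text in [("legacy", LEGACY_BUNDLE), ("sigstore", SIGSTORE_BUNDLE),
                       ("key-only", KEY_ONLY_BUNDLE), ("garbage", "not json")]:
        print(name, classify_bundle(text))
```

Run it on a real bundle with `classify_bundle(open("artifact.sigstore.json").read())`; the `has_cert` field separates the two cases the quoted error message lumps together (wrong bundle layout versus a genuinely key-signed bundle), which is the distinction the verifier's message hides.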

  8. Yeah, but then you'd run your own closed instance that wouldn’t be trusted by others and you’re back to square one of identifying which key is trusted. The system works best if everyone trusts Google, Microsoft and Github. I guess you can run your own instance in a closed corporate setting (like a custom CA) but it wouldn’t give any benefits for the wider ecosystem.

    That’s how I see it, happy to be corrected by someone more intimately associated with sigstore.

  9. Wondering whether users of (by ) and (slsa-verifier) would have opinions on how to best make use of these verification tools when downloading binaries for use in container images?

    I started a StackOverflow discussion here with more details, since I'm new to playing around with these toolchains:

    stackoverflow.com/beta/discuss

  10. Updated the rpm repo path for my container. Nice to see that we now have a nightly build as well! If you are looking for a with a public build pipeline, signed with and auto released every Sunday.

    Check out github.com/chimbosonic/veilid-.

    Container images are uploaded to and .io

  11. @patric and #Wolfi apparently uses #Cosign Wooo! That's perfect, because I am actually working on a type of container registry :)

    It's still a glimmer in the postman's eye, but it will be spitting out containers - and signing is so important nowadays, especially when you read about security breaches like with #Polyfill

    Shout outs to #Cloudflare for just redirecting all that traffic to a safe #CDN. Credit where credit is due.

  14. #cosign and #crane in #opensuse will get shell completion subpackages soon. SRs sent...

  15. Signed container images with buildah, podman and cosign via GitHub Actions: tim.siosm.fr/blog/2023/12/20/s

    Explaining how I signed the Toolbx and Distrobox container images (github.com/toolbx-images/image) and the ones in my personal namespace on Quay.io (github.com/travier/quay-contai) using cosign.

    #GitHub #cosign #sigstore #podman

  16. “The show wasn’t enough. I need to kill David myself.”

    #tlou last episode summarized by one of my kids

    #cosign