#cosign — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cosign, aggregated by home.social.
-
1/2
Today I was playing with Minisign and Cosign to evaluate whether it’s worth signing some of my OSS software with something other than PGP. Here’s my verdict: Minisign is promising… Much easier to use than PGP. That simplicity, of course, comes at the cost of giving up a few features.
#OSS #SoftwareSigning #ArtifactSigning #PGP #Minisign #Cosign #Sigstore
-
I don't suppose that trusting #sigstore to run a centralized CA and transparency logs just to issue short-lived certs for me to generate signatures is much more secure than #PGP signing using my own keys. I'm just increasing the attack surface...
The whole Googlesque philosophy of "trust us; don't be evil" is contrary to my take on information security.
But I'm also open to anyone convincing me otherwise.
-
#SigStore supposedly: has many clients and is easy to use.
Reality:
#Cosign by default uses an (old?) signature format that the Python client apparently does not support at all. You have to pass `--new-bundle-format` to get signatures compatible with other clients.
When verifying you also have to pass `--new-format`. Otherwise, you get a completely unclear message:
Error: bundle does not contain cert for verification, please provide public key
And of course finding any information at all is astronomically hard. I only discovered how to do it because I remembered that there was once a thread about it on the Python forum, and someone threw in an example of how to verify CPython releases using this contraption.
-
#SigStore claim: it has multiple clients and it's easy to use.
Reality:
#Cosign defaults to using a bundle format that doesn't seem to be supported by SigStore-python at all. You have to explicitly pass `--new-bundle-format` to create compatible signatures.
You also have to explicitly pass `--new-format` when verifying. Otherwise, Cosign will give you a completely confusing message:
Error: bundle does not contain cert for verification, please provide public key
And of course it's quite hard to find any information on this. I've realized it only because I recalled a SigStore-related thread on discuss.python.org, and a single example of using Cosign to verify CPython signatures was given there.
-
We have Sigstore `cosign` tool in Debian's NEW queue! Please help test #sigstore #cosign https://lists.debian.org/debian-go/2024/12/msg00005.html
-
Yeah, but then you'd run your own closed instance that wouldn’t be trusted by others and you’re back to square one of identifying which key is trusted. The system works best if everyone trusts Google, Microsoft and Github. I guess you can run your own instance in a closed corporate setting (like a custom CA) but it wouldn’t give any benefits for the wider ecosystem.
That’s how I see it, happy to be corrected by someone more intimately associated with sigstore.
-
Wondering whether users of #cosign (by #sigstore) and #slsa (slsa-verifier) would have opinions on how to best make use of these verification tools when downloading binaries for use in container images?
I started a StackOverflow discussion here with more details, since I'm new to playing around with these toolchains:
-
Updated the #veilid rpm repo path for my container. Nice to see that we now have a nightly build as well! If you are looking for a #veilid #container with a public build pipeline, signed with #cosign and auto-released every Sunday,
check out https://github.com/chimbosonic/veilid-container.
Container images are uploaded to #dockerhub and #quay.io
-
@patric and #Wolfi apparently uses #Cosign Wooo! That's perfect, because I am actually working on a type of container registry :)
It's still a glimmer in the postman's eye, but it will be spitting out containers - and signing is so important nowadays, especially when you read about security breaches like with #Polyfill
Shout outs to #Cloudflare for just redirecting all that traffic to a safe #CDN. Credit where credit is due.
-
Signed container images with buildah, podman and cosign via GitHub Actions: https://tim.siosm.fr/blog/2023/12/20/signed-container-images/
Explaining how I signed the Toolbx and Distrobox container images (https://github.com/toolbx-images/images) and the ones in my personal namespace on Quay.io (https://github.com/travier/quay-containerfiles) using cosign.
-
Securing CICD pipelines with StackRox and Sigstore https://www.opensourcerers.org/2023/10/09/securing-cicd-pipelines-with-stackrox-and-sigstore/
#cosign #sigstore #tekton #Kubernetes #cicd
-
“The show wasn’t enough. I need to kill David myself.”
#tlou last episode summarized by one of my kids
-
Free software signing service now available from Sigstore https://www.fosslife.org/sigstore-announces-general-availability-software-signing-service #Sigstore #SoftwareDevelopment #security #tools #OpenSource #FOSS #Fulcio #Cosign #Rekor #DigitalSigning #verification