Skip to content

feat(lab8): implement image signing, attestations and blob verification with Cosign#1424

Open
d13-l1t3 wants to merge 20 commits into
inno-devops-labs:mainfrom
d13-l1t3:feature/lab8
Open

feat(lab8): implement image signing, attestations and blob verification with Cosign#1424
d13-l1t3 wants to merge 20 commits into
inno-devops-labs:mainfrom
d13-l1t3:feature/lab8

Conversation

@d13-l1t3

@d13-l1t3 d13-l1t3 commented Jul 4, 2026

Copy link
Copy Markdown

Goal

To implement and validate software supply chain security practices using Sigstore cosign. This includes signing Docker images to prevent tampering, attaching SBOM and SLSA Provenance attestations to verify the build process, and signing arbitrary blobs to mitigate attacks similar to the Codecov 2021 incident.

Changes

  • Generated a local Cosign key pair.
  • Pushed and signed the juice-shop:v20.0.0 image in a local registry (localhost:5000).
  • Attached a CycloneDX SBOM attestation (cosign attest --type cyclonedx).
  • Created and attached a SLSA Provenance attestation (cosign attest --type slsaprovenance).
  • Created a dummy installer script, packaged it into a tar.gz archive, and signed it using cosign sign-blob.
  • Completed the lab8.md report with terminal outputs and explanations regarding digest binding importance and the Codecov 2021 mitigation.

Testing

  • Task 1 (Image Signing): Successfully verified the original signed image. Conducted a tamper demo by re-tagging an alpine:3.20 image as juice-shop; cosign verify correctly failed and rejected the tampered image.
  • Task 2 (Attestations): Extracted the SBOM payload from the registry using cosign verify-attestation and confirmed it perfectly matches the original Lab 4 SBOM component count. Successfully verified the SLSA Provenance attestation.
  • Bonus (Blob Signing): Verified the original .tar.gz bundle. Appended a malicious payload to the archive, which was successfully detected and blocked by cosign verify-blob with an ASN.1 signature validation error.

Artifacts & Screenshots

  • Updated lab8.md report containing all required execution logs and theoretical answers.
  • Locally generated outputs:
    • verify-original.json
    • verify-tampered.txt
    • sbom-from-attestation.json
    • provenance-verify.json
    • blob-tamper.txt

Checklist

  • Title is clear (feat(labN): style)
  • No secrets/large temp files committed
  • Submission file at lab8.md exists
  • Task 1 — Image signed + tamper demo (both shown)
  • Task 2 — SBOM + provenance attestations attached and verified
  • Bonus — Blob signed + verify-blob success + tamper failure

d13-l1t3 added 20 commits June 12, 2026 01:34
feat(lab9): falco custom rules + conftest hardening policies
feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready att…
feat(lab5): ZAP baseline + auth + Semgrep + correlation
feat(lab7): trivy + PSS restricted + conftest gate
feat(lab6): Checkov + KICS scans + custom policy
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant