Skip to content

Lab 8 β€” Supply Chain Security: Cosign Sign + SBOM Attestation + Blob Signing#1426

Open
Nik-ari-ai wants to merge 1 commit into
inno-devops-labs:mainfrom
Nik-ari-ai:lab08
Open

Lab 8 β€” Supply Chain Security: Cosign Sign + SBOM Attestation + Blob Signing#1426
Nik-ari-ai wants to merge 1 commit into
inno-devops-labs:mainfrom
Nik-ari-ai:lab08

Conversation

@Nik-ari-ai

Copy link
Copy Markdown

Goal:

Sign the Juice Shop image with Cosign in a local registry, attach the CycloneDX SBOM from Lab 4 as an attestation, and (bonus) sign a tarball using cosign sign-blob to mitigate the Codecov 2021 attack class.

Changes

  • submissions/lab08.md β€” report
  • labs/lab8/keys/cosign.pub β€” public verification key

Testing

  • Image signed on digest sha256:cbdfc00de... in localhost:5000/juice-shop
  • cosign verify on original: PASS
  • cosign verify on tampered (alpine re-tagged as juice-shop:v20.0.0-tampered): FAIL with "no signatures found"
  • Sanity: original digest still verifies after tamper attempt
  • cosign attest --type cyclonedx: 3068 components round-trip identical to Lab 4 source
  • cosign attest --type slsaprovenance: verified, predicate decodes back to submitted JSON
  • cosign sign-blob + verify-blob on my-tool.tar.gz: PASS; tampered version FAILs with "invalid signature"

Artifacts & Screenshots

  • submissions/lab08.md
  • labs/lab8/keys/cosign.pub

Checklist

  • Task 1 β€” Image signed + tamper demo (both shown)
  • Task 2 β€” SBOM + provenance attestations attached and verified
  • Bonus β€” Blob signed + verify-blob success + tamper failure

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant