ttl.sh and cosign: Signing an anonymous & ephemeral Docker image registry.


A wonderful tweet from Civo was the spark for this "fast-food style" blog entry.


So the question is...

Can I use cosign on ttl.sh?

What is ttl.sh?

ttl.sh is an anonymous, expiring Docker container registry using the official Docker Registry image.

What is cosign?

cosign is all about container signing, verification and storage in an OCI registry.

Let's roll

ttl.sh

Using ttl.sh is quite easy: just tag your image with ttl.sh, a UUID if you want to be extra sneaky, and a time limit (e.g. :2h).

docker tag ghcr.io/dirien/minecraft-exporter:0.5.0-amd64 ttl.sh/minecraft-exporter:1h

Then push the image as usual:

docker push ttl.sh/minecraft-exporter:1h
The push refers to repository [ttl.sh/minecraft-exporter]
01ea7d5a809a: Pushed 
bc276c40b172: Pushed 
1h: digest: sha256:4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7 size: 739

[image]

Otherwise

[image]

cosign

We follow the cosign instructions:

cosign generate-key-pair

cosign sign -key cosign.key ttl.sh/minecraft-exporter:1h
Enter password for private key: 
Pushing signature to: ttl.sh/minecraft-exporter:sha256-4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7.sig

After this we can verify our images, as part of our toolchain:

cosign verify -key cosign.pub ttl.sh/minecraft-exporter:1h

Verification for ttl.sh/minecraft-exporter:1h --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
{"critical":{"identity":{"docker-reference":"ttl.sh/minecraft-exporter"},"image":{"docker-manifest-digest":"sha256:4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7"},"type":"cosign container image signature"},"optional":null}
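What a toolchain step can do with that last JSON line, as an added example (not code from the original post or from the cosign project): the signature is bound to the manifest digest, not to the expiring :1h tag, so the script checks the payload against the digest printed by docker push and derives the .sig tag seen in the signing output. The function names are hypothetical, and accepting a JSON array as well as a single object is an assumption about other cosign versions.

```python
import json
import re

SIG_TYPE = "cosign container image signature"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Values copied from the docker push and cosign verify output on this page.
REPO = "ttl.sh/minecraft-exporter"
DIGEST = "sha256:4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7"
SAMPLE = ('{"critical":{"identity":{"docker-reference":"ttl.sh/minecraft-exporter"},'
          '"image":{"docker-manifest-digest":"' + DIGEST + '"},'
          '"type":"cosign container image signature"},"optional":null}')


def signature_tag(digest):
    """Tag the signature is stored under: ':' in the digest becomes '-', plus '.sig'."""
    if not DIGEST_RE.match(digest):
        raise ValueError("not a sha256 digest: %r" % digest)
    return digest.replace(":", "-", 1) + ".sig"


def check_payloads(verify_json, repo, digest):
    """Return the payloads that bind `repo` to `digest`; raise ValueError if none do."""
    if not DIGEST_RE.match(digest):
        raise ValueError("not a sha256 digest: %r" % digest)
    doc = json.loads(verify_json)
    # Assumption: some cosign versions print a JSON array instead of one object.
    payloads = doc if isinstance(doc, list) else [doc]
    matching = []
    for payload in payloads:
        critical = payload.get("critical", {}) if isinstance(payload, dict) else {}
        if (critical.get("type") == SIG_TYPE
                and critical.get("identity", {}).get("docker-reference") == repo
                and critical.get("image", {}).get("docker-manifest-digest") == digest):
            matching.append(payload)
    if not matching:
        raise ValueError("no payload matches %s@%s" % (repo, digest))
    return matching


if __name__ == "__main__":
    check_payloads(SAMPLE, REPO, DIGEST)
    print("signed digest matches; signature stored at %s:%s" % (REPO, signature_tag(DIGEST)))
```

Downstream steps can then pull ttl.sh/minecraft-exporter by that digest instead of by the :1h tag.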
