A wonderful tweet from Civo was the igniter for this "fast-food style" blog entry.
So the question is...
Can I use cosign on ttl.sh?
What is ttl.sh?
ttl.sh is an anonymous, expiring Docker container registry using the official Docker Registry image.
What is cosign?
cosign is all about container signing, verification and storage in an OCI registry.
Let's roll
ttl.sh
Using ttl.sh is quite easy: just tag your image with ttl.sh, a UUID if you want to be extra sneaky, and a time limit (e.g. :2h):
docker tag ghcr.io/dirien/minecraft-exporter:0.5.0-amd64 ttl.sh/minecraft-exporter:1h
Then push the image as usual:
docker push ttl.sh/minecraft-exporter:1h
The push refers to repository [ttl.sh/minecraft-exporter]
01ea7d5a809a: Pushed
bc276c40b172: Pushed
1h: digest: sha256:4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7 size: 739
Otherwise
cosign
We follow the cosign instructions:
cosign generate-key-pair
cosign sign -key cosign.key ttl.sh/minecraft-exporter:1h
Enter password for private key:
Pushing signature to: ttl.sh/minecraft-exporter:sha256-4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7.sig
After this, we can verify our images as part of our toolchain:
cosign verify -key cosign.pub ttl.sh/minecraft-exporter:1h
Verification for ttl.sh/minecraft-exporter:1h --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.
{"critical":{"identity":{"docker-reference":"ttl.sh/minecraft-exporter"},"image":{"docker-manifest-digest":"sha256:4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7"},"type":"cosign container image signature"},"optional":null}
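The payload printed by cosign verify names the repository and the manifest digest that was signed, while a tag such as :1h is a mutable pointer, so a later pull by tag is not guaranteed to return the signed manifest. As an added example (not part of the original post and not cosign's own code), this Python sketch takes the output of a cosign verify run that exited successfully and turns it into a digest-pinned reference for the next toolchain step; the function names are hypothetical and the sample input is copied from the transcript above.

```python
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
DIGEST = "sha256:4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7"
# Sample input: status text plus the payload line from the verify transcript above.
SAMPLE_OUTPUT = (
    "Verification for ttl.sh/minecraft-exporter:1h --\n"
    '{"critical":{"identity":{"docker-reference":"ttl.sh/minecraft-exporter"},'
    '"image":{"docker-manifest-digest":"' + DIGEST + '"},'
    '"type":"cosign container image signature"},"optional":null}\n'
)

def signature_tag(digest):
    """sha256:<hex> -> sha256-<hex>.sig, the tag the signature was pushed to."""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    return digest.replace(":", "-", 1) + ".sig"

def signed_payloads(output):
    """Yield payload objects from verify output, skipping non-JSON status lines."""
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith(("{", "[")):
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue
        # Tolerate one object per line or a JSON array of objects.
        for item in doc if isinstance(doc, list) else [doc]:
            if isinstance(item, dict):
                yield item

def pinned_reference(output, repo, expected_digest=None):
    """Return repo@digest taken from a signed payload for repo, or raise ValueError."""
    for payload in signed_payloads(output):
        critical = payload.get("critical") or {}
        ref = (critical.get("identity") or {}).get("docker-reference")
        digest = (critical.get("image") or {}).get("docker-manifest-digest") or ""
        if critical.get("type") != "cosign container image signature":
            continue
        if ref != repo or not DIGEST_RE.match(digest):
            continue
        if expected_digest and digest != expected_digest:
            continue
        return f"{repo}@{digest}"
    raise ValueError(f"no signed payload for {repo} with the expected digest")

if __name__ == "__main__":
    print(pinned_reference(SAMPLE_OUTPUT, "ttl.sh/minecraft-exporter", DIGEST))
    print(signature_tag(DIGEST))
```

The script does not check any signature itself; it only consumes what a successful cosign verify printed, and the returned repo@digest string is what a later docker pull would use instead of the tag.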