and cosign: Signing an anonymous & ephemeral Docker image registry.

The wonderful tweet by Civo was the igniter for this "fast-food style" blog entry.


So the question is...

Can I use cosign on

What is it

It is an anonymous, expiring Docker container registry using the official Docker Registry image.

What is cosign

cosign is all about container signing, verification and storage in an OCI registry.

Let's roll

Using it is quite easy: just tag your image with a UUID (if you want to be extra sneaky) and a time limit (e.g. :2h)

docker tag

Then push the image as usual:

docker push
The push refers to repository []
01ea7d5a809a: Pushed 
bc276c40b172: Pushed 
1h: digest: sha256:4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7 size: 739

We follow the cosign instructions:

cosign generate-key-pair

cosign sign -key cosign.key
Enter password for private key: 
Pushing signature to:

After this we can verify our images as part of our toolchain:

cosign verify -key

Verification for --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7"},"type":"cosign container image signature"},"optional":null}
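Reading the verify output by eye is fine for a blog post; in a toolchain the check should be mechanical. This added example (not code from the original post) parses the payload `cosign verify` prints, confirms it binds the expected image reference to the digest `docker push` reported, and refuses an image whose TTL tag has already run out, since cosign stores the signature in the same expiring registry. The registry host, the image reference and the TTL tag units (s/m/h/d) are placeholders and assumptions, not values from the page.

```python
import json
import re

# Digest reported by `docker push` on the page.
PUSHED_DIGEST = "sha256:4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7"
# Constructed sample in the payload shape the page shows; the reference is a
# placeholder because the page's own image reference was not recoverable.
SAMPLE_REF = "REGISTRY_HOST/PLACEHOLDER_UUID:1h"
SAMPLE_VERIFY_OUTPUT = json.dumps({
    "critical": {"identity": {"docker-reference": SAMPLE_REF},
                 "image": {"docker-manifest-digest": PUSHED_DIGEST},
                 "type": "cosign container image signature"},
    "optional": None,
})

_TTL_RE = re.compile(r"^(\d+)([smhd])$")  # tag units s/m/h/d are an assumption
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_ttl_tag(ref):
    """Lifetime in seconds encoded in a tag like ':2h', or None for a non-TTL tag."""
    name = ref.rsplit("/", 1)[-1]  # last path segment: repo[:tag]
    if ":" not in name:
        return None
    m = _TTL_RE.match(name.rsplit(":", 1)[1])
    return int(m.group(1)) * _SECONDS[m.group(2)] if m else None

def verified_payloads(output):
    """Payload objects from `cosign verify` output. Older cosign prints one bare
    object per line (as on the page), newer versions print a JSON array."""
    payloads = []
    for line in output.splitlines():
        line = line.strip()
        if line[:1] in ("{", "["):  # skip the human-readable status lines
            parsed = json.loads(line)
            payloads.extend(parsed if isinstance(parsed, list) else [parsed])
    return payloads

def image_is_trusted(output, expected_ref, expected_digest, seconds_since_push):
    """True only if a verified payload binds expected_ref to expected_digest and
    the ephemeral tag has not expired (expiry removes image and signature)."""
    ttl = parse_ttl_tag(expected_ref)
    if ttl is not None and seconds_since_push >= ttl:
        return False
    for p in verified_payloads(output):
        crit = p.get("critical", {})
        if (crit.get("type") == "cosign container image signature"
                and crit.get("identity", {}).get("docker-reference") == expected_ref
                and crit.get("image", {}).get("docker-manifest-digest") == expected_digest):
            return True
    return False
```

Feed it the stdout of `cosign verify` together with the digest line from `docker push`; a mismatching digest, a different reference or an elapsed TTL all yield False.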