# ttl.sh and cosign: Signing an anonymous & ephemeral Docker image registry.

The wonderful tweet of [Civo](https://civo.com/), was the igniter for this "*fast-food style*" blog entry.

%[https://twitter.com/CivoCloud/status/1434445206502486018?s=20]

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1630852971616/I7e_OXjp7.png)

# So the Question is...
Can I use `cosign` on ttl.sh?

# What is ttl.sh?
[ttl.sh](https://ttl.sh/) is an anonymous, expiring Docker container registry using the official Docker Registry image.

# What is cosign
`cosign` is all about container signing, verification and storage in an OCI registry.

# Lets roll

## ttl.sh
Using ttl.sh is quite easy: Just tag your image with ttl.sh, a UUID if you want to be extra sneaky, & time limit (i.e. :2h)

```bash
docker tag ghcr.io/dirien/minecraft-exporter:0.5.0-amd64 ttl.sh/minecraft-exporter:1h
```
Then push the image as usual:

```bash
docker push ttl.sh/minecraft-exporter:1h
The push refers to repository [ttl.sh/minecraft-exporter]
01ea7d5a809a: Pushed 
bc276c40b172: Pushed 
1h: digest: sha256:4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7 size: 739
```
![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1630852611426/W0Qe94LZb.png)

Otherwise

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1630852858202/bZDkCc_ci.png)

## cosign

We follow the instructions of [cosign](https://github.com/sigstore/cosign#generate-a-keypair)

```shell
cosign generate-key-pair

cosign sign -key cosign.key ttl.sh/minecraft-exporter:1h                                                                        
Enter password for private key: 
Pushing signature to: ttl.sh/minecraft-exporter:sha256-4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7.sig
```

After this we can verify our images, as part of our toolchain:

```bash
cosign verify -key cosign.pub ttl.sh/minecraft-exporter:1h                                                                             

Verification for ttl.sh/minecraft-exporter:1h --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
{"critical":{"identity":{"docker-reference":"ttl.sh/minecraft-exporter"},"image":{"docker-manifest-digest":"sha256:4d19d2c73fb4316ca0068175f3b5c07120095088bfda9bab1ede12b862a0b1d7"},"type":"cosign container image signature"},"optional":null}
```

![Barack_Obama_drops_the_mic.gif](https://cdn.hashnode.com/res/hashnode/image/upload/v1630851928253/4AL2eXN1R.gif)
