1. How to self-sign a container? - SMART2016/containerization GitHub Wiki

Self-signing a container involves creating a cryptographic signature using your own keys, ensuring authenticity and integrity. Here’s a straightforward way to do this using common tools like cosign, which is widely adopted for container signing:

Step-by-step guide to self-sign a container image using cosign:


1. Install cosign

First, download and install the latest version of cosign from the official repository:

# Linux (amd64 build); on macOS download the matching cosign-darwin-* asset instead
curl -LO "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
chmod +x cosign-linux-amd64
sudo mv cosign-linux-amd64 /usr/local/bin/cosign

Verify the installation:

cosign version

2. Generate a key pair (for self-signing)

Use cosign generate-key-pair to create public/private keys:

cosign generate-key-pair

The command prompts for a password, encrypts the private key with it, and writes two files to your current directory:

  • cosign.key (private key, encrypted with the password you chose; protect it securely)
  • cosign.pub (public key, used for verification)

Important: Keep your cosign.key secure and private. It should not be exposed publicly or shared, and the password should be treated as a secret in its own right since cosign sign will ask for it.


3. Sign your container image

First, ensure your image is pushed to your registry. For example:

docker tag my-image:latest myregistry.example.com/my-image:latest
docker push myregistry.example.com/my-image:latest

Now, sign the pushed container image:

cosign sign --key cosign.key myregistry.example.com/my-image:latest

This command attaches your cryptographic signature to the image: the signature is stored in the registry next to the image and is bound to the image digest, not to the tag. Prefer signing a digest-pinned reference (myregistry.example.com/my-image@sha256:<digest>) rather than a mutable tag, since a tag can later be moved to a different image; cosign prints a warning when a tag is used. With cosign 2.x the command also records the signature in the public Rekor transparency log by default and asks for confirmation; for private images you can pass --tlog-upload=false (and --insecure-ignore-tlog when verifying).


4. Verify the signed image

To verify the signature, you (or anyone else) can run:

cosign verify --key cosign.pub myregistry.example.com/my-image:latest

If verification is successful, you’ll see details about the signature.


5. Distributing public keys

  • Provide your public key (cosign.pub) to anyone who needs to verify your images.
  • The public key can be freely shared, and it's common to publish it publicly or distribute it via a secure key management solution.

6. Alternative tools for signing:

  • Docker Content Trust (Notary v1) — Integrated into Docker, but considered less straightforward than cosign.
  • Notary v2 (experimental, still evolving standard).
  • Sigstore tooling (cosign, Fulcio, Rekor) — Currently the easiest and most widely recommended approach.

7. Recommended best practices:

  • Use secure storage for your private key (cosign.key).
  • Automate signing processes through CI/CD.
  • Rotate keys on a regular schedule, and re-sign images that must remain deployable after a rotation.
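As an added example that is not part of the wiki, the following POSIX shell gate ties step 4 to the CI/CD automation recommended above: it refuses to verify a mutable tag and only runs cosign verify against a digest-pinned reference, so what gets deployed is exactly what was verified. It assumes cosign 2.x is on PATH and the cosign.pub from step 2 is present; is_digest_ref and verify_image are names chosen here, not cosign commands.

```shell
#!/bin/sh
# Added example (not from the wiki): CI gate that only trusts digest-pinned image references.
# Assumes cosign 2.x on PATH and the public key produced by "cosign generate-key-pair".
set -eu

# Returns 0 only when the reference is pinned to a sha256 digest (64 lowercase hex chars)
# rather than a mutable tag such as ":latest".
is_digest_ref() {
  case "$1" in
    *@sha256:*)
      digest="${1##*@sha256:}"
      [ "${#digest}" -eq 64 ] && printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$'
      ;;
    *) return 1 ;;
  esac
}

# Verifies the image signature against the trusted public key (default: cosign.pub).
# Tag-only references are rejected with exit status 2 before cosign is invoked, because
# a tag can be repointed between verification and pull while a digest cannot.
verify_image() {
  ref="$1"
  pubkey="${2:-cosign.pub}"
  if ! is_digest_ref "$ref"; then
    echo "refusing to verify tag-based reference: $ref (pin it with @sha256:<digest>)" >&2
    return 2
  fi
  # Constructed to match step 4; replace the reference with your own pinned image.
  cosign verify --key "$pubkey" "$ref" >/dev/null
}
```

Resolve a tag to its digest once (for example with docker inspect --format '{{index .RepoDigests 0}}' my-image:latest) and pass that pinned reference to verify_image in the pipeline step that precedes deployment.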

That's the simplest and most effective way to self-sign your container images.