10. Distributing Public Key Signed by trusted CA - SMART2016/containerization GitHub Wiki
If the signing key is certified by a trusted Certificate Authority (CA), for example Sigstore's Fulcio or an enterprise CA, the verifier does not need a copy of your public key at all: the certificate attached to the signature carries the key together with the identity it was issued to, and the verifier only has to trust the CA's root. (Let's Encrypt is not an option here; it issues TLS server certificates via ACME, not signing certificates.) Note that verification happens wherever the image is checked (cosign on a workstation, a CI job, a Kubernetes admission controller), not inside the running container, so it is the verifier's trust root that matters, not the container's CA bundle. Here's why and how it works:
1️⃣ How Trusted CAs Work for Image Signing
When You Sign an Image with a Trusted CA:
- You have a trusted CA (Sigstore's public Fulcio, a private Fulcio instance, or an internal CA) issue a certificate for your signing key. With Fulcio the key is ephemeral and the certificate is short-lived (about ten minutes).
- The CA binds your identity (email, GitHub Actions, etc.) to your public key in a certificate.
- Your container signature is now verifiable using the CA’s root certificate.
When the Image Is Verified:
- The verifier (cosign, a CI job, or an admission controller such as Sigstore's policy-controller) holds the CA's root certificate, validates the chain on the certificate attached to the signature, and then uses the public key inside that certificate to check the signature.
- No need to distribute cosign.pub: the certificate carries the key, and the CA vouches for the identity behind it.
- Pin the identity, not just the CA: anyone with an OIDC login can obtain a certificate from the public Fulcio instance, so the verification policy must also state which identity (and which OIDC issuer) is allowed to have signed.
✅ This avoids distributing public keys manually and ties each signature to an identity rather than to a key file.
2️⃣ Why This Approach Works
| Scenario | What Happens? |
|---|---|
| Own key pair (cosign generate-key-pair) | You must distribute cosign.pub to every verifier and rotate it by hand. |
| Certificate from a trusted CA (e.g., Fulcio) | The certificate ships with the signature; verification works wherever the CA root is trusted. |
If the verifier already trusts the CA root, then:
✅ The signer's public key is trusted transitively (it is bound into a certificate that chains to that root).
✅ No need to distribute keys manually; only the root and an identity policy are configured.
3️⃣ Example: Signing an Image with Sigstore Fulcio (Trusted CA)
Instead of a key pair you manage yourself, use a trusted CA (here Sigstore's public Fulcio instance, whose certificates and signatures are recorded in the Rekor transparency log):
Step 1: Install Cosign (check the downloaded binary against the checksums published with the release before moving it into your PATH)
curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
chmod +x cosign-linux-amd64
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
Step 2: Sign the Image with a Trusted CA (Fulcio)
cosign sign --oidc-issuer=https://oauth2.sigstore.dev/auth --fulcio-url=https://fulcio.sigstore.dev myregistry.com/my-image:latest
🚀 Cosign opens a browser for the OIDC login, generates an ephemeral key pair, obtains a short-lived certificate from Fulcio that binds your identity to that key, signs the image digest, and records the signature and certificate in Rekor. The two URLs shown are cosign's defaults for the public Sigstore instance. In CI, add --yes to skip the interactive prompt; cosign can then use the runner's ambient OIDC token (for example in GitHub Actions). Prefer signing by digest (myregistry.com/my-image@sha256:...) rather than by a mutable tag, so there is no ambiguity about which manifest the signature covers.
Step 3: Verify the Image (No Public Key Required!)
cosign verify --certificate-identity=<signer-email> --certificate-oidc-issuer=https://oauth2.sigstore.dev/auth myregistry.com/my-image:latest
✅ Cosign fetches the signature and certificate from the registry, checks the certificate chain against Sigstore's root (cosign obtains that root through TUF, so nothing is installed in the container), confirms that the Rekor entry's timestamp falls inside the certificate's short validity window, and checks that the certificate's identity and OIDC issuer match the flags. The public key never has to be shipped; it arrives inside the certificate. Both flags are mandatory in cosign 2.x (use --certificate-identity-regexp / --certificate-oidc-issuer-regexp for patterns). For an image signed from GitHub Actions the issuer is https://token.actions.githubusercontent.com and the identity is the signing workflow's URL.
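What the verifier does with that certificate, reduced to its core, as an added example in Go that is not cosign's or Sigstore's code: a toy CA stands in for Fulcio, issues a ten-minute certificate binding an email identity and an OIDC issuer to a fresh ephemeral key, and the signature ships with that certificate instead of a public key. The verifier holds only the root, chains the certificate to it as of the recorded signing time (standing in for Rekor's integrated time; the log itself is left out), pins identity and issuer, and only then checks the signature. The CA name, the email, the payload and the Bundle type are constructed for this example; the issuer extension reuses the OID of Fulcio's original issuer extension.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// OID of the Fulcio certificate extension that records the OIDC issuer.
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// Bundle is what travels with the image instead of a public key: payload, signature,
// the short-lived leaf cert and the recorded signing time (Rekor's integrated time).
type Bundle struct {
	Payload, Sig, CertDER []byte
	SignedAt              time.Time
}

func keyPair() *ecdsa.PrivateKey { // P-256; rand.Reader does not fail in practice
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// NewCA is a toy stand-in for Fulcio (not Sigstore code): a self-signed root whose
// certificate is the only trust anchor a verifier needs.
func NewCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key := keyPair()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, // toy serial
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Sign runs the keyless flow: ephemeral key, a 10-minute certificate from the CA
// binding the OIDC identity and issuer to that key, sign, then drop the key.
func Sign(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, email, issuer string, payload []byte) (*Bundle, error) {
	key := keyPair()
	now := time.Now().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(10 * time.Minute),
		EmailAddresses:  []string{email}, // identity goes in the SAN, as Fulcio does
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return &Bundle{Payload: payload, Sig: sig, CertDER: der, SignedAt: now}, err
}

// Verify is the essence of `cosign verify --certificate-identity ... --certificate-oidc-issuer ...`:
// chain the leaf to the configured root as of signing time, pin identity and issuer, check the signature.
func Verify(root *x509.Certificate, b *Bundle, wantEmail, wantIssuer string) error {
	leaf, err := x509.ParseCertificate(b.CertDER)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool() // the verifier's own trust anchor, not the container's CA bundle
	pool.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: b.SignedAt, // cert lives minutes: judge it at signing time
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return err
	}
	if len(leaf.EmailAddresses) != 1 || leaf.EmailAddresses[0] != wantEmail {
		return errors.New("certificate identity does not match")
	}
	var issuer string
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			issuer = string(ext.Value)
		}
	}
	if issuer != wantIssuer {
		return errors.New("certificate OIDC issuer does not match")
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(b.Payload)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], b.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

Verification must fail not only for a bad signature but for the wrong identity, the wrong issuer, a certificate from another CA, and a certificate checked outside its validity window; in cosign those four are what --certificate-identity, --certificate-oidc-issuer, the TUF-distributed trust root, and the Rekor timestamp provide.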
4️⃣ Benefits of This Approach
✅ No need to distribute public keys manually.
✅ Works with the trust root the verifier already has (Sigstore's TUF-distributed root for Fulcio, your own root for an enterprise CA).
✅ Widely adopted (the public Sigstore instance, private Fulcio deployments, internal CAs), with signatures tied to identities and a transparency log as an audit trail.
✅ Easier to scale than managing key pairs: no key files to distribute, rotate, or revoke.
5️⃣ Conclusion: Can You Use a Trusted CA for Image Signing?
Yes! If you sign with a certificate from a trusted CA, and the verifier (not the container) trusts that CA's root, then:
✅ The signer's public key is trusted through the certificate chain.
✅ No need to install public keys on every verifier.
✅ Verification happens automatically, provided the verification policy also pins the expected identity and OIDC issuer.