A simple CircleCI orb used to install Cosign and sign container images


CircleCI Cosign Orb

An orb for simplifying Cosign installation and use within CircleCI.


This is an unofficial Cosign orb for installing Cosign in your CircleCI pipeline. Use it to sign container images and verify signatures.

This orb is primarily intended for use by private organizations at this time. Note that the convenience commands in this initial version do not attempt keyless signing, transparency-log upload, or similar features. They assume a simple setup: a public/private key pair stored as base64-encoded secrets in a CircleCI context. That makes the private key a long-lived secret held by CI rather than a short-lived keyless identity, so scope the context to the jobs that actually sign; also remember that a Cosign-generated private key is itself encrypted, so the password that unlocks it is a secret as well. If you need advanced features, use the orb for installation only and run the cosign binary with your own arguments. Contributions are welcome!

Features

Secure By Design

  • Least Privilege: Installs to a user-owned directory by default, with no sudo usage anywhere in this orb.
  • Integrity: Checksum validation of all downloaded binaries using SHA-512. A checksum defends against a tampered or corrupted download only when the expected digest comes from somewhere other than the download itself; a digest fetched from the same release page alongside the binary detects corruption but not a compromised release.
  • Provenance: Installs directly from Cosign's official releases page on GitHub. No third-party websites, domains, or proxies are used.
  • Confidentiality: All secrets and environment variables are handled in accordance with CircleCI's security recommendations and best practices.
  • Privacy: No usage data of any kind is collected or shipped back to the orb developer.

Info for security teams:

  • Required external access to allow, if running a locked-down, self-hosted CircleCI pipeline on-prem:
    • github.com: for download and installation of the Cosign tool over HTTPS. Release asset downloads on github.com redirect to objects.githubusercontent.com, so a strict egress allowlist typically needs that host as well.
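To make the Integrity and Least Privilege bullets concrete, here is an added example (written for this page, not the orb's own installer code) of the verify-then-install pattern: compute the SHA-512 digest of a downloaded file, compare it with a pinned digest, treat a missing pin as fatal in a strict mode and as a warning otherwise, delete the file on mismatch, and install into a user-owned directory without sudo. The file names, digests and the strict/warn mode names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from juburr/cosign-orb. Shows pinned SHA-512
# verification followed by a user-owned install with no sudo.
set -eu

# Print the SHA-512 hex digest of a file. sha512sum is GNU coreutils;
# fall back to openssl when it is not available.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    openssl dgst -sha512 "$1" | sed 's/^.*= //'
  fi
}

# verify_download FILE EXPECTED_SHA512 [MODE]
#   MODE=strict (default): an empty/unknown expected digest is a failure.
#   MODE=warn            : an unknown digest only warns.
# A mismatch is always fatal and removes the file so nothing can run it.
# Returns 0 when the file may be installed, 1 otherwise.
verify_download() {
  file="$1"; expected="$2"; mode="${3:-strict}"
  if [ -z "$expected" ]; then
    if [ "$mode" = "strict" ]; then
      echo "no pinned digest for $(basename "$file"); refusing to install" >&2
      return 1
    fi
    echo "warning: no pinned digest for $(basename "$file")" >&2
    return 0
  fi
  actual="$(sha512_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    rm -f "$file"
    return 1
  fi
  return 0
}

# install_user_bin SRC NAME [DEST_DIR]
# Copy SRC to a user-owned directory as an executable and print its path.
# No sudo: the default destination is under $HOME.
install_user_bin() {
  src="$1"; name="$2"; dest_dir="${3:-$HOME/.local/bin}"
  mkdir -p "$dest_dir"
  install -m 0755 "$src" "$dest_dir/$name"
  printf '%s\n' "$dest_dir/$name"
}
```

In a real installer the pinned digest would be a constant chosen per Cosign version (which is what makes the strict mode meaningful: a version with no pin cannot be installed silently), and the printed path would be appended to PATH for later steps.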

Usage

Installation

Use the cosign-orb to handle installation of Cosign within your CircleCI pipeline without needing to create a custom base image. After installation, you can then use the cosign command anywhere within your job. Caching is supported if you want to prevent re-downloading Cosign on successive runs of your pipeline, though the download and installation are normally extremely fast.

```yaml
version: 2.1

orbs:
  # Pin the orb to an exact version so a new release cannot change the job silently.
  cosign: juburr/cosign-orb@0.6.1

parameters:
  cimg_base_version:
    type: string
    default: "current-22.04"
  cosign_version:
    type: string
    default: "2.2.4"

jobs:
  sign_container:
    docker:
      - image: cimg/base:<< pipeline.parameters.cimg_base_version >>
    steps:
      - checkout
      - cosign/install:
          caching: true
          verify_checksums: strict
          version: << pipeline.parameters.cosign_version >>
      - run:
          name: Run Custom Cosign Commands
          command: |
            # Use the cosign binary however you'd like here...
            cosign version
```
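As an added example (not the orb's own code, and not a step the README prescribes), here is what the "Run Custom Cosign Commands" step looks like when filled in for the setup described above: the key pair arrives from a CircleCI context as base64-encoded secrets, is decoded into files only the build user can read, and cosign is run with custom arguments after cosign/install. The variable names COSIGN_PRIVATE_KEY_B64, COSIGN_PUBLIC_KEY_B64 and IMAGE_DIGEST are assumptions for this example; COSIGN_PASSWORD is the variable cosign itself reads to decrypt the private key. The --tlog-upload=false and --insecure-ignore-tlog flags mirror the README's "no transparency log" setup for cosign 2.x; drop both if your pipeline can reach Rekor. The script also refuses to sign a tag reference, which goes beyond the text: signing by digest binds the signature to one exact manifest.

```shell
#!/bin/sh
# Added example, not code from juburr/cosign-orb. Assumed context secrets:
#   COSIGN_PRIVATE_KEY_B64, COSIGN_PUBLIC_KEY_B64  base64 of cosign.key / cosign.pub
#   COSIGN_PASSWORD                                read by cosign to decrypt cosign.key
#   IMAGE_DIGEST   e.g. registry.example.com/app@sha256:<hex> (assumed name)
set -eu

# Decode a base64 secret into DEST so that only the current user can read it.
# Returns 1 and creates nothing when the secret is empty or unset.
write_secret_file() {
  b64="$1"; dest="$2"
  if [ -z "$b64" ]; then
    echo "missing secret for $dest" >&2
    return 1
  fi
  # The subshell's umask makes the file 0600 before the first byte is written,
  # so there is no window in which the key material is readable by others.
  ( umask 077 && printf '%s' "$b64" | base64 -d > "$dest" )
}

# Sign only by digest: a tag can be re-pointed after signing, a digest cannot.
# Requires cosign on PATH (provided in the job by cosign/install).
sign_image_by_digest() {
  key="$1"; image_ref="$2"
  case "$image_ref" in
    *@sha256:*) ;;
    *) echo "refusing to sign a tag reference: $image_ref" >&2; return 1 ;;
  esac
  # --tlog-upload=false matches a private setup with no transparency log.
  cosign sign --yes --tlog-upload=false --key "$key" "$image_ref"
}

# Verify with the public half of the same pair. Exits non-zero when no valid
# signature for this exact digest exists in the registry.
verify_image() {
  cosign verify --insecure-ignore-tlog --key "$1" "$2"
}

sign_and_verify() {
  workdir="$(mktemp -d)"
  trap 'rm -rf "$workdir"' EXIT
  write_secret_file "${COSIGN_PRIVATE_KEY_B64:-}" "$workdir/cosign.key"
  write_secret_file "${COSIGN_PUBLIC_KEY_B64:-}" "$workdir/cosign.pub"
  : "${COSIGN_PASSWORD:?COSIGN_PASSWORD must be set in the context}"
  sign_image_by_digest "$workdir/cosign.key" "$IMAGE_DIGEST"
  verify_image "$workdir/cosign.pub" "$IMAGE_DIGEST"
}

# Run only when an image was supplied, so the functions can be sourced and
# tested without a registry or a cosign binary present.
if [ -n "${IMAGE_DIGEST:-}" ]; then
  sign_and_verify
fi
```

In the CircleCI job the script is the body of the `run` step after `cosign/install`, and the context attached to the workflow supplies the three secrets; the decoded key files live only in a temporary directory that the trap removes when the step ends.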