Skip to content

feat(lab8): cosign sign + SBOM/provenance attestations + blob signing#9

Open
StefFashka wants to merge 1 commit into
mainfrom
feature/lab8
Open

feat(lab8): cosign sign + SBOM/provenance attestations + blob signing#9
StefFashka wants to merge 1 commit into
mainfrom
feature/lab8

Conversation

@StefFashka

Copy link
Copy Markdown
Owner

Goal

Sign OWASP Juice Shop v20.0.0 in a local OCI registry with Cosign, attach SBOM and provenance attestations, and complete blob signing verification for the Lab 8 bonus task.

Changes

  • submissions/lab8.md — added the Lab 8 submission with signing evidence, tamper demo, SBOM/provenance attestation results, and blob signing mitigation notes.
  • labs/lab8/keys/cosign.pub — added the public Cosign key used to verify image signatures and attestations.

Testing

docker ps --filter name=lab8-registry --format 'table {{.Names}}\t{{.Status}}\t{{.Ports}}'
# Expected: lab8-registry Up ... 127.0.0.1:5000->5000/tcp
cosign verify --key labs/lab8/keys/cosign.pub --insecure-ignore-tlog --allow-http-registry `
  localhost:5000/juice-shop@sha256:28870b9d2bec49e605d6ebbf4b22ed1ec1ca0a72347ef19217bbbb21ea44e3fe
# Expected: signature verification succeeds
cosign verify --key labs/lab8/keys/cosign.pub --insecure-ignore-tlog --allow-http-registry `
  localhost:5000/juice-shop@sha256:c64c687cbea9300178b30c95835354e34c4e4febc4badfe27102879de0483b5e
# Expected: fails with "no signatures found"
cosign verify-attestation --key labs/lab8/keys/cosign.pub --insecure-ignore-tlog --type cyclonedx --allow-http-registry `
  localhost:5000/juice-shop@sha256:28870b9d2bec49e605d6ebbf4b22ed1ec1ca0a72347ef19217bbbb21ea44e3fe
# Expected: SBOM attestation verification succeeds
cosign verify-blob --key cosign.pub --bundle my-tool.tar.gz.bundle --insecure-ignore-tlog my-tool.tar.gz
# Expected: Verified OK

Artifacts & Screenshots

Submission report: submissions/lab8.md
Public Cosign key: labs/lab8/keys/cosign.pub

Required checklist:

  • Task 1 — Image signed + tamper demo (both shown)
  • Task 2 — SBOM + provenance attestations attached and verified
  • Bonus — Blob signed + verify-blob success + tamper failure

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant