Skip to content

feat(lab8): cosign sign + SBOM/provenance attestations + blob signing#8

Open
demonit4028 wants to merge 1 commit into
mainfrom
feature/lab8
Open

feat(lab8): cosign sign + SBOM/provenance attestations + blob signing#8
demonit4028 wants to merge 1 commit into
mainfrom
feature/lab8

Conversation

@demonit4028

Copy link
Copy Markdown
Owner

Goal

Sign the Juice Shop image with Cosign in a local registry, attach CycloneDX SBOM + SLSA provenance attestations, and demonstrate blob signing to mitigate the Codecov 2021 attack class.

Changes

  • submissions/lab8.md β€” full lab report with all outputs and analysis
  • labs/lab8/keys/cosign.pub β€” public key (private key gitignored)
  • labs/lab8/results/juice-shop-digest.txt β€” captured registry digest
  • labs/lab8/results/verify-original.json β€” cosign verify output (pass)
  • labs/lab8/results/verify-tampered.txt β€” cosign verify output (fail)
  • labs/lab8/results/sbom-from-attestation.json β€” SBOM extracted from attestation
  • labs/lab8/results/provenance-verify.json β€” provenance verification output
  • labs/lab8/results/my-tool.tar.gz β€” signed tarball (bonus)
  • labs/lab8/results/my-tool.tar.gz.bundle β€” blob signature bundle (bonus)

Testing

# Task 1: Sign + verify
cosign verify --key labs/lab8/keys/cosign.pub --insecure-ignore-tlog --allow-http-registry \
  localhost:5000/juice-shop@sha256:8c76bce948965bcb2ad33c24a659d58f307d679ff48ec253a3d29138329f3c0d
# PASS β€” signature verified against public key

# Task 1: Tamper demo
cosign verify --key labs/lab8/keys/cosign.pub --insecure-ignore-tlog --allow-http-registry \
  localhost:5000/juice-shop@sha256:6c2a9711b0a9f32b0239d9222eb1072309cf46c6431d319ae249186d811a987c
# FAIL β€” "no signatures found"

# Task 2: SBOM attestation verify
cosign verify-attestation --key labs/lab8/keys/cosign.pub --type cyclonedx \
  --insecure-ignore-tlog --allow-http-registry \
  localhost:5000/juice-shop@sha256:8c76bce948965bcb2ad33c24a659d58f307d679ff48ec253a3d29138329f3c0d
# PASS β€” 3069 components match Lab 4 SBOM

# Task 2: Provenance attestation verify
cosign verify-attestation --key labs/lab8/keys/cosign.pub --type slsaprovenance \
  --insecure-ignore-tlog --allow-http-registry \
  localhost:5000/juice-shop@sha256:8c76bce948965bcb2ad33c24a659d58f307d679ff48ec253a3d29138329f3c0d
# PASS β€” builder: https://localhost/lab8-student

# Bonus: Blob verify
cosign verify-blob --key cosign.pub --bundle my-tool.tar.gz.bundle \
  --insecure-ignore-tlog my-tool.tar.gz
# "Verified OK"

# Bonus: Blob tamper test
echo "MALICIOUS PAYLOAD" >> my-tool.tar.gz
cosign verify-blob --key cosign.pub --bundle my-tool.tar.gz.bundle \
  --insecure-ignore-tlog my-tool.tar.gz
# FAIL β€” "invalid signature"

Artifacts & Screenshots

  • submissions/lab8.md β€” full report with all outputs and analysis questions answered

Checklist

  • Title follows feat(labN): <topic> format
  • No secrets or large temp files committed
  • Submission file at submissions/lab8.md exists

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant