
feat(lab8): cosign sign + SBOM/provenance attestations + blob signing#8

Merged: RII6 merged 2 commits into main from feature/lab8 on Jun 29, 2026

Conversation

@RII6 (Owner) commented Jun 29, 2026

Goal

Implement cryptographic signatures and attestations (SBOM, provenance) using Sigstore/Cosign to protect container images against supply chain attacks.

Changes

  • Generated a Cosign keypair (verified that gitleaks correctly prevents committing the private key).
  • Signed the Juice Shop container image digest in a local OCI registry.
  • Attached cryptographic attestations to the image: the component list (CycloneDX SBOM from Lab 4) and a build report (SLSA Provenance).
  • Completed the bonus task of signing arbitrary local files (blob signing).
  • Documented all verification results and analytical answers in submissions/lab8.md.

Testing

  • Successfully verified the signature of the original image using cosign verify.
  • Performed a tag-tampering simulation: proved that cosign verify correctly blocks the modified image (no signatures found).
  • Successfully extracted and verified the integrity of the attached SBOM via cosign verify-attestation.
  • Bonus: successfully verified the my-tool.tar.gz.bundle and simulated the Codecov 2021 attack, confirming cosign verify-blob instantly blocks execution when MALICIOUS PAYLOAD is appended.

Artifacts & Screenshots

  • Submission and analysis file: submissions/lab8.md
  • Public key for verification: labs/lab8/keys/cosign.pub

Checklist

  • Task 1 — Image signed + tamper demo (both shown)
  • Task 2 — SBOM + provenance attestations attached and verified
  • Bonus — Blob signed + verify-blob success + tamper failure
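The procedure the PR describes (sign the image digest, attach the CycloneDX SBOM and SLSA provenance as attestations, sign a release tarball, then run the tag-tampering and appended-payload checks), written out as one script. This is an added example for the reader, not code from the lab repository or from the Sigstore project. Assumed names: the image is referenced as `localhost:5000/juice-shop@sha256:<digest>` (the digest printed by `docker push`), and `sbom.cdx.json`, `provenance.json` and `my-tool.tar.gz` stand in for the lab's artifacts. The `OFFLINE` toggle, `require_digest_ref`, `verify_then_extract` and `tamper_demo` are this example's own helpers, not cosign features.

```shell
#!/bin/sh
# Added example (not the lab's own scripts): keyed Sigstore/cosign flow with the
# verification gates a consumer should apply before trusting an image or a blob.
set -eu

# cosign reads the key password from COSIGN_PASSWORD; an empty value is accepted,
# so exporting it keeps every step non-interactive (CI friendly).
export COSIGN_PASSWORD="${COSIGN_PASSWORD:-}"

# OFFLINE=1 (assumed toggle for a lab without network) skips the Rekor transparency
# log on signing and tells verification not to require a log entry. That drops the
# public, tamper-evident record of the signature, so keep the default (0) outside a lab.
OFFLINE="${OFFLINE:-0}"
if [ "$OFFLINE" = 1 ]; then
  SIGN_TLOG='--tlog-upload=false'; VERIFY_TLOG='--insecure-ignore-tlog'
else
  SIGN_TLOG=''; VERIFY_TLOG=''
fi

# A tag is a mutable pointer that can be re-aimed at another image after signing;
# only a name@sha256:... reference names the bytes the signature covers.
require_digest_ref() {  # require_digest_ref <image ref>
  case "$1" in
    *@sha256:*) return 0 ;;
    *) echo "refusing mutable tag reference: $1 (use name@sha256:<digest>)" >&2; return 1 ;;
  esac
}

sign_image() {    # sign_image <image@sha256:...> <private key>
  require_digest_ref "$1"
  cosign sign --yes --key "$2" $SIGN_TLOG "$1"
}

verify_image() {  # verify_image <image@sha256:...> <public key>; non-zero when no valid signature
  require_digest_ref "$1"
  cosign verify --key "$2" $VERIFY_TLOG "$1" >/dev/null
}

attest_image() {  # attest_image <image@sha256:...> <private key> <sbom.cdx.json> <provenance.json>
  require_digest_ref "$1"
  cosign attest --yes --key "$2" $SIGN_TLOG --type cyclonedx      --predicate "$3" "$1"
  cosign attest --yes --key "$2" $SIGN_TLOG --type slsaprovenance --predicate "$4" "$1"
}

# Prints the CycloneDX predicate only after the DSSE envelope's signature checks out,
# so an SBOM that was swapped or never signed produces an error instead of JSON.
verified_sbom() { # verified_sbom <image@sha256:...> <public key>
  require_digest_ref "$1"
  cosign verify-attestation --key "$2" $VERIFY_TLOG --type cyclonedx "$1" \
    | jq -r '.payload' | base64 -d | jq '.predicate'
}

sign_blob() {     # sign_blob <file> <private key>; writes <file>.bundle next to the file
  cosign sign-blob --yes --key "$2" $SIGN_TLOG --bundle "$1.bundle" "$1"
}

verify_blob() {   # verify_blob <file> <bundle> <public key>; exit status is the verdict
  cosign verify-blob --key "$3" $VERIFY_TLOG --bundle "$2" "$1" >/dev/null 2>&1
}

# The Codecov 2021 lesson: never `curl | bash`. Fetch, verify, and only then unpack.
# Nothing is extracted unless the bundle's signature matches the exact bytes on disk.
verify_then_extract() {  # verify_then_extract <tarball> <bundle> <public key> <dest dir>
  if ! verify_blob "$1" "$2" "$3"; then
    echo "signature check FAILED for $1; refusing to extract" >&2
    return 1
  fi
  mkdir -p "$4" && tar -xzf "$1" -C "$4"
}

# Appending a single line changes the SHA-256 the signature was made over, so the
# tampered copy must be rejected while the original still verifies.
tamper_demo() {          # tamper_demo <tarball> <bundle> <public key>
  tampered=$(mktemp)
  cp "$1" "$tampered"
  printf '\nMALICIOUS PAYLOAD\n' >> "$tampered"
  if verify_blob "$tampered" "$2" "$3"; then
    echo "unexpected: tampered copy verified" >&2; rm -f "$tampered"; return 1
  fi
  rm -f "$tampered"
  echo "tampered copy rejected as expected"
}

# Usage: sh lab8_cosign.sh demo localhost:5000/juice-shop@sha256:<digest>
if [ "${1:-}" = demo ]; then
  IMG="${2:?image digest reference required}"
  cosign generate-key-pair   # writes cosign.key and cosign.pub; commit only cosign.pub
  sign_image "$IMG" cosign.key
  verify_image "$IMG" cosign.pub && echo "image signature OK"
  attest_image "$IMG" cosign.key sbom.cdx.json provenance.json
  verified_sbom "$IMG" cosign.pub | jq '.components | length'
  sign_blob my-tool.tar.gz cosign.key
  verify_then_extract my-tool.tar.gz my-tool.tar.gz.bundle cosign.pub ./my-tool
  tamper_demo my-tool.tar.gz my-tool.tar.gz.bundle cosign.pub
fi
```

Two checks worth keeping in mind when reproducing the lab: `cosign verify` against a tag that has been re-pointed at an unsigned image fails with "no signatures found" because the signature is attached to the original digest, not to the tag; and `cosign verify-blob` only reports a verdict, so the script above, not cosign, is what refuses to extract or run the tarball when that verdict is negative.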

RII6 and others added 2 commits on June 28, 2026 at 18:49:
Translated sections from Russian to English for clarity and accessibility.
RII6 merged commit 22c20f7 into main on Jun 29, 2026. 1 check passed.