Google open sources cosign tool for verifying containers

May 11, 2021  By Pierluigi Paganini


Google has released a new open-source tool called cosign that could allow administrators to sign and verify the container images.

Google has released a new open-source tool called cosign that allows to sign, verify container images, it was developed to make signatures invisible infrastructure.

Cosign supports:

  • Hardware and KMS signing
  • Bring-your-own PKI
  • Our free OIDC PKI (Fulcio)
  • Built-in binary transparency and timestamping service (Rekor)

The tool was developed in collaboration with the Linux Foundation’s sigstore project. The IT giant used the tool to sign its Distroless images and the users could verify them using the cosign tool.

“Distroless” images only contain the user’s application and its runtime dependencies, they do not contain package managers, shells, or any other programs that are ordinarily present in a standard Linux distribution.

The Internet giant has integrated cosign into the distroless CI system.

“To start signing distroless we integrated cosign into the distroless CI system, which builds and pushes images via Cloud Build. Signing every distroless image was as easy as adding an additional Cloud Build step to the Cloud Build job responsible for building and pushing the images.” states Google. “This additional step uses the cosign container image and a key pair stored in GCP KMS to sign every distroless image. With this additional signing step, users can now verify that the distroless image they’re running was built in the correct CI environment.”

Kubernetes is already using the tool to verify images, it aims at establishing a consumable, introspectable, and secure supply chain for the project.

“By collaborating with the sigstore maintainers (who are fellow Kubernetes contributors) to integrate signing and transparency into our supply chain, we hope to be an exemplar for standards in the cloud native (and wider) tech industry, said Stephen Augustus, co-chair for Kubernetes SIG Release.” continues Google.

Google will integrate new additional sigstore technologies into distroless in the next months.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PLA Unit 61419)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

FBI and Australia ACSC agencies warn of ongoing Avaddon ransomware attacks

 The FBI and Australian Australian Cyber Security Centre (ACSC) warn of an ongoing Avaddon ransomware campaign targeting...