Google has released a new open-source tool called cosign that allows to sign, verify container images, it was developed to make signatures invisible infrastructure.
The tool was developed in collaboration with the Linux Foundation’s sigstore project. The IT giant used the tool to sign its Distroless images and the users could verify them using the cosign tool.
“Distroless” images only contain the user’s application and its runtime dependencies, they do not contain package managers, shells, or any other programs that are ordinarily present in a standard Linux distribution.
The Internet giant has integrated cosign into the distroless CI system.
“To start signing distroless we integrated cosign into the distroless CI system, which builds and pushes images via Cloud Build. Signing every distroless image was as easy as adding an additional Cloud Build step to the Cloud Build job responsible for building and pushing the images.” states Google. “This additional step uses the cosign container image and a key pair stored in GCP KMS to sign every distroless image. With this additional signing step, users can now verify that the distroless image they’re running was built in the correct CI environment.”
Kubernetes is already using the tool to verify images, it aims at establishing a consumable, introspectable, and secure supply chain for the project.
“By collaborating with the sigstore maintainers (who are fellow Kubernetes contributors) to integrate signing and transparency into our supply chain, we hope to be an exemplar for standards in the cloud native (and wider) tech industry, said Stephen Augustus, co-chair for Kubernetes SIG Release.” continues Google.
Google will integrate new additional sigstore technologies into distroless in the next months.
(SecurityAffairs – hacking, PLA Unit 61419)