Image and Artifacts Management

The Nirmata CLI comes bundled with cosign that can be used for signing and verifying container images, Kubernetes manifests and any other artifacts. We ensure compatibility with the underlying signing tool.

Currently, Sigstore Cosign is the supported tool for signing. In future releases, support for Notation will also be added.

To learn more about how to generate and manage keys in a production environment, refer to the official Cosign documentation . In this guide, we will generate a local key pair for signing images and manifests.

Generate Keys

nctl images cosign generate-key-pair

This generates cosign.key and locally.

Image Signing and Verification

Sign container image using,

nctl images cosign sign --key cosign.key <image>

Use the key in the image verification policy. Refer to this sample policy .

Manifests signing and validation

Sign any manifest using,

nctl manifests cosign sign -f </path/to/manifest> -k cosign.key --tarball no -o signed-manifest.yaml

Use the key in the validate manifest integrity policy. Refer to this sample policy .