The Nirmata CLI comes bundled with cosign, which can be used for signing and verifying container images, Kubernetes manifests and any other artifacts. We ensure compatibility with the underlying signing tool.
Currently, Sigstore Cosign is the supported tool for signing. In future releases, support for Notation will also be added.
To learn more about how to generate and manage keys in a production environment, refer to the official Cosign documentation. In this guide, we will generate a local key pair for signing images and manifests.
Generate Keys
nctl images cosign generate-key-pair
This generates cosign.key and cosign.pub locally.
Image Signing and Verification
Sign a container image using:
nctl images cosign sign --key cosign.key <image>
Use the cosign.pub key in the image verification policy. Refer to this sample policy.
Manifest Signing and Validation
Sign any manifest using:
nctl manifests cosign sign -f </path/to/manifest> -k cosign.key --tarball no -o signed-manifest.yaml
Use the cosign.pub key in the validate manifest integrity policy. Refer to this sample policy.
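As an added example (not the sample policies this page links to), the following single policy uses cosign.pub for both checks described above: image signatures and manifest signatures. It assumes the image verification and manifest integrity policies are Kyverno ClusterPolicies; the registry pattern, the resource kinds and the public key block are placeholders to be replaced with your own values.

```yaml
# Added example, not the page's sample policy. Assumes the policy engine is
# Kyverno and that cosign.pub is a PEM-encoded public key (placeholder
# contents below: paste the real cosign.pub, unchanged, in its place).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-cosign-signatures
spec:
  validationFailureAction: Enforce   # reject, rather than only audit, unsigned input
  rules:
    # Rule 1: images signed with `nctl images cosign sign --key cosign.key <image>`
    - name: verify-image-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"   # placeholder: restrict to your own registry
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <contents of cosign.pub>
                      -----END PUBLIC KEY-----
    # Rule 2: manifests signed with `nctl manifests cosign sign ... -k cosign.key`
    - name: verify-manifest-signature
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
      validate:
        message: "manifest is not signed by the expected cosign key"
        manifests:
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <contents of cosign.pub>
                      -----END PUBLIC KEY-----
```

Apply it with kubectl apply -f before deploying signed workloads; a Pod whose image or a Deployment whose manifest was not signed with cosign.key is then rejected at admission.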