
## Installation

| Platform | Command |
|----------|---------|
| Ubuntu/Debian | `LATEST=$(curl -s https://api.github.com/repos/sigstore/cosign/releases/latest \| grep tag_name \| cut -d '"' -f4 \| tr -d v) && wget https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST}_amd64.deb && sudo dpkg -i cosign_${LATEST}_amd64.deb` |
| RHEL/Fedora/CentOS | `LATEST=$(curl -s https://api.github.com/repos/sigstore/cosign/releases/latest \| grep tag_name \| cut -d '"' -f4 \| tr -d v) && wget https://github.com/sigstore/cosign/releases/latest/download/cosign-${LATEST}-1.x86_64.rpm && sudo rpm -ivh cosign-${LATEST}-1.x86_64.rpm` |
| macOS (Homebrew) | `brew install cosign` |
| macOS (Binary) | `curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-darwin-amd64 && sudo mv cosign-darwin-amd64 /usr/local/bin/cosign && sudo chmod +x /usr/local/bin/cosign` |
| macOS (Apple Silicon) | `curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-darwin-arm64 && sudo mv cosign-darwin-arm64 /usr/local/bin/cosign && sudo chmod +x /usr/local/bin/cosign` |
| Windows (Scoop) | `scoop install cosign` |
| Windows (Chocolatey) | `choco install cosign` |
| Windows (winget) | `winget install sigstore.cosign` |
| Linux (Generic Binary) | `curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 && sudo mv cosign-linux-amd64 /usr/local/bin/cosign && sudo chmod +x /usr/local/bin/cosign` |
| Arch Linux | `yay -S cosign` |
| Container | `docker run --rm gcr.io/projectsigstore/cosign:latest version` |
| Verify Installation | `cosign version` |

The `.deb` and `.rpm` assets carry the release version in their file name, so the version has to be looked up first; the raw binaries (`cosign-linux-amd64`, `cosign-darwin-arm64`, ...) are unversioned. Release assets are themselves signed with cosign: when bootstrapping a verifier from a downloaded binary, check the accompanying `.sig` on the release page with `cosign verify-blob` before trusting it.
## Basic Commands

| Command | Description |
|---------|-------------|
| `cosign version` | Show cosign version information |
| `cosign help` | Show all available commands and options |
| `cosign generate-key-pair` | Generate a new key pair (`cosign.key`, encrypted with a passphrase, and `cosign.pub`) |
| `cosign generate-key-pair --output-key-prefix mykey` | Generate a key pair with a custom file prefix (`mykey.key`, `mykey.pub`) |
| `cosign sign --key cosign.key IMAGE_URI` | Sign a container image with the private key |
| `cosign sign IMAGE_URI` | Sign in keyless mode (OIDC identity, short-lived Fulcio certificate; the default in cosign 2.x, needs `COSIGN_EXPERIMENTAL=1` in 1.x) |
| `cosign verify --key cosign.pub IMAGE_URI` | Verify an image signature with the public key |
| `cosign verify IMAGE_URI` | Verify a keyless signature (cosign 2.x also requires `--certificate-identity` and `--certificate-oidc-issuer`, see below) |
| `cosign sign --key cosign.key -a key=value IMAGE_URI` | Sign an image with custom annotations (stored in the signed payload's `optional` section) |
| `cosign verify --key cosign.pub -a key=value IMAGE_URI` | Verify the signature and require the given annotations to be present with these values |
| `cosign triangulate IMAGE_URI` | Print the registry reference where the image's signature is stored (`<repo>:sha256-<digest>.sig`) |
| `cosign download signature IMAGE_URI` | Download the signature for an image (no verification is performed) |
| `cosign download attestation IMAGE_URI` | Download the attestations for an image (no verification is performed) |
| `cosign copy SOURCE_IMAGE DEST_IMAGE` | Copy an image together with its signatures, attestations and SBOMs to a new location |
| `cosign sign --key cosign.key IMAGE1 IMAGE2 IMAGE3` | Sign multiple images at once |
| `cosign verify --key cosign.pub IMAGE_URI --output json` | Output verification results as JSON |
| `cosign sign --key cosign.key gcr.io/project/image@sha256:abc123...` | Sign a specific image digest (tags are mutable; cosign always signs the resolved digest) |
| `cosign public-key --key cosign.key` | Extract the public key from the private key |
| `cosign initialize` | Initialize the local TUF trust root (Fulcio, Rekor and CT log keys) under `~/.sigstore` |
| `cosign tree IMAGE_URI` | Show the signature and attestation tree for an image |
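
The conventions behind `triangulate`, `copy`, `COSIGN_REPOSITORY` and the `-a key=value` annotations are easiest to see in code. The following is an added example in Python, not cosign's own code: it reproduces where cosign stores an image's attachments (a tag derived from the image digest, in the image's own repository unless a signature repository is configured) and the simple-signing JSON that `cosign sign --key` signs and `cosign verify` prints. The reference parser follows Docker's defaulting rules but is a simplified reimplementation; the digest used in the usage block is constructed.

```python
"""How cosign locates an image's signature and what `cosign sign --key` actually
signs. Added example (not cosign's code); the reference parser below follows
Docker's defaulting rules but is simplified."""
import json
import re

_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
ATTACHMENTS = ("sig", "att", "sbom")  # cosign tag suffixes: signature, attestation, SBOM


def parse_reference(ref: str) -> dict:
    """Split registry/repository[:tag][@sha256:hex] into parts.
    Docker defaults: no registry -> index.docker.io, single-component path -> library/."""
    digest = tag = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError("bad digest: %r" % digest)
    first, _, rest = ref.partition("/")
    # The first path component is a registry only if it looks like a host
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "index.docker.io", ref
        if "/" not in path:
            path = "library/" + path
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def triangulate(ref: str, attachment: str = "sig", signature_repository: str = None) -> str:
    """The tag `cosign triangulate` reports: <repo>:sha256-<hex>.<sig|att|sbom>.
    Attachments are keyed by the image *digest*, which is why a tag alone is not
    enough and why `docker tag`/`crane copy` of the image leaves them behind.
    signature_repository models COSIGN_REPOSITORY."""
    if attachment not in ATTACHMENTS:
        raise ValueError("attachment must be one of %s" % (ATTACHMENTS,))
    r = parse_reference(ref)
    if r["digest"] is None:
        raise ValueError("resolve the tag to a digest first (cosign asks the registry)")
    repo = signature_repository or "%s/%s" % (r["registry"], r["repository"])
    return "%s:%s.%s" % (repo, r["digest"].replace(":", "-"), attachment)


def simple_signing_payload(ref: str, annotations: dict = None) -> bytes:
    """The JSON that `cosign sign --key` signs and `cosign verify` prints
    (simple-signing format). `-a key=value` annotations land under "optional"."""
    r = parse_reference(ref)
    if r["digest"] is None:
        raise ValueError("cosign signs a digest, never a tag")
    payload = {
        "critical": {
            "identity": {"docker-reference": "%s/%s" % (r["registry"], r["repository"])},
            "image": {"docker-manifest-digest": r["digest"]},
            "type": "cosign container image signature",
        },
        "optional": annotations or None,
    }
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


def annotations_match(payload: bytes, required: dict) -> bool:
    """What `cosign verify -a key=value` checks after the signature itself:
    every required annotation is present in "optional" with the same value."""
    optional = json.loads(payload).get("optional") or {}
    return all(optional.get(k) == v for k, v in required.items())


if __name__ == "__main__":
    digest = "sha256:" + "ab" * 32  # constructed digest
    print(triangulate("myregistry.io/myapp@" + digest))
    print(triangulate("myregistry.io/myapp@" + digest, "att", "registry.example.com/signatures"))
    print(simple_signing_payload("myregistry.io/myapp:v1.0@" + digest, {"env": "prod"}).decode())
```

Because the attachment tag is derived from the digest rather than the tag, a re-pushed `:latest` silently loses its signature, and a registry copy that only moves the image tag (as `docker tag` and `crane copy` do) leaves the `.sig`/`.att`/`.sbom` tags behind; `cosign copy` exists for that reason.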
## Advanced Commands

| Command | Description |
|---------|-------------|
| `cosign generate-key-pair --kms gcpkms://projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY` | Create a signing key in Google Cloud KMS (the private key never leaves the KMS) |
| `cosign generate-key-pair --kms awskms:///arn:aws:kms:region:account:key/key-id` | Create a signing key in AWS KMS (format `awskms://[ENDPOINT]/[KEY ID, alias or ARN]`; with no custom endpoint the URI has three slashes) |
| `cosign generate-key-pair --kms azurekms://VAULT.vault.azure.net/KEY` | Create a signing key in Azure Key Vault (format `azurekms://[VAULT_NAME][VAULT_URL]/[KEY_NAME][/KEY_VERSION]`, with no `/keys/` path segment) |
| `cosign generate-key-pair --kms hashivault://KEY` | Create a signing key in HashiCorp Vault's transit engine (the engine mount comes from `TRANSIT_SECRET_ENGINE_PATH`, default `transit`, not from the URI) |
| `cosign attest --key cosign.key --predicate predicate.json IMAGE_URI` | Attach an in-toto attestation to an image (default predicate type `custom`) |
| `cosign attest --key cosign.key --type slsaprovenance --predicate provenance.json IMAGE_URI` | Attach a SLSA provenance attestation |
| `cosign attest --key cosign.key --type vuln --predicate scan-results.json IMAGE_URI` | Attach a vulnerability scan attestation (the predicate must follow the cosign vuln spec, e.g. `trivy --format cosign-vuln`) |
| `cosign attest --key cosign.key --type spdx --predicate sbom.spdx.json IMAGE_URI` | Attach an SBOM attestation (`spdx` embeds the file as a string; use `spdxjson` for a JSON SPDX document) |
| `cosign verify-attestation --key cosign.pub IMAGE_URI` | Verify the attestations on an image |
| `cosign verify-attestation --key cosign.pub --type slsaprovenance IMAGE_URI` | Verify only attestations of a specific predicate type |
| `cosign verify-attestation --key cosign.pub --policy policy.cue IMAGE_URI` | Verify the attestation and evaluate its statement against a CUE policy |
| `cosign sign-blob --key cosign.key --output-signature file.sig file.txt` | Sign an arbitrary file (not a container image) |
| `cosign verify-blob --key cosign.pub --signature file.sig file.txt` | Verify a blob signature |
| `cosign sign --key cosign.key --timestamp-server-url http://timestamp.server IMAGE_URI` | Sign with an RFC 3161 timestamp (verify later with `--timestamp-certificate-chain`) |
| `cosign verify --certificate-identity user@example.com --certificate-oidc-issuer https://accounts.google.com IMAGE_URI` | Verify a keyless signature against the signer's identity and OIDC issuer |
| `cosign verify --key cosign.pub --rekor-url https://rekor.sigstore.dev IMAGE_URI` | Verify against a specific Rekor transparency log |
| `cosign verify --key cosign.pub --insecure-ignore-tlog IMAGE_URI` | Verify without checking the transparency log (only where the log is deliberately out of scope, e.g. air-gapped) |
| `cosign copy --platform linux/amd64 SOURCE_IMAGE DEST_IMAGE` | Copy only the image for a specific platform |
| `cosign copy --sig-only SOURCE_IMAGE DEST_IMAGE` | Copy only the signatures (not the image) |
| `cosign manifest verify --key cosign.pub manifest.yaml` | Verify the signatures of every image referenced in a Kubernetes manifest |
| `cosign upload blob -f file.txt IMAGE_URI` | Upload an arbitrary blob to the registry as an OCI artifact (Rekor uploads happen as part of `sign`) |
| `cosign sign --key cosign.key -r gcr.io/myproject/myimage` | Sign recursively: the multi-arch index plus every platform manifest it references |
| `cosign verify --key cosign.pub --certificate-chain chain.pem IMAGE_URI` | Verify with an explicit certificate chain |
| `cosign attach signature --signature sig.json IMAGE_URI` | Manually attach a pre-computed signature to an image |
| `cosign attach attestation --attestation att.json IMAGE_URI` | Manually attach an attestation to an image |
## Settings

### Environment Variables

```bash
# Keyless signing: cosign 1.x required this flag; 2.x signs keyless by default
export COSIGN_EXPERIMENTAL=1

# Custom Rekor, Fulcio and OIDC endpoints are command-line flags, not
# environment variables: --rekor-url, --fulcio-url, --oidc-issuer, --oidc-client-id
#   cosign sign --rekor-url https://rekor.example.com --fulcio-url https://fulcio.example.com IMAGE_URI

# OIDC token for non-interactive keyless signing in CI (used when no
# --identity-token is given and no ambient provider applies)
export SIGSTORE_ID_TOKEN="$OIDC_TOKEN"

# Store signatures and attestations in a different repository than the image
export COSIGN_REPOSITORY=registry.example.com/signatures

# Passphrase of the encrypted private key (CI/CD use; inject it from a secret store)
export COSIGN_PASSWORD=your-password-here

# Trust roots: there is no variable that skips TUF. Use `cosign initialize --mirror/--root`
# for a private Sigstore instance, or point at your own Fulcio root and Rekor key:
export SIGSTORE_ROOT_FILE=/path/to/fulcio-root.pem
export SIGSTORE_REKOR_PUBLIC_KEY=/path/to/rekor.pub

# Registry credentials come from the Docker config (docker login / cosign login)
export DOCKER_CONFIG=/path/to/.docker

# List the variables this cosign build honours
cosign env
```

## Advanced Usage

### CUE policy file example
```cue
// policy.cue - Example attestation policy for SLSA v0.2 provenance.
// cosign evaluates the policy against the whole in-toto statement, so both
// predicateType and the predicate body are constrained here.
predicateType: "https://slsa.dev/provenance/v0.2"

predicate: {
  buildType: "https://cloudbuild.googleapis.com/CloudBuildYaml@v1"
  builder: id: =~"^https://cloudbuild.googleapis.com/"

  invocation: {
    configSource: {
      // SLSA v0.2 names the source location `uri` (there is no `repository` field);
      // builders usually emit it as git+https://..., so allow that prefix
      uri: =~"^(git\\+)?https://github.com/myorg/"
    }
  }
}
```
```

### Vulnerability scan attestation policy
```cue
// vuln-policy.cue - Require no critical vulnerabilities.
// Assumes the predicate was produced by `trivy image --format cosign-vuln`:
// the cosign vuln spec has scanner.uri/version/db/result (no scanner.name),
// and Trivy puts its full JSON report under scanner.result.
predicateType: "https://cosign.sigstore.dev/attestation/vuln/v1"

predicate: {
  scanner: {
    uri: =~"aquasecurity/trivy"

    // No finding at CRITICAL severity in any scanned target; Trivy omits the
    // Vulnerabilities key for clean targets, hence the optional field
    result: Results: [...{
      Vulnerabilities?: [...{Severity: !="CRITICAL"}]
    }]
  }

  metadata: {
    scanFinishedOn: string
  }
}
```
```

### GitHub Actions integration
```yaml
# .github/workflows/sign.yml
name: Sign Container Image
on: [push]

permissions:
  contents: read
  id-token: write  # Required for keyless signing: Fulcio is given the job's OIDC token
  packages: write

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - name: Login to Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # ghcr.io requires a lowercase repository name; github.repository keeps the owner's case
      - name: Build Image
        run: docker build -t ghcr.io/${{ github.repository }}:latest .

      - name: Push Image
        run: docker push ghcr.io/${{ github.repository }}:latest

      - name: Sign Image (Keyless)
        # Sign the pushed digest rather than the mutable tag, so the signature stays
        # bound to exactly this image after :latest moves on
        run: |
          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ github.repository }}:latest)
          cosign sign --yes "$DIGEST"
```
```

## Common Use Cases

### Use case 1: Sign and verify a container image with a key pair

```bash
# Generate a key pair (prompts for a passphrase that encrypts cosign.key)
cosign generate-key-pair

# Build your container image
docker build -t myregistry.io/myapp:v1.0 .

# Push the image to the registry
docker push myregistry.io/myapp:v1.0

# Sign the image (cosign resolves the tag to its digest and signs the digest)
cosign sign --key cosign.key myregistry.io/myapp:v1.0

# Verify the signature
cosign verify --key cosign.pub myregistry.io/myapp:v1.0

# Verify and inspect the signed payload: the digest that was signed is under
# critical.image, annotations from `-a` under optional
cosign verify --key cosign.pub myregistry.io/myapp:v1.0 | jq .
```

### Use case 2: Keyless signing with GitHub Actions
```bash
# cosign 2.x signs keyless by default; 1.x needed this flag
export COSIGN_EXPERIMENTAL=1

# Sign the image (opens a browser for OIDC authentication; the identity is
# recorded in a short-lived Fulcio certificate and logged in Rekor)
cosign sign myregistry.io/myapp:v1.0

# In CI/CD, --yes skips the interactive confirmation prompt
cosign sign --yes myregistry.io/myapp:v1.0

# Verify a keyless signature made by a person who logged in through GitHub
cosign verify \
  --certificate-identity user@example.com \
  --certificate-oidc-issuer https://github.com/login/oauth \
  myregistry.io/myapp:v1.0

# Verify a signature made by a GitHub Actions workflow: the identity is the
# workflow file plus the git ref it ran on, the issuer is the Actions token service.
# Pin the ref; a regexp (--certificate-identity-regexp) that matches any branch
# lets a workflow run from an unreviewed branch pass
cosign verify \
  --certificate-identity https://github.com/myorg/myrepo/.github/workflows/build.yml@refs/heads/main \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  myregistry.io/myapp:v1.0
```

### Use case 3: SBOM attestation

```bash
# Generate an SBOM with syft (SPDX JSON)
syft myregistry.io/myapp:v1.0 -o spdx-json > sbom.spdx.json

# Attach the SBOM as an in-toto attestation. Use the spdxjson type for a JSON
# document: `spdx` embeds the file as an opaque string, `spdxjson` parses it
cosign attest --key cosign.key \
  --type spdxjson \
  --predicate sbom.spdx.json \
  myregistry.io/myapp:v1.0

# Verify the attestation (the type must match what was attested)
cosign verify-attestation --key cosign.pub \
  --type spdxjson \
  myregistry.io/myapp:v1.0

# Extract the SBOM: verify-attestation prints a DSSE envelope whose payload is a
# base64 in-toto statement; cosign places the document under predicate.Data
cosign verify-attestation --key cosign.pub \
  --type spdxjson \
  myregistry.io/myapp:v1.0 | jq -r '.payload' | base64 -d | jq '.predicate.Data'
```

### Use case 4: Signing with a cloud KMS key
```bash
# Create the signing key in Google Cloud KMS (the private key never leaves the KMS)
cosign generate-key-pair --kms gcpkms://projects/my-project/locations/us-central1/keyRings/cosign/cryptoKeys/signing-key

# Sign the image with the KMS key (needs cloud credentials with sign permission)
cosign sign --key gcpkms://projects/my-project/locations/us-central1/keyRings/cosign/cryptoKeys/signing-key \
  myregistry.io/myapp:v1.0

# Export the public key for verifiers that have no KMS access
cosign public-key --key gcpkms://projects/my-project/locations/us-central1/keyRings/cosign/cryptoKeys/signing-key > cosign.pub

# Verify with the exported public key
cosign verify --key cosign.pub myregistry.io/myapp:v1.0

# AWS KMS example. Note the third slash: the format is awskms://[ENDPOINT]/[KEY],
# and the endpoint is empty when using the regional default
cosign sign --key awskms:///arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 \
  myregistry.io/myapp:v1.0
```

### Use case 5: Vulnerability scan policy gate

```bash
# Scan the image. The cosign-vuln format emits the cosign vuln predicate
# (invocation/scanner/metadata) with Trivy's report under scanner.result;
# the plain --format json report does not match the predicate schema
trivy image --format cosign-vuln --output scan-results.json myregistry.io/myapp:v1.0

# Attach the scan results as an attestation
cosign attest --key cosign.key \
  --type vuln \
  --predicate scan-results.json \
  myregistry.io/myapp:v1.0

# Create a policy file: the attestation must come from Trivy
# (the cosign vuln spec has scanner.uri, there is no scanner.name)
cat > vuln-policy.cue <<EOF
predicateType: "https://cosign.sigstore.dev/attestation/vuln/v1"
predicate: {
  scanner: {
    uri: =~"aquasecurity/trivy"
  }
}
EOF

# Verify against the policy
cosign verify-attestation --key cosign.pub \
  --type vuln \
  --policy vuln-policy.cue \
  myregistry.io/myapp:v1.0

# If the policy passes, deploy by digest: the attestation's subject names the
# digest that was scanned, and a tag could point somewhere else by deploy time
DIGEST=$(cosign verify-attestation --key cosign.pub --type vuln --policy vuln-policy.cue \
  myregistry.io/myapp:v1.0 | head -n 1 | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256')
kubectl set image deployment/myapp myapp=myregistry.io/myapp@sha256:$DIGEST
```
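
The SBOM and vulnerability use cases both end with a consumer that has to unpack what `cosign verify-attestation` (or, unverified, `cosign download attestation`) hands back: a DSSE envelope, a base64 in-toto statement inside it, and a predicate inside that. The following is an added example in Python, not cosign's or Trivy's code. It shows the DSSE pre-authentication encoding that the envelope signature actually covers, decodes the statement, and applies the same rules as the CUE vulnerability policy above, plus the check that the statement's subject is the digest about to be deployed. The envelope, digest, scanner version string and finding IDs are all constructed; the signature slot is a placeholder, and checking the signature itself is left to cosign.

```python
"""Consuming a cosign attestation: the DSSE envelope that `cosign verify-attestation`
and `cosign download attestation` emit, the in-toto statement inside it, and a
policy gate over a Trivy `cosign-vuln` predicate. Added example, not cosign's code.
The envelope is constructed here (no registry access); the signature check itself
is left to cosign, but pae() shows the exact bytes that signature covers."""
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
VULN_PREDICATE_TYPE = "https://cosign.sigstore.dev/attestation/vuln/v1"
IMAGE_DIGEST = "sha256:" + "ab" * 32  # constructed digest of the scanned image


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: what each envelope signature is computed over.
    PAE = "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload"""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def decode_statement(envelope: dict) -> dict:
    """The in-toto statement behind `jq -r .payload | base64 -d`."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType %r" % envelope.get("payloadType"))
    return json.loads(base64.b64decode(envelope["payload"]))


def gate_vuln_attestation(envelope: dict, image_digest: str, blocked=("CRITICAL",)) -> tuple:
    """Return (ok, reasons). Same rules as the CUE vuln policy: right predicate type,
    subject bound to the image digest we are about to deploy, Trivy as the scanner,
    and no finding at a blocked severity anywhere in scanner.result.Results."""
    reasons = []
    stmt = decode_statement(envelope)
    if stmt.get("predicateType") != VULN_PREDICATE_TYPE:
        reasons.append("predicateType %r is not the cosign vuln type" % stmt.get("predicateType"))
    hex_digest = image_digest.split(":", 1)[-1]
    if not any(s.get("digest", {}).get("sha256") == hex_digest for s in stmt.get("subject", [])):
        reasons.append("subject digest does not match the image being deployed")
    scanner = stmt.get("predicate", {}).get("scanner", {})
    if "aquasecurity/trivy" not in scanner.get("uri", ""):
        reasons.append("unexpected scanner %r" % scanner.get("uri"))
    for result in scanner.get("result", {}).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is absent when a target is clean
            if v.get("Severity") in blocked:
                reasons.append("%s is %s in %s" % (v.get("VulnerabilityID"), v["Severity"], result.get("Target")))
    return (not reasons, reasons)


def make_envelope(statement: dict) -> dict:
    """Wrap a statement as cosign does. The signature slot is a placeholder: this
    is a constructed sample, not a signed attestation."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": IN_TOTO_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]}


def sample_statement(severities) -> dict:
    """Constructed Trivy cosign-vuln statement with placeholder finding IDs."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": VULN_PREDICATE_TYPE,
        "subject": [{"name": "myregistry.io/myapp", "digest": {"sha256": IMAGE_DIGEST.split(":")[1]}}],
        "predicate": {
            "scanner": {
                "uri": "pkg:github/aquasecurity/trivy@v0.0.0",  # assumed version string
                "result": {"Results": [{
                    "Target": "myapp (alpine)",
                    "Vulnerabilities": [{"VulnerabilityID": "EXAMPLE-%04d" % i, "Severity": s}
                                        for i, s in enumerate(severities, 1)],
                }]},
            },
            "metadata": {"scanFinishedOn": "2024-01-01T00:00:00Z"},
        },
    }


if __name__ == "__main__":
    ok, why = gate_vuln_attestation(make_envelope(sample_statement(["HIGH", "CRITICAL"])), IMAGE_DIGEST)
    print("deploy" if ok else "block: " + "; ".join(why))
```

The subject check matters when the envelope comes from `cosign download attestation` rather than `verify-attestation`: nothing has verified it at that point, so a consumer must check the signature over `pae(...)` with the expected key and confirm the subject digest before acting on the predicate.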
## Troubleshooting

| Problem | Solution |
|---------|----------|
| **Error: "private key password incorrect"** | The passphrase does not match the one given at `generate-key-pair`. For non-interactive use export it: `export COSIGN_PASSWORD=your-password` (inject it from a secret store, not from a script). |
| **Error: "no matching signatures"** | The image is unsigned, was signed with a different key, or its signature lives in another repository. Run `cosign triangulate IMAGE_URI` to see where cosign looks, check whether the signer used `COSIGN_REPOSITORY`, and make sure you are verifying the same digest that was signed. |
| **Error: "UNAUTHORIZED: authentication required"** | Authenticate to the registry first with `docker login` or `cosign login REGISTRY`. Signing also needs push rights, because the signature is pushed as a separate tag. |
| **Keyless signing fails with "no provider found"** | No OIDC token is available. cosign 1.x needs `export COSIGN_EXPERIMENTAL=1` (2.x is keyless by default). In CI grant an ambient token (GitHub Actions: `id-token: write`) or pass `--identity-token`, and make sure Fulcio and Rekor are reachable. |
| **Error: "failed to verify certificate identity"** | Keyless verification needs `--certificate-identity` (or `--certificate-identity-regexp`) and `--certificate-oidc-issuer` that match the signer's certificate. For a GitHub Actions signer the identity is the workflow URL plus git ref, not an e-mail address. |
| **Signatures not found after copying image** | `docker tag`/`docker push` and `crane copy` move only the image. Use `cosign copy SOURCE DEST` so the `.sig`, `.att` and `.sbom` tags are copied along with it. |
| **Error: "tlog entry not found"** | The signature was never recorded in Rekor (for example signed with `--tlog-upload=false`, or against a different Rekor instance). Re-sign, point `--rekor-url` at the right log, or use `--insecure-ignore-tlog` only where the transparency log is deliberately out of scope. |
| **Verification fails in air-gapped environment** | Point cosign at your own trust root: `cosign initialize --mirror https://your-mirror --root root.json`, plus `SIGSTORE_ROOT_FILE` and `SIGSTORE_REKOR_PUBLIC_KEY` for a private Fulcio and Rekor. `--insecure-ignore-tlog` and `--insecure-ignore-sct` switch those checks off entirely and are not for production. |
| **Error: "image is a manifest list"** | By default cosign signs the index digest only. Sign a specific platform image, or use `cosign sign --recursive` to sign the index and every platform manifest it references. |
| **Attestation verification fails with policy** | Check the policy syntax with `cue vet policy.cue` and make sure `predicateType` matches exactly. Compare the policy against the real statement by piping the `cosign verify-attestation` output through `jq -r .payload`, `base64 -d` and `jq .` (a Trivy report sits under `predicate.scanner.result`). |
| **Error: "failed to get public key from KMS"** | Check the cloud credentials (`gcloud auth`, `aws configure`, `az login`, `VAULT_ADDR`/`VAULT_TOKEN`), that the identity may read and sign with the key, and the URI format: `gcpkms://projects/.../cryptoKeys/KEY`, `awskms:///ARN` (three slashes when no endpoint is given), `azurekms://VAULT.vault.azure.net/KEY`, `hashivault://KEY`. |