Sigstore cosign integration
As a component of the Sigstore project, the cosign command supports container signing, verification, and storage in an Open Container Initiative (OCI) registry, with the aim of moving data center operations toward signatures as invisible infrastructure. The stated purpose of the sigstore project is to empower developers to securely sign software artifacts such as release files, binaries, container images, bill of materials manifests, and more. See sigstore Overview, Cosign Overview, and cosign on GitHub.
The Sigstore cosign project supports PKCS#11, so signing operations can happen within PKCS#11-enabled environments such as CyberArk Code Sign Manager - Self-Hosted and other HSM solutions. Code Sign Manager - Self-Hosted's certificate and key pair environments have been tested and verified as compatible.
NOTE The following documentation provides environment-specific commands and examples for setting up and using cosign. Make sure to replace the example names, paths, and variables with those appropriate for your environment.
Prerequisites
- Sigstore cosign 1.3 or newer.
- Code Sign Manager - Self-Hosted 21.4 or newer.
- Access to a container registry, e.g. Docker Hub.
Steps
- Make sure that Code Sign Client 21.4 or newer is properly installed with PKCS#11 configured on the signing workstation.
- Download and install cosign 1.3 or newer. Make sure the version has support enabled for PKCS11key, which is specified by pivkey-pkcs11key in its filename. For example, https://github.com/sigstore/cosign/releases/download/v1.8.0/cosign-linux-pivkey-pkcs11key-amd64.
- List tokens.
  cosign pkcs11-tool list-tokens --module-path /usr/local/lib/venafipkcs11.so
- List key URIs.
  cosign pkcs11-tool list-keys-uris --module-path /Library/Venafi/CodeSigning/lib/venafipkcs11.so
  EXAMPLE OUTPUT
  Object 0
  Label: MyLabel
  ID: 446576656c6f706d7669726f6e6d656e
  URI: pkcs11:token=Remote%20Token;slot-id=0;id=%44%65%76%65%6c%6f%70%6d%65%6e%74;object=Development?module-path=/usr/local/lib/venafipkcs11.so&pin-value=34
- Sign a container manifest.
  ./cosign sign --key "pkcs11:token=Remote%20Token;slot-id=0;id=%44%65%76%65%6c%6f%70%6d%65%6e%74;object=MyLabel?module-path=/usr/local/lib/venafi/venafipkcs11.so&pin-value=sdf" pathname/my-dashboard
- Verify the container manifest signature.
  ./cosign verify --key "pkcs11:token=Remote%20Token;slot-id=0;id=%44%65%76%65%6c%6f%70%6d%65%6e%74;object=MyLabel?module-path=/usr/local/lib/venafi/venafipkcs11.so&pin-value=sdf" pathname/my-dashboard
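The following Python is an added example, not part of this documentation or of the cosign project: it parses the Object/Label/ID/URI listing printed by list-keys-uris, checks that each URI's percent-encoded id decodes to the ID printed beside it, and builds the --key URI used by the sign and verify steps. The listing embedded in it is constructed sample data and the function names are the example's own; it appends pin-value only when a PIN is explicitly passed, since the URI goes on the command line.

```python
from urllib.parse import quote, unquote_to_bytes

# Constructed sample in the format of `cosign pkcs11-tool list-keys-uris` (not real output).
SAMPLE_LISTING = """\
Object 0
Label: Development
ID: 446576656c6f706d656e74
URI: pkcs11:token=Remote%20Token;slot-id=0;id=%44%65%76%65%6c%6f%70%6d%65%6e%74;object=Development?module-path=/usr/local/lib/venafipkcs11.so
"""

def parse_pkcs11_uri(uri: str) -> dict:
    """Split a pkcs11: URI into ';'-separated path and '&'-separated query attributes,
    percent-decoding each value; 'id' comes back as lowercase hex to match the ID line."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in filter(None, path.split(";") + query.split("&")):
        key, _, value = part.partition("=")
        raw = unquote_to_bytes(value)
        attrs[key] = raw.hex() if key == "id" else raw.decode()
    return attrs

def parse_key_listing(text: str) -> list:
    """Parse 'Object N' / 'Label:' / 'ID:' / 'URI:' blocks into one dict per object."""
    objects, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Object "):
            current = {}
            objects.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return objects

def listing_is_consistent(obj: dict) -> bool:
    """True when the URI's percent-encoded id decodes to the hex ID printed beside it."""
    return parse_pkcs11_uri(obj["URI"]).get("id") == obj["ID"].lower()

def build_key_uri(token, slot_id, key_id_hex, obj, module_path, pin=None) -> str:
    """Build the --key URI for `cosign sign` / `cosign verify`. The key id is percent-encoded
    byte by byte, as cosign prints it. pin-value is appended only when given, because the
    whole URI goes on the command line and so into shell history and process listings."""
    key_id = "".join(f"%{b:02x}" for b in bytes.fromhex(key_id_hex))
    path = f"token={quote(token)};slot-id={slot_id};id={key_id};object={quote(obj)}"
    query = f"module-path={quote(module_path, safe='/')}"
    if pin is not None:
        query += f"&pin-value={quote(pin, safe='')}"
    return f"pkcs11:{path}?{query}"
```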
Troubleshooting
For more detailed troubleshooting, enable detailed PKCS#11 logging by substituting <library_path>/venafipkcs11spy.so for <library_path>/venafipkcs11.so wherever the module path is given (the --module-path option and the module-path attribute of the key URI).
FAQ
- What Code Sign Manager - Self-Hosted environments are compatible?
  Certificate and key pair environments have been tested and verified to be compatible.