Skip to content

Commit

Permalink
Readme fixes and improvements (#448)
Browse files Browse the repository at this point in the history
Signed-off-by: João Pereira <[email protected]>
  • Loading branch information
joaodrp authored Jul 17, 2021
1 parent 9c61577 commit 48a2f82
Showing 1 changed file with 16 additions and 15 deletions.
31 changes: 16 additions & 15 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -126,13 +126,10 @@ The following checks were performed on these signatures:
OCI registries are useful for storing more than just container images!
`Cosign` also includes some utilities for publishing generic artifacts, including binaries, scripts, and configuration files using the OCI protocol.

### Blobs

OCI registries are useful for storing more than just container images!
`Cosign` also includes some utilities for publishing generic artifacts, including binaries, scripts, and configuration files using the OCI protocol.

This section shows how to leverage these for an easy-to-use, backwards-compatible artifact distribution system that integrates well with the rest of Sigstore.

### Blobs

You can publish an artifact with `cosign upload blob`:

```shell
Expand Down Expand Up @@ -196,11 +193,11 @@ The signature, claims and transparency log proofs are all verified automatically

#### Tekton Bundles

(Tekton)[https://tekton.dev] bundles can be uploaded and managed within an OCI registry.
The specification is [here]https://tekton.dev/docs/pipelines/tekton-bundle-contracts/.
[Tekton](https://tekton.dev) bundles can be uploaded and managed within an OCI registry.
The specification is [here](https://tekton.dev/docs/pipelines/tekton-bundle-contracts/).
This means they can also be signed and verified with `cosign`.

Tekon Bundles can curently be uploaded with the [tkn cli](github.com/tekton/cli), but we may add this support to
Tekton Bundles can currently be uploaded with the [tkn cli](github.com/tekton/cli), but we may add this support to
`cosign` in the future.

```shell
Expand Down Expand Up @@ -250,7 +247,7 @@ Today, `cosign` has been tested and works against the following registries:
* Azure Container Registry
* JFrog Artifactory Container Registry
* The CNCF distribution/distribution Registry
* Gitlab Container Registry
* GitLab Container Registry
* GitHub Container Registry
* The CNCF Harbor Registry
* Digital Ocean Container Registry
Expand Down Expand Up @@ -325,7 +322,7 @@ That looks like:
**Note:** This can be generated for an image reference using `cosign generate <image>`.

I'm happy to switch this format to something else if it makes sense.
See [https://github.com/notaryproject/nv2/issues/40] for one option.
See https://github.com/notaryproject/nv2/issues/40 for one option.


#### Registry Details
Expand All @@ -338,7 +335,7 @@ Similarly, they **can** easily be copied from one environment to another, but th
automatic.

Multiple signatures are stored in a list which is unfortunately "racy" today.
To add a signtaure, clients orchestrate a "read-append-write" operation, so the last write
To add a signature, clients orchestrate a "read-append-write" operation, so the last write
will win in the case of contention.

##### Specifying Registry
Expand Down Expand Up @@ -407,8 +404,6 @@ Right now cosign supports Hashicorp Vault, AWS KMS, and GCP KMS, and we are hopi

See the [KMS docs](KMS.md) for more details.

```
### OCI Artifacts

Push an artifact to a registry using [oras](https://github.com/deislabs/oras) (in this case, `cosign` itself!):
Expand Down Expand Up @@ -630,17 +625,23 @@ $ cosign verify -key cosign.pub dlorenc/demo | jq .
"sig": "original"
}
}
```

# Now give that signature a memorable name, then sign that
Now give that signature a memorable name, then sign that:

```shell
$ crane tag $(cosign triangulate dlorenc/demo) mysignature
2021/02/15 20:22:55 dlorenc/demo:mysignature: digest: sha256:71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e size: 556
$ cosign sign -key cosign.key -a sig=counter dlorenc/demo:mysignature
Enter password for private key:
Pushing signature to: dlorenc/demo:sha256-71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e.sig
$ cosign verify -key cosign.pub dlorenc/demo:mysignature
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e"},"Type":"cosign container image signature"},"Optional":{"sig":"counter"}}
```

Finally, check the original signature:

# Finally, check the original signature
```shell
$ crane manifest dlorenc/demo@sha256:71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e
{
"schemaVersion": 2,
Expand Down

0 comments on commit 48a2f82

Please sign in to comment.