
Using Cosign and Valint

Cosign is an open source tool that aims to provide a seamless signing infrastructure. Valint integrates with the Cosign CLI tool and the Sigstore verification process.

Signing and Verifying using cosign keys

Use Valint to sign and verify with Cosign generated keys.

cosign generate-key-pair
valint [slsa,evidence,bom,verify] <target> --key cosign.key --pubkey cosign.pub --pass <key_pass>

For more details see Signing with Self-Managed Keys.

Verifying using cosign (Keyless)

Use Valint to generate the SLSA provenance document attestation and attach it to an OCI registry, and use cosign keyless flow to verify the attestation.

Valint pushes the attestations to the OCI registry for cosign to consume downstream (see also cosign verify-attestation).

# Generate SLSA Provenance attestation
valint slsa [image] -o attest -f --oci

# Verify attestation using cosign
cosign verify-attestation --type https://slsa.dev/provenance/v1 \
--certificate-identity=name@example.com --certificate-oidc-issuer=https://accounts.example.com \
[image]

Verifying using cosign (X509)

Use cosign to verify the attestation with an X509 CA.

# Generate SLSA Provenance attestation
valint slsa [image] -o attest -f --oci \
--attest.default x509 \
--cert cert.pem \
--ca ca-chain.cert.pem \
--key key.pem

# Verify attestation using cosign
cosign verify-attestation --type https://slsa.dev/provenance/v1 \
--certificate-identity=name@example.com \
--certificate cert.pem \
--certificate-chain ca-chain.cert.pem \
--certificate-oidc-issuer-regexp='.*' \
--insecure-ignore-tlog=true \
--insecure-ignore-sct=true \
[image]
  • --insecure-ignore-tlog=true, skips the Rekor transparency log check.
  • --insecure-ignore-sct=true, skips the transparency log Signed Certificate Timestamp (SCT) check.
  • --certificate-oidc-issuer-regexp='.*', ignores the keyless-specific OIDC issuer certificate extension.

Both Signing and Verifying using cosign (X509)

You can create predicates for any attestation format (SBOM, SLSA), and then use Cosign to verify the attestation.

The example below uses a keyless (Sigstore) flow. You can use any of the Cosign signing capabilities (see cosign verify-attestation).

# Generate SLSA Provenance statement
valint slsa [image] -o statement -f --output-file valint_statement.json

# Extract predicate from the statement written in the previous step
jq '.predicate' valint_statement.json > valint_predicate.json

# Sign and OCI store using cosign
cosign attest --predicate valint_predicate.json [image] --type https://slsa.dev/provenance/v1

# Verify attestation using cosign
cosign verify-attestation [image] --type https://slsa.dev/provenance/v1 \
--certificate-identity=name@example.com --certificate-oidc-issuer=https://accounts.example.com
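The extraction step above trusts whatever is in the statement file. Below is an added example (not part of the Valint docs or the Cosign project) that wraps that step in a small check: the statement must be an in-toto statement, its predicateType must equal the value you will pass to cosign as --type, and it must name at least one subject digest, otherwise the attestation cannot be bound to an image. It requires jq; the file names and the sample statement (with a placeholder digest) are constructed here.

```shell
#!/bin/sh
# Added example; not part of the Valint docs or the Cosign project.
# Wraps the "extract predicate" step: before handing the predicate to
# `cosign attest --type <T>`, confirm the statement really carries that
# predicateType and names a subject digest, so that a later
# `cosign verify-attestation --type <T>` fails only for signature reasons.
# Requires jq. File names and the sample statement below are constructed.

set -u

# extract_predicate STATEMENT_FILE PREDICATE_FILE EXPECTED_PREDICATE_TYPE
# Writes PREDICATE_FILE and returns 0 on success; returns 1 with a reason on stderr.
extract_predicate() {
  statement="$1"; out="$2"; expected="$3"

  # Must be an in-toto statement (v0.1 and v1 share this URI prefix).
  case "$(jq -r '._type // empty' "$statement")" in
    https://in-toto.io/Statement/*) ;;
    *) echo "$statement: not an in-toto statement" >&2; return 1 ;;
  esac

  # predicateType is what --type must match on both attest and verify.
  actual=$(jq -r '.predicateType // empty' "$statement")
  if [ "$actual" != "$expected" ]; then
    echo "$statement: predicateType '$actual' does not match '$expected'" >&2
    return 1
  fi

  # The attestation is bound to the image by subject digest; refuse
  # statements that cannot be bound to anything.
  subjects=$(jq '[.subject[]? | select(.digest.sha256 != null)] | length' "$statement")
  if [ "$subjects" -eq 0 ]; then
    echo "$statement: no subject with a sha256 digest" >&2
    return 1
  fi

  jq '.predicate' "$statement" > "$out"
}

# Demo on a constructed statement (the digest is a placeholder, not a real image).
demo() {
  dir=$(mktemp -d)
  cat > "$dir/valint_statement.json" <<'EOF'
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {"name": "registry.example.com/app", "digest": {"sha256": "<placeholder-image-digest>"}}
  ],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {"buildType": "https://example.com/constructed-build"},
    "runDetails": {"builder": {"id": "https://example.com/constructed-builder"}}
  }
}
EOF
  if extract_predicate "$dir/valint_statement.json" "$dir/valint_predicate.json" \
       "https://slsa.dev/provenance/v1"; then
    echo "wrote $dir/valint_predicate.json; pass it to cosign attest --predicate"
  fi
  rm -rf "$dir"
}
demo
```

Run it as `extract_predicate valint_statement.json valint_predicate.json https://slsa.dev/provenance/v1` in place of the plain jq pipeline; the type string is the same one given to `cosign attest --type` and `cosign verify-attestation --type`, so keep it in one variable in a real script.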

X509 Certificate Constraints

You can confirm that the certificate carries the extensions cosign checks when verifying with --certificate (a Code Signing Extended Key Usage, and a Subject Alternative Name matching the --certificate-identity value) using the following command:

openssl x509 -noout -text -in cert.pem

Note the X509v3 extensions. For example:

X509v3 extensions:
    X509v3 Extended Key Usage:
        Code Signing
    X509v3 Subject Alternative Name: critical
        email:name@example.com
    ...
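Reading the openssl dump by eye does not scale across many signing certificates. The function below is an added example (not part of the Valint docs or the Cosign project) that applies the two constraints shown above to a PEM file: the Extended Key Usage must include Code Signing, and the Subject Alternative Name must contain an email entry equal to the identity you would pass as --certificate-identity. It needs only the openssl CLI; the demo generates a throwaway self-signed certificate, which is constructed for the demo and not a real signing certificate.

```shell
#!/bin/sh
# Added example; not part of the Valint docs or the Cosign project.
# Checks a PEM certificate for the two properties the page's X509
# verification flow depends on:
#   1. an Extended Key Usage that includes Code Signing
#   2. a Subject Alternative Name email entry equal to the identity
#      passed to cosign as --certificate-identity
# Requires the openssl CLI.

set -u

# check_signing_cert CERT_PEM IDENTITY -> 0 if both constraints hold, 1 otherwise
check_signing_cert() {
  cert="$1"; identity="$2"
  text=$(openssl x509 -noout -text -in "$cert") || return 1
  rc=0

  # EKU: the value line follows the "X509v3 Extended Key Usage" header line.
  eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/{getline; print; exit}')
  case "$eku" in
    *"Code Signing"*) ;;
    *) echo "$cert: missing Code Signing EKU (found: '$(printf '%s' "$eku" | sed 's/^ *//')')" >&2; rc=1 ;;
  esac

  # SAN: the value line follows the "X509v3 Subject Alternative Name" header
  # and is a comma-separated list such as "email:a@b, URI:https://...".
  san=$(printf '%s\n' "$text" | awk '/X509v3 Subject Alternative Name/{getline; print; exit}')
  if ! printf '%s\n' "$san" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "email:$identity"; then
    echo "$cert: no SAN entry email:$identity (found: '$(printf '%s' "$san" | sed 's/^ *//')')" >&2
    rc=1
  fi

  return $rc
}

# Demo with a throwaway self-signed certificate generated here (constructed,
# not a real signing certificate); use your own cert.pem in practice.
demo() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed' \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -addext 'extendedKeyUsage=codeSigning' \
    -addext 'subjectAltName=email:name@example.com' >/dev/null 2>&1
  if check_signing_cert "$dir/cert.pem" name@example.com; then
    echo "cert.pem satisfies the constraints for name@example.com"
  fi
  rm -rf "$dir"
}
demo
```

A certificate that fails either check will also fail `cosign verify-attestation --certificate cert.pem --certificate-identity ...`, so running this before signing saves a round trip to the registry. The SAN comparison is exact, matching cosign's --certificate-identity; if you verify with --certificate-identity-regexp instead, adapt the grep accordingly.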