DevSecOps & Supply Chain Security

Signing & Verification

18 min Lesson 8 of 28

Signing & Verification

Every modern supply-chain attack exploits the same trust gap: a consumer — a Kubernetes cluster, a CI runner, a developer's workstation — fetches an artifact and has no way to prove it came from the source it claims. The artifact could have been swapped in transit, on the registry, or inside the build system itself. Artifact signing closes this gap by binding a cryptographic signature to the artifact at build time and verifying that signature before any consumption happens. This lesson covers the state-of-the-art open-source tooling — Sigstore / Cosign — and how to enforce verification at the Kubernetes admission layer so that unsigned or unverifiable images can never run in production.

Why Traditional Key Management Fails at Scale

Before Sigstore, signing artifacts meant managing long-lived GPG or OpenSSL private keys. At big-tech scale this creates three compounding problems. First, key distribution: every consumer must receive and trust the public key out-of-band — a bootstrapping problem with no clean solution. Second, key rotation: a compromised signing key invalidates all previous signatures, but revoking and redistributing keys across hundreds of teams is operationally painful. Third, attribution is opaque: a signature proves possession of a private key, not the identity of the human or CI job that actually triggered the build. If the key leaks, there is no way to distinguish legitimate from malicious signatures.

Key idea: Sigstore replaces long-lived private keys with ephemeral keypairs tied to OIDC identity tokens. The private key exists only during the signing operation and is immediately discarded. What persists is a certificate issued by Fulcio (Sigstore\'s certificate authority) that binds the ephemeral public key to a verified OIDC subject — such as a GitHub Actions workflow URL. The signature and certificate are recorded in Rekor, an immutable, append-only transparency log, so any verifier can audit who signed what and when.

Sigstore Architecture: Fulcio, Rekor, and Cosign

Sigstore signing and verification flow CI/CD Build (GitHub Actions) OIDC Provider GitHub / Google Fulcio CA Issues short-lived cert Rekor Transparency Log OCI Registry Image + Signature Admission Controller (Policy) 1. OIDC token 2. Token 3. Cert 4. Push img+sig 5. Record entry 6. Fetch sig 7. Verify log
Sigstore signing flow: CI exchanges an OIDC token for a short-lived Fulcio cert, signs the image, records the entry in Rekor, and the admission controller verifies before any workload can run.

Signing a Container Image with Cosign (keyless mode)

In GitHub Actions, the workflow runs with an OIDC token by default. Cosign detects this and performs the entire Fulcio/Rekor dance transparently. You need zero key management:

# .github/workflows/build-sign.yml (relevant signing step) - name: Install Cosign uses: sigstore/cosign-installer@v3 - name: Build & push image run: | docker build -t ghcr.io/my-org/my-app:${{ github.sha }} . docker push ghcr.io/my-org/my-app:${{ github.sha }} - name: Sign image (keyless — requires id-token: write permission) env: COSIGN_EXPERIMENTAL: "1" run: | cosign sign \ --yes \ ghcr.io/my-org/my-app:${{ github.sha }}

The --yes flag skips the interactive confirmation prompt, which is required in CI. COSIGN_EXPERIMENTAL=1 enables keyless mode (now the default in Cosign v2, but still a common pattern in older pipelines). After this step, the signature is stored as a separate OCI artifact in the same registry namespace — Cosign uses the convention sha256-<digest>.sig.

To verify a signature locally or in a script:

# Verify keyless signature from a GitHub Actions workflow cosign verify \ --certificate-identity-regexp "^https://github.com/my-org/my-app/.github/workflows/.*" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ ghcr.io/my-org/my-app:sha256-abc123 # Output (on success) — JSON array of verified payloads: # [{"critical":{"identity":{"docker-reference":"ghcr.io/my-org/my-app"}, # "image":{"docker-manifest-digest":"sha256:abc123"},...},...}]
Production practice: Pin the --certificate-identity-regexp to a specific workflow file path (e.g., .github/workflows/release.yml), not a wildcard. A broad regexp like .* would accept signatures from any workflow in the repo, including pull-request workflows that run untrusted code. The OIDC issuer lock-down is equally critical — always specify --certificate-oidc-issuer explicitly.

Enforcing Signatures at Kubernetes Admission Control

Signing without mandatory verification at the cluster boundary is security theater. The enforcement layer is a Kubernetes admission webhook that intercepts every Pod create/update request and rejects it if the image lacks a valid Cosign signature. Two mature options exist at big-tech scale:

  • Policy Controller (from Sigstore) — a standalone admission webhook that reads ClusterImagePolicy CRDs. The recommended path for pure Sigstore setups.
  • Kyverno — a general Kubernetes policy engine with built-in Cosign verification; preferred when you already use Kyverno for other policies.

The following example uses the Sigstore Policy Controller:

# Install Policy Controller via Helm helm repo add sigstore https://sigstore.github.io/helm-charts helm install policy-controller sigstore/policy-controller \ --namespace cosign-system --create-namespace \ --set config.namespace=prod-namespace --- # ClusterImagePolicy: require keyless signatures from our CI workflow apiVersion: policy.sigstore.dev/v1beta1 kind: ClusterImagePolicy metadata: name: require-signed-images spec: images: - glob: "ghcr.io/my-org/**" authorities: - keyless: url: https://fulcio.sigstore.dev identities: - issuer: https://token.actions.githubusercontent.com subjectRegExp: "https://github.com/my-org/.*/.github/workflows/release.yml@refs/heads/main" ctlog: url: https://rekor.sigstore.dev

With this policy applied to the prod-namespace, any Pod referencing an image from ghcr.io/my-org/** that does NOT have a valid signature from the specified CI workflow is rejected with a 403 Forbidden before any container process starts. Namespaces not labelled for enforcement are unaffected — a common pattern is to enforce in prod first, then roll out to staging.

Production pitfall — digest pinning: Signing a tag (e.g., :latest or :1.2.3) is insufficient because tags are mutable. An attacker who can push to the registry can move the tag to an unsigned image. Always sign and verify by digest (sha256:...). In Kubernetes, configure your CD tool (ArgoCD, Flux) to resolve and pin to the digest before admission control sees the pod spec. Cosign signs the manifest digest; the Policy Controller verifies the digest — as long as you do not use mutable tags end-to-end, you are protected.

Verifying Attestations: Going Beyond the Signature

Cosign can also attach and verify structured attestations — signed metadata about the image such as SBOM documents, SLSA provenance records, or vulnerability scan results. This is how big-tech companies prove not just "this image was signed" but "this image was built from commit X, passed SAST with zero criticals, and its SBOM is attached." The cosign attest and cosign verify-attestation commands handle this workflow using the in-toto attestation format:

# Attach a signed SLSA provenance attestation cosign attest \ --yes \ --predicate provenance.json \ --type slsaprovenance \ ghcr.io/my-org/my-app@sha256:abc123 # Verify the attestation at deploy time cosign verify-attestation \ --type slsaprovenance \ --certificate-identity-regexp "^https://github.com/my-org/.*" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ ghcr.io/my-org/my-app@sha256:abc123 \ | jq '.payload | @base64d | fromjson'
Key idea: The Kubernetes Policy Controller can enforce attestation requirements too — not just signatures. A ClusterImagePolicy authority can include a attestations block that requires a valid SLSA provenance predicate, a Trivy scan result with zero criticals, or any custom predicate. This turns admission control into a full supply-chain gate, not just a signing checkbox.

Failure Modes and Operational Concerns

Signature verification adds latency to pod scheduling (the admission webhook must reach the registry and optionally Rekor). At Google-scale this is typically 50–200 ms per unique image digest, cached aggressively by the Policy Controller. Three operational concerns to plan for:

  • Webhook availability: If the Policy Controller pod is down, pods will fail to schedule (fail-closed behavior). Deploy it with at least two replicas, a PodDisruptionBudget, and a node affinity that keeps it on control-plane nodes or dedicated system nodes.
  • Registry air-gap: In air-gapped environments, Rekor and Fulcio are unavailable. Either run a self-hosted Sigstore stack (sigstore-the-hard-way or the sigstore/scaffolding Helm chart), or use key-based signing with a Hardware Security Module (HSM) instead of keyless mode.
  • Bootstrap exception: The Policy Controller image itself must be excluded from its own policy to avoid a circular dependency during cluster bootstrapping. Always add an explicit namespace or image exception for cosign-system.
Previous Lesson SBOMs & Provenance
Next Lesson Secrets Scanning & Leak Response
Back to Course

ES
Edrees Salih
1 hour ago

We are still cooking the magic in the way!