Image Signing with Devtron

2 years ago   •   3 min read

By Anurag, Kunal Verma,

When it comes to cloud native ecosystem, containers are one of the most fundamental things, and it’s one of the most important part of the whole equation. In recent years, we have seen attackers attacking the supply chain space to exploit the vulnerabilities. Some famous examples include SolarWinds attack.

Here is a pictorial representation of some potential container security threats revolving around the ecosystem:

Container Security Threats
Container Security Threats

Even in 2022 the trend continues. Some major innovations in this space is done by a collaboration of many companies including Google, VMware, Chainguard and others.

In this blog, we will talk about the cosign project, which is a part of Sigstore. We will look how we can automate the signing of our images using Devtron.

Set the global configurations

Make sure that the global configurations are set correctly, and you’ve attached your container registry to Devtron.

New Container Registry
New Container Registry

After this step, you need to go to application section and create an application. In this tutorial I’m choosing a custom application but if you want you can choose according to your choice.

Custom App
Custom App

After this, give a name to your application and select the project you want to.

Create Custom App
Create Custom App

Now, after this, you need to complete the application specific settings in order to move ahead.

App Configurations
App Configurations

For the reference, you can try this sample go application by Devtron team.

Now, let’s setup continuous integration for our application. After setting this up, the container image will be built and that will be pushed to DockerHub.

CI Pipeline
CI Pipeline

After setting up the continuous integration, we will use the following image post-build task to sign our image. Go to the post build stage and select custom script.

Post-build Stage
Post-build Stage

We need to write a custom script which will install cosign and sign the container image that we have built during the CI step.

I will use the custom script below to sign the container image that we have built.

#!/bin/sh
set -eo pipefail
#set -v  ## uncomment this to debug the script

curl -sLS https://get.arkade.dev | sh
arkade get cosign
mv ~/.arkade/bin/cosign /usr/local/bin
export COSIGN_PASSWORD=""
cosign generate-key-pair
export IMAGENAME=$(docker images | head -2 | tail -1 | awk '{print $1}')
echo $IMAGENAME
export TAG=$(docker images | head -2 | tail -1 | awk '{print $2}')
echo $TAG
export IMAGE=$IMAGENAME:$TAG
echo $IMAGE
docker push $IMAGE
cosign sign --key cosign.key $IMAGE

Update the pipeline and go to build and deploy section. Choose the latest commit and then start the build.

After few minutes, the build will be successful and looking the logs you will notice that the signature is pushed to your docker registry.

Build History
Build History

Now, If you will look at the docker registry, then you notice a signature being pushed to your registry.

Docker Hub
Docker Hub


You can also verify the same using the terminal, you can use the cosign triangulate command here.

cosign triangulate vkunal/test:cf31719a-5631-8295

You will get your signature as the output, which basically shows that your image is signed.

You can learn more about Devtron here. Feel free to join our Discord community and share your experiences or doubts.

Spread the word

Keep reading