From f01dd724d29e0f407287af2270226322b7f50422 Mon Sep 17 00:00:00 2001 From: hayleycd Date: Mon, 9 Sep 2024 22:29:52 -0700 Subject: [PATCH] Addressing comments about formatting and signing with a generated key. Signed-off-by: hayleycd --- .../key_management/hardware-based-tokens.md | 3 --- content/en/quickstart/quickstart-cosign.md | 19 +------------------ 2 files changed, 1 insertion(+), 21 deletions(-) diff --git a/content/en/cosign/key_management/hardware-based-tokens.md b/content/en/cosign/key_management/hardware-based-tokens.md index f5d2dfec..3fdd5046 100644 --- a/content/en/cosign/key_management/hardware-based-tokens.md +++ b/content/en/cosign/key_management/hardware-based-tokens.md @@ -9,14 +9,11 @@ The `cosign` command line tool optionally supports hardware tokens for signing a This support is enabled through the [PIV protocol](https://csrc.nist.gov/projects/piv/piv-standards-and-supporting-documentation) and the [go-piv](https://github.com/go-piv/piv-go) library, which is not included in the standard release. Use `make cosign-pivkey-pkcs11key`, or `go build -tags=pivkey,pkcs11key ./cmd/cosign`, to build `cosign` with support for hardware tokens. ---- ## Background information Cosign's hardware token support requires `libpcsclite` on platforms other than Windows and OSX. See [`go-piv`'s installation instructions for your platform.](https://github.com/go-piv/piv-go#installation) ---- - We recommend using an application provided by your hardware vendor to manage keys and permissions for advanced use-cases, but `cosign piv-tool` should work well for most users. The following exmamples use this image: diff --git a/content/en/quickstart/quickstart-cosign.md b/content/en/quickstart/quickstart-cosign.md index 6c504be2..848c76ba 100644 --- a/content/en/quickstart/quickstart-cosign.md +++ b/content/en/quickstart/quickstart-cosign.md 
@@ -16,7 +16,7 @@ Cosign is a command line utility that is used to sign software artifacts and ver Language specific clients (like [sigstore-python](https://github.com/sigstore/sigstore-python)) are other options for signing and verifying, but Cosign is a great, language agnostic place to start. -This quickstart will walk you through how to sign and verify a blob and a container. Although keyless signing is recommended, this quickstart will also show you how to sign using a generated key. +This quickstart will walk you through how to sign and verify a blob and a container. ### Installation @@ -98,23 +98,6 @@ $ cosign verify --certificate-identity=name@example.com cosign verify $IMAGE_URI_DIGEST --certificate-identity-regexp=.* --certificate-oidc-issuer-regexp=.* ``` -## Signing with a generated key - -It is recommended that you use keyless signing, as a main feature of Sigstore is to make signatures invisible infrastructure that do not require key management. However, Sigstore allows you to use an existing key or generate a key if you prefer. - -To generate keys using Cosign, use the `cosign generate-key-pair` command. - -``` -$ cosign generate-key-pair -``` - -The following example shows the process of signing with an existing key. You must enter the password of the private key to sign. - -``` -$ cosign sign --key cosign.key user/demo -Enter password for private key: -Pushing signature to: index.docker.io/user/demo:sha256-87ef60f558bad79be4def8.sig -``` ## SCM Integration Cosign integrates natively with source code management (SCM) systems like GitHub and GitLab. You can use the official [GitHub Actions Cosign installer](https://github.com/marketplace/actions/cosign-installer) or use Cosign to generate and work safely with [SCM secrets]({{< relref "cosign/signing/git_support">}}) with native API integration.
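Review bot: In the hardware-based-tokens.md hunk (@@ -9,14 +9,11 @@), the unchanged context line `The following exmamples use this image:` carries a typo (exmamples) inside the region this commit already touches; suggest fixing it to `The following examples use this image:` in the same commit rather than leaving it for a follow-up. Dropping the two `---` rules is fine since the `## Background information` heading still separates the build instructions from the `libpcsclite` note; while here, `OSX` in that context line could be updated to `macOS`.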
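Review bot: In the first quickstart-cosign.md hunk (@@ -16,7 +16,7 @@), removing the second sentence keeps the intro consistent with the section removal further down, but the intro now says nothing about which signing mode the quickstart covers. If the quickstart is keyless-only by design, state that in one clause, e.g. `This quickstart will walk you through how to sign and verify a blob and a container using keyless signing.`, so a reader who arrives looking for `--key` knows up front to look elsewhere.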
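Review bot: In the second quickstart-cosign.md hunk (@@ -98,23 +98,6 @@), the whole `## Signing with a generated key` section is removed, and with it the only mention in the quickstart of `cosign generate-key-pair` and `cosign sign --key`. Since this patch also edits pages under `content/en/cosign/key_management/`, suggest leaving a one-line pointer in place of the section, e.g. `Sigstore also supports signing with an existing or generated key; see the key management pages.`, instead of dropping the topic without a forward reference. Also verify the blank lines around the remaining closing fence and `## SCM Integration` after the deletion so the verify example and the next section are not run together.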