# How `cosign` uses container registries to store signatures

On this page, we will focus on the example of the cert-manager signed builds. Currently, cert-manager already offers signed containers. A signed container is a container present on a container registry for which there exists a tag of the form `sha256-<digest>.sig`. For example, with the tag `v1.8.0` of cert-manager, cosign has pushed another tag:

![](https://i.imgur.com/UEUIlRT.png)

> By digest, we mean the SHA-256 hash of the JSON manifest served by the registry. For example, with the tag `v1.8.0`, we can compute the digest:
>
> ```console
> $ go install github.com/google/go-containerregistry/cmd/crane@latest
> $ crane manifest quay.io/jetstack/cert-manager-controller:v1.8.0 | sha256sum
> e1642bf8e93357165c9f0b027397ce79fdbda8cd609ee048c69284da01401c6c  -
> ```
>
> The digest matches the digest in the signature tag.

Note that the image pushed by cosign at that `sha256-<digest>.sig` tag contains nothing. Everything is in the manifest itself.
We can see that by looking at the contents of the container image:

```sh
# Save the signature "image" as a local tarball named sig.
crane pull quay.io/jetstack/cert-manager-controller:sha256-e1642bf8e93357165c9f0b027397ce79fdbda8cd609ee048c69284da01401c6c.sig sig
# Follow manifest.json -> config -> first diff_id, then print that layer.
tar fxO sig $(tar fxO sig $(tar fxO sig manifest.json | jq -r '.[0].Config') | jq -r '.rootfs.diff_ids[0]' | sed 's/^sha256:\(.*\)/\1.tar.gz/') | jq
```

The container image just contains a useless JSON blob:

```json
{
  "critical": {
    "identity": {
      "docker-reference": "quay.io/jetstack/cert-manager-controller"
    },
    "image": {
      "docker-manifest-digest": "sha256:e1642bf8e93357165c9f0b027397ce79fdbda8cd609ee048c69284da01401c6c"
    },
    "type": "cosign container image signature"
  },
  "optional": null
}
```

The manifest contains the signature. We can get the manifest with the following command:

```sh
crane manifest quay.io/jetstack/cert-manager-controller:sha256-e1642bf8e93357165c9f0b027397ce79fdbda8cd609ee048c69284da01401c6c.sig | jq
```

Here is the manifest:

```json
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 233,
    "digest": "sha256:5261c1c5f8b490bcc8c4781a5be9c3a0601411e2de82278816d2920aaf2cfb4c"
  },
  "layers": [
    {
      "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
      "size": 256,
      "digest": "sha256:03841144c6f7b4a3437ea72a3cd37f420d199fd2faa5cf35b03ab70daa5eab84",
      "annotations": {
        "dev.cosignproject.cosign/signature": "WDQq9dhDIRIR5KoulyEhWk13vVfXvlzeNLAwV2McYp71FS1dJdngmp8w98HKEuwRnh/qNTVfEe3vPsnDaRqBpjX3hShj/DudSTGT150OjpbOl1cKbqq64wnKDKdBt1e9FwTSx/cQcQg6XIer9J3TcpmaCsGIhpEdTgHQXzTvoOWuzThN4HP0jp6w92jajX3C7MJOonksFa3E/6iT4PYT/X3vFpJUNgSsL2mJkgcYyY3rmoUo8puhBEqbpeb/v0Wn0Rgnse7o3zdPGmgLGRrcS0pzF70aR6Ut+D3beOmPa1ikcqMafFDTgk3WxKHkI+AsKJBJXIBG25uL8ZZyxxdexv9hfDGVnJd1JLSbagRhmLFhqvvGtgSTDxqbMTorxfDRG3M5KnQ5HsEu7NdS0l9BFgQL5lZayldbF5xdPk+KLqOKusM5rAm1m4DzCJmedKyAsbgfvve/GZ1IZCtztC7lFPMdrFqS/Xt/5yqsL3F6CM7Q0n1LzhBhThtpdSwJlw606sijStyceoAO2ZRWmKkZrbz3xfMfPlWqWi/pBLrw3QkzJrbUi/LRzgIwHEx1tBTUtSA/ZykaohDqWzvgj7+3/hiPZ3V8BO22SPINFr37TRuLuSr0Ikup9Eb66lKmzg+2uaelXTJcQUEXf3Gs8lPZ8D87qrxKAHCd0ylR7SzVgfc="
      }
    }
  ]
}
```