
Secure Container Images: Integrate Cosign with Harbor

This guide explains how to enhance container image security by installing Cosign, generating key pairs, signing images, and configuring Harbor to trust the signatures, including step‑by‑step commands and parameter details for seamless integration of Cosign into Harbor's registry.

Linux Ops Smart Journey

As container technology and microservice architecture become widespread, securing container images is crucial. Harbor is an enterprise‑grade registry that stores and distributes images while providing vulnerability scanning and authentication. Cosign is an open‑standard signing tool that verifies image identity and integrity. This article shows how to integrate Cosign into Harbor to strengthen image security.

Sigstore Cosign diagram

Deploy Cosign

<code>$ curl -O -L https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
$ chmod +x cosign-linux-amd64
$ sudo mv cosign-linux-amd64 /usr/local/bin/cosign</code>
<code>$ cosign version
  ______   ______        _______. __    _______.__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  |.----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |_| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.4.0
GitCommit:     b5e7dc123a272080f4af4554054797296271e902
GitTreeState: clean
BuildDate:     2024-08-06T21:39:53Z
GoVersion:     go1.22.5
Compiler:      gc
Platform:      linux/amd64</code>

Generate Key Pair

<code>$ cosign generate-key-pair
Enter password for private key:
Enter password for private key again:
Private key written to cosign.key
Public key written to cosign.pub</code>
<code>$ ls -lrt cosign.*
-rw-------. 1 ops ops 653 Aug 31 20:13 cosign.key
-rw-r--r--. 1 ops ops 178 Aug 31 20:13 cosign.pub</code>

Sign and Verify Container Image

<code>$ sudo curl -k -o /etc/pki/ca-trust/source/anchors/core.jiaxzeng.com.crt https://core.jiaxzeng.com/api/v2.0/systeminfo/getcert
$ sudo update-ca-trust extract</code>
<code>$ cosign sign --key cosign.key --registry-username=admin --registry-password=Harbor12345 core.jiaxzeng.com/library/tools@sha256:fde527bff0c89d6cefbf8fac19e7c6e8266766641f4a8610e4f7c2154ca86252 -y
Enter password for private key:

The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
This may include the email address associated with the account with which you authenticate your contractual Agreement.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
tlog entry created with index: 126476166
Pushing signature to: core.jiaxzeng.com/library/tools</code>

Parameter Explanation

--key : specify Cosign private key

--registry-username : Harbor registry account

--registry-password : Harbor registry password

-y : skip confirmation prompts for non‑destructive operations
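To make clear what the cosign sign command above actually protects, here is an added Go example (my own illustration, not code from this article or from the Cosign project). It rebuilds the small "simple signing" JSON payload that a key-based Cosign signature covers, signs it with an ECDSA P-256 key of the same type that cosign generate-key-pair writes, verifies it the way cosign verify --key cosign.pub would, and computes the sha256-<hex>.sig tag under which Cosign stores the signature in the same Harbor repository. The payload field names, the type string, and the tag convention are written from my understanding of Cosign's behaviour and should be treated as assumptions; the key is generated in memory instead of being read from cosign.key. The repository and digest are the ones from the article's command.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// simpleSigning mirrors (assumption) the JSON that Cosign signs for a key-based
// signature: the manifest digest sits under critical.image.docker-manifest-digest,
// so the signature is bound to the image content rather than to a mutable tag.
type simpleSigning struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]string `json:"optional"`
}

// parseDigest accepts only a pinned "sha256:<64 hex chars>" reference; a tag such
// as "latest" is rejected because it can be re-pointed after signing.
func parseDigest(digest string) (string, error) {
	algo, hexPart, ok := strings.Cut(digest, ":")
	if !ok || algo != "sha256" || len(hexPart) != 64 {
		return "", fmt.Errorf("not a sha256 digest reference: %q", digest)
	}
	for _, c := range hexPart {
		if !strings.ContainsRune("0123456789abcdef", c) {
			return "", fmt.Errorf("non-hex character in digest: %q", digest)
		}
	}
	return hexPart, nil
}

// NewPayload builds the JSON bytes that get hashed and signed.
func NewPayload(repo, digest string) ([]byte, error) {
	if _, err := parseDigest(digest); err != nil {
		return nil, err
	}
	var p simpleSigning
	p.Critical.Identity.DockerReference = repo
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature" // assumed Cosign type string
	return json.Marshal(p)
}

// SignatureTag returns the tag Cosign uses for the signature artifact next to the
// image: <repo>:sha256-<hex>.sig (assumed convention).
func SignatureTag(repo, digest string) (string, error) {
	hexPart, err := parseDigest(digest)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s:sha256-%s.sig", repo, hexPart), nil
}

// GenerateKey creates an ECDSA P-256 key, the key type cosign generate-key-pair writes.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignPayload hashes the payload with SHA-256 and returns the DER signature as base64,
// the form stored in the signature artifact's annotation.
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	sum := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, sum[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// VerifyPayload is the public-key check that cosign verify --key cosign.pub performs.
func VerifyPayload(pub *ecdsa.PublicKey, payload []byte, sigB64 string) bool {
	der, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	sum := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, sum[:], der)
}

func main() {
	const repo = "core.jiaxzeng.com/library/tools"
	const digest = "sha256:fde527bff0c89d6cefbf8fac19e7c6e8266766641f4a8610e4f7c2154ca86252"
	priv, _ := GenerateKey()
	payload, _ := NewPayload(repo, digest)
	sig, _ := SignPayload(priv, payload)
	tag, _ := SignatureTag(repo, digest)
	fmt.Println("payload:", string(payload))
	fmt.Println("stored at:", tag)
	fmt.Println("verifies:", VerifyPayload(&priv.PublicKey, payload, sig))
}
```

The point a practitioner should take from this: the signature commits to the manifest digest, which is why the article signs library/tools@sha256:... rather than a tag. Anyone who can push a new image under the same tag cannot reuse the signature, and a verifier that checks against cosign.pub will reject a payload whose digest differs from the one that was signed.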

Harbor Verification

After signing, Harbor can verify the signature using the stored public key, confirming the image’s integrity and provenance.

Harbor verification result

Integrating Cosign with Harbor enhances container image security, ensuring integrity and trust throughout the image lifecycle. Adopting such tools is essential for maintaining a secure software supply chain.
