The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Cosign


Cosign

Sigstore - Cosign - Cryptographic Signing tool


Overview

What is Code Signing?

It’s a feature offered as a NextGen CICD step that can sign and verify software artifacts, such as container images and blobs (including extra artifacts like SBOMs).

Software Factory is offering the way to integrate code signing into your CI/CD pipeline but it is not offering a key management or PKI service. At this time there is no solution offered at Thales level for the PKI service or encryption key management lifecycle so it is the project’s responsability to choose these tools.

In the future we would like to offer an integration with such services, once they will exist at Thales level.

For now we support integration with Azure Key Vault but other key managers can be added if it is needed.

The software used for code signing is Cosign utility tool from Sigstore Sigstore is an open source project for improving software supply chain security.

The Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more.

NEEDS AND REQUIREMENTS

Why cryptographic signing and why you should use it?

In a landscape of growing software supply chain vulnerability, unsigned software is at risk for several attack vectors, such as:

  • Typosquatting packages with similar names
  • Compromised site where package is hosted
  • Tampering after being published

Digital signatures are a way to verify the authenticity of a software artifact.

Software consumers can trace software back to the source to know who created the artifact and that it has not been altered or tampered with after it was signed.

For more information about Sigstore, see Why Cryptographic Signing .

LIST OF FEATURES

Feature NameLevel of availability (EA/GA)Description
Sign an artifact with a generated keypairEASign/Verify with Cosign generated keypairs
Sign an artifact with your own keypairEASign/Verify with your own keypair stored in Azure Key Vault

Note: Cosign supports RSA, ECDSA, and ED25519 keys. For RSA, Cosign only supports RSA PKCS#1.5 padded keys.


Get Started

After having access to Software Factory, you can use the NextGen CICD Step through the GUI and add steps in your pipeline to sign your artifacts. See the Cosign pipeline where signing steps are implemented.

How to

How to subscribe?

via Software-factory > get-access

What is the pricing ?

Code Signing is included in the DevSecOps package .

Service level and operations information

Service Level

Please see service-level-and-operation-information

DRP (Disaster Recovery Plan)

Included in GitLab.

Service Monitoring

Included in GitLab.

Service Maintenance

RACI

  • Responsible, Accountable, Consulted, Informed
ActionDescriptionFactory SupportSoftware SolutionBusiness adminProject team adminProject team memberRequest *
Use of NextGen CICD Code Signing stepSign and verify container images and filesARN/A
Management of cryptographic keysThe generation, distribution and destruction of keys that will be used to sign artefactsR/ARN/A
Key storage and accessThe safe storage and access to the keys for the NextGen CICD Code Signing stepR/ARN/A