Procedural on

How to Install Sigstore Policy Controller

Tue, 21 Feb 2023 13:11:29 +0829

The Sigstore Policy Controller is a Kubernetes admission controller that can verify image signatures and policies. You can define policies using the CUE or Rego policy languages.

This guide will demonstrate how to install the Policy Controller in your Kubernetes cluster and enable policy enforcement.

Prerequisites

To follow along with this guide, you will need the following:

How to Install the Rekor CLI

Sat, 20 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Rekor chapter of the Linux Foundation Sigstore course.

Follow this tutorial for an overview of how to install rekor-cli.

To install the Rekor command line interface (rekor-cli) with Go, you will need Go version 1.16 or greater. For Go installation instructions, see the official Go documentation. If you have Go installed already, you can check your Go version via this command.

go version

If Go is installed, you’ll receive output similar to the following.

How to Install Cosign

Wed, 13 Jul 2022 08:49:31 +0000

An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.

Cosign supports software artifact signing, verification, and storage in an OCI (Open Container Initiative) registry. By signing software, you can authenticate that you are who you say you are, which can in turn enable a trust root so that developers and consumers who leverage your software can verify that you created the software artifact that you have said you’ve created. They can also ensure that that artifact was not tampered with by a third party. As someone who may use software libraries, containers, or other artifacts as part of your development lifecycle, a signed artifact can give you greater assurance that the code or container you are incorporating is from a trusted source.

How to Query Rekor

Sat, 20 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Rekor chapter of the Linux Foundation Sigstore course.

Rekor is the transparency log of Sigstore, which stores records of artifact metadata. Before querying Rekor, you should have the rekor-cli installed, which you can achieve by following the “How to Install the Rekor CLI” tutorial.

In order to access the data stored in Rekor, the rekor-cli requires either the log index of an entry or the UUID of a software artifact.

How to Sign a Container with Cosign

Wed, 13 Jul 2022 13:26:54 +0100

An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.

Cosign is a tool you can use to sign software artifacts, which in turn allows you to verify that you are who you say you are, instilling trust across the software ecosystem. Signing software also allows people to understand the provenance of the software, and prevents tampering.

Let’s step through signing a container with Cosign. We are using a container to provide a sense of how you may use Sigstore with containerized workloads, but the steps we are taking to sign a container are very similar to the steps that we would take to sign any other software artifact that can be published in a container registry, and we will discuss signing blobs a little later.

How to Sign and Upload Metadata to Rekor

Sat, 20 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Rekor chapter of the Linux Foundation Sigstore course.

This tutorial will walk you through signing and uploading metadata to the Rekor transparency log, which is a project of Sigstore. In order to follow along, you’ll need the rekor-cli installed, which you can accomplish by following the “How to Install the Rekor CLI” tutorial.

We will use SSH to sign a text document. SSH is often used to communicate securely over an unsecured network and can also be used to generate public and private keys appropriate for signing an artifact.

How to Sign Blobs and Standard Files with Cosign

Wed, 13 Jul 2022 15:22:20 +0100

An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.

Cosign can sign more than just containers. Blobs, or binary large objects, and standard files can be signed in a similar way. You can publish a blob or other artifact to an OCI (Open Container Initiative) registry with Cosign. This tutorial assumes you have a Cosign key pair set up, which you can achieve by following our Introduction to Cosign guide.

How to Set Up An Instance of Rekor Instance Locally

Sat, 20 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Rekor chapter of the Linux Foundation Sigstore course.

While individual developers may not generally need to set up their own instance of Rekor, it may be worthwhile to set up your own local instance in order to further understand how Rekor works under the hood. We will have multiple terminal sessions running to set up the Rekor server. You may want to use a tool such as tmux to keep terminal sessions running in the background within the same window.

How to Sign an SBOM with Cosign

Wed, 13 Jul 2022 15:22:20 +0100

An earlier version of this material was published in the Cosign chapter of the Linux Foundation Sigstore course.

Cosign, developed as part of the Sigstore project, is a command line utility for signing, verifying, storing, and retrieving software artifacts through interface with an OCI (Open Container Initiative) registry. Cosign can be used to sign attestations, or a verifiable assertion or statement about a software artifact.

What is an Attestation?

An attestation is a cryptographically verifiable statement about a software artifact. Attestations include a subject, a software artifact or artifacts to which the attestation applies, and a predicate, a claim or proposition about the subject. For example, an attestation might assert that a specific container image was built on a specific date using a specific configuration, and that assertion could be cryptographically verified as issuing from a specific organization or entity.

Disallowing Non-Default Capabilities

Thu, 02 Mar 2023 13:11:29 +0829

This guide demonstrates how to use the Sigstore Policy Controller to prevent running containers with extra capabilities. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec, and only allow admission into a cluster if the pod is running with one or many Linux capabilities from defined set of safe capabilities flags.

Prerequisites

To follow along with this guide, you will need the following:

Disallowing Privileged Pods

Thu, 02 Mar 2023 13:11:29 +0829

This guide demonstrates how to use the Sigstore Policy Controller to prevent running containers with elevated privileges. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec, and only allow admission into a cluster if the pod is running without the privileged: true setting.

Prerequisites

To follow along with this guide, you will need the following:

Disallowing Run as Root User

Thu, 02 Mar 2023 13:11:29 +0829

This guide demonstrates how to use the Sigstore Policy Controller to prevent running containers as the root user in a Kubernetes cluster. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec, and only allow admission into a cluster if the pod is running as a non-root user.

Prerequisites

To follow along with this guide, you will need the following:

Maximum Container Image Age

Thu, 02 Mar 2023 13:11:29 +0829

This guide demonstrates how to use the Sigstore Policy Controller to verify image signatures before admitting an image into a Kubernetes cluster. In this guide, you will create a ClusterImagePolicy that checks the maximum age of a container image verifying that isn’t older than 30 days. For that, we’ll attempt to create two distroless images one older than 30 days and a fresh one.

Prerequisites

To follow along with this guide, you will need the following:

Disallowing Unsafe sysctls

Wed, 01 Mar 2023 13:11:29 +0829

This guide demonstrates how to use the Sigstore Policy Controller to only allow pods that use sysctls to modify kernel behaviour to run with the safe set of parameters. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec that uses sysctls, and only allow admission into a cluster if the pod is running a safe set parameters.

Prerequisites

To follow along with this guide, you will need the following:

Verify Signed Chainguard Containers

Wed, 22 Feb 2023 13:11:29 +0829

This guide demonstrates how to use the Sigstore Policy Controller to verify image signatures before admitting an image into a Kubernetes cluster. In this guide, you will create a ClusterImagePolicy that checks for a keyless Cosign image signature, and then test the admission controller by running a signed nginx image.

Prerequisites

To follow along with this guide, you will need the following:

How to Verify File Signatures with Cosign

Wed, 21 Dec 2022 15:22:20 +0100

Cosign can be used to verify binary artifacts (“blobs”) using provided signatures as long as they are published to an OCI registry. In this tutorial, we’ll verify a binary artifact — in this case, a release of apko, a command-line tool for building container images using a declarative language based on YAML. The methods in this tutorial apply to any blob file Cosign has signed with a keyless signature.

This tutorial assumes you have Cosign installed.

Using chainctl to Manage Custom Assembly Resources

Thu, 01 May 2025 11:07:52 +0200

Chainguard’s Custom Assembly is a tool that allows customers to create customized containers with extra packages and annotations added. This enables customers to reduce their risk exposure by creating container images that are tailored to their internal organization and application requirements while still having few-to-zero CVEs.

You can use chainctl, Chainguard’s command-line interface tool, to further customize your Custom Assembly builds and retrieve information about them. This guide provides an overview of the relevant chainctl commands and outlines how you can edit the configuration of Custom Assembly containers, as well as retrieve a list of a customized image’s builds and its build logs.

Subscribing to Chainguard CloudEvents

Thu, 24 Apr 2025 15:22:20 +0100

Chainguard implements CloudEvents, a specification for a standard format for events data. This means developers can use events (generated based on interactions with Chainguard resources) to initiate processes and thus automate certain actions. For example, you could set up infrastructure to listen for push events to an organization’s private registry and mirror any new Chainguard Containers in the registry to a third-party repository.

This article includes an example of how to use chainctl to create an event subscription. It also includes details on how to validate events from Chainguard and highlights some potential use cases for them. This article is primarily focused on Registry push and pull events. Push events occur when an image in your entitlement is added or updated. Pull events occur when an image is pulled from your Chainguard repository. Be aware, though, that there are also events related to IAM, such as user creation and adding identity providers.

How to Pull Packages from Chainguard Package Repositories through Artifactory

Thu, 14 Nov 2024 15:56:52 -0700

This tutorial details how to set up remote Alpine package (apk) repositories with JFrog Artifactory, which can provide pull-through caches for Chainguard package repositories. Specifically, this guide walks you through how to set up remote Artifactory repositories to serve as pull-through caches for a Chainguard Private APK Repository as well as Chainguard’s public package repositories. The guide also outlines how to configure a container image build to pull APK packages from these remote repositories using tokens generated by Artifactory.

Create an Assumable Identity for a GitLab CI/CD Pipeline

Wed, 28 Jun 2023 08:48:45 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines two methods for how to create a Chainguard identity: chainctl and Terraform. It then walks through how to create a GitLab CI/CD pipeline that will assume the identity to interact with Chainguard resources.

Prerequisites

To complete this guide, you will need the following.

Create Role-bindings for a GitHub Team Using Terraform

Sat, 10 Jun 2023 08:48:45 +0000

There may be cases where an organization will want multiple users to have access to the same Chainguard organization. Chainguard allows you to grant other users access to Chainguard by generating an invite link or code.

In addition, you can now grant access to users using Terraform and identity providers like GitHub, GitLab, and Google. You can also manage access through these providers’ existing group structures, like GitHub Teams or GitLab Groups. Granting access through Terraform helps to reduce the risk of unwanted users gaining access to Chainguard.

How To Integrate Okta SSO with Chainguard

Mon, 17 Apr 2023 08:48:45 +0000

The Chainguard platform supports Single sign-on (SSO) authentication for users. By default, users can log in with GitHub, GitLab and Google, but SSO support allows users to bring their own identity provider for authentication.

This guide outlines how to create an Okta application and integrate it with Chainguard. After completing this guide, you’ll be able to log in to Chainguard using Okta and will no longer be limited to the default SSO options.

Rego Policies

Thu, 12 Jan 2023 15:56:52 -0700

The Sigstore Policy Controller supports the Rego Policy Language, which is a declarative policy language that is used to evaluate structured input data such as Kubernetes manifests and JSON documents. This feature enables users to apply policies that can evaluate Kubernetes admission requests and object metadata to make comprehensive decisions about the workloads that are admitted to their clusters. Rego support also enables users to enhance existing cloud-native policies by adding additional software supply chain security checks.

How to Manage Chainguard IAM Organizations

Fri, 15 Jul 2022 15:22:20 +0100

Chainguard provides a rich Identity and Access Management (IAM) model similar to those used by AWS and GCP. This guide outlines how to manage Chainguard’s IAM structures with the chainctl command line tool.

Note: You should work with Chainguard’s Customer Success team to create or delete organizations. This will help to ensure that no users lose access to resources and that your IAM structure is configured correctly.

Logging in

To authenticate into the Chainguard platform, run the following login command.

Create an Assumable Identity to Authenticate from Azure

Fri, 15 May 2026 00:00:00 +0000

Note: If you’re authenticating from a workload running in Azure Kubernetes Service (AKS), refer to the Kubernetes identity guide instead.

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines how to create an identity that can be assumed by an Azure workload — such as a VM, Container App, or Function — using an Azure managed identity and then used to interact with the Chainguard API.

Using GitOps to Manage Custom Assembly Resources

Thu, 29 Jan 2026 11:07:52 +0200

Chainguard’s Custom Assembly is a tool that allows customers to create customized container images with extra packages and annotations added. This enables customers to reduce their risk exposure by creating container images that are tailored to their internal organization and application requirements while still having few-to-zero CVEs. It can be managed in the Chainguard Console, with chainctl, with the API, or via CI/CD.

This guide shows how to use Chainguard Custom Assembly as code via CI/CD, storing your configuration in Git and using automation to apply changes and trigger builds. The examples in this guide focus on GitHub Actions, as seen in Chainguard’s custom-assembly-as-code demo repository.

Create an Assumable Identity for a Kubernetes Pod

Thu, 07 Aug 2025 13:00:00 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines how to create an identity that can be assumed by a Kubernetes pod and then used to interact with the Chainguard API.

Prerequisites

To complete this guide, you will need the following.

Getting Started with OpenVEX and vexctl

Mon, 30 Jan 2023 15:21:01 +0200

The vexctl CLI is a tool to make VEX work. As part of the open source OpenVex project, vexctl enables you to create, apply, and attest VEX (Vulnerability Exploitability eXchange) data in order to filter out false positive security alerts.

The vexctl tool was built to help with the creation and management of VEX documents, communicate transparently to users as time progresses, and enable the “turning off” of security scanner alerts of vulnerabilities known not to affect a given product. Using VEX, software authors can communicate to their users that an otherwise vulnerable component has no security implications for their product.

Using the Chainguard API to Manage Custom Assembly Resources

Thu, 01 May 2025 11:07:52 +0200

Chainguard’s Custom Assembly is a tool that allows customers to create customized containers with extra packages added. This enables customers to reduce their risk exposure by creating container images that are tailored to their internal organization and application requirements while still having few-to-zero CVEs.

You can use the Chainguard API to further customize your Custom Assembly builds and retrieve information about them. This tutorial highlights a demo application (which can be found in Chainguard Academy’s Demo Applications repository) which, when run, updates a Custom Assembly container’s configuration based on a provided YAML file.

Mirror new Containers to Google Artifact Registry with Chainguard CloudEvents

Fri, 24 May 2024 15:22:20 +0100

Certain interactions with Chainguard resources will emit CloudEvents that you or an application can subscribe to. This allows you to do things like receive alerts when a user downloads one or more of your organization’s private container images or when a new image gets added to your organization’s registry.

This tutorial is meant to serve as a companion to the Image Copy GCP example application. It will guide you through setting up infrastructure to listen for push events on an organization’s private registry and mirror any new Chainguard Containers in the registry to a repository in a GCP Artifact Registry repository.

Create an Assumable Identity for a Buildkite Pipeline

Wed, 17 May 2023 08:48:45 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This tutorial outlines how to create an identity using Terraform, and then how to update a Buildkite pipeline so that it can assume the identity and interact with Chainguard resources.

Prerequisites

To complete this guide, you must have the following in place:

How To Integrate Ping Identity SSO with Chainguard

Mon, 17 Apr 2023 08:48:45 +0000

This guide outlines how to create a Ping Identity Application and integrate it with Chainguard. After completing this guide, you’ll be able to log in to Chainguard using Ping and will no longer be limited to the default SSO options.

Adding Custom Certificates with Custom Assembly

Thu, 12 Mar 2026 11:07:52 +0200

Many enterprise environments use internal certificate authorities (CAs) to issue certificates for internal services. These custom certificates need to be trusted by containers that communicate with the internal services. Custom Assembly allows you to build custom certificates directly into your container images, ensuring they trust your organization’s internal services without requiring manual certificate mounting at runtime.

Note: If you are looking for a way to embed certificates at build time, refer to our guide on How To Use incert to Create Container Images with Built-in Custom Certificates.

How To Integrate Keycloak with Chainguard

Fri, 04 Apr 2025 00:00:00 +0000

By default, the Chainguard platform supports Single sign-on (SSO) authentication for users with GitHub, GitLab, and Google.

This guide outlines how to create a Keycloak Client on your existing Keycloak instance and integrate it with Chainguard. After completing this guide, you’ll be able to log in to Chainguard using Keycloak and will no longer be limited to the default SSO options.

Prerequisites

To complete this guide, you will need the following:

Create an Assumable Identity for a Bitbucket Pipeline

Wed, 17 May 2023 08:48:45 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines how to create an identity using Terraform, and then how to update a Bitbucket pipeline so that it can assume the identity and interact with Chainguard resources.

Prerequisites

To complete this guide, you will need the following.

How To Integrate Microsoft Entra ID SSO with Chainguard

Mon, 17 Apr 2023 08:48:45 +0000

This guide outlines how to create a Microsoft Entra ID (formerly Azure Active Directory) application and integrate it with Chainguard. After completing this guide, you’ll be able to log in to Chainguard using Entra ID and will no longer be limited to the default SSO options.

Use chainctl to Create an Assumable Identity for a Jenkins Pipeline

Sun, 07 Sep 2025 08:48:45 +0000

Jenkins is an open source automation server that supports building, deploying, and automating projects.

This guide explains how to use chainctl to create an assumable identity and configure Jenkins to use that identity to authenticate to Chainguard. To accomplish this, create an OIDC token credential in Jenkins and a matching Chainguard identity that uses the Jenkins OIDC URL, then put the process into an example Jenkins build pipeline.

To do this using Terraform, follow the instructions in Use Terraform to Create an Assumable Identity for a Jenkins Pipeline.

Chainguard API v2 Tutorial

Mon, 30 Mar 2026 08:49:31 +0000

Note: The Chainguard API v2 is in beta.

The v2 API introduces cursor-based pagination, server-side ordering, consistent resource patterns, and structured error responses across all endpoints.

This guide walks through the v2 API using real curl commands.

Note: The example output in this guide was captured from a development environment. Your organization’s resource names, UIDs, timestamps, and counts will differ. The response structure and field names are the same across all environments.

Use Terraform to Create an Assumable Identity for a Jenkins Pipeline

Sun, 07 Sep 2025 08:48:45 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines how to create an identity using Terraform, and then how to update a Jenkins pipeline so that it can assume the identity and interact with Chainguard resources. If you would like to follow this guide using chainctl, Chainguard’s command line tool, you can review Use chainctl to Create an Assumable Identity for a Jenkins Pipeline.

Create an Assumable Identity for a CLI session authenticated with Keycloak

Tue, 26 Mar 2024 08:48:45 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines how to create an identity using Terraform, and then assume the identity with the CLI to interact with Chainguard resources.

Prerequisites

To complete this guide, you will need the following.

Can anybody build Chainguard Containers themselves?

Sat, 02 Aug 2025 16:00:00 +0000

Transcript

Interviewer: But everything is open source—can anybody build the images themselves?

Authenticating with the Chainguard SDK

Wed, 04 Jun 2025 08:49:31 +0000

There are several ways for users to interact with the Chainguard platform, with chainctl (Chainguard’s command-line tool) and the Chainguard Console (Chainguard’s web interface) being the two most commonly-used methods. However, both of these require a human user to authenticate, and aren’t useful for working with Chainguard resources programmatically.

The Chainguard SDK serves to ease programmatic integration with the Chainguard platform. This guide highlights two examples from the SDK repository that show how to authenticate to the Chainguard registry using the chainguard.dev/sdk/auth and chainguard.dev/sdk/auth/ggcr packages. The first has you authenticate as a local user, while the second has you authenticate as an assumed identity.

Example Policies

Fri, 15 Jul 2022 15:22:20 +0100

The Sigstore Policy Controller allows users to create their own security policies that they can be enforced on Kubernetes clusters. Here are a few example policies to help you get started.

You may also review the Sigstore Policy Controller documentation. In particular, we encourage you to review the Policy Controller documentation relating to the Admission of images to learn how to admit images through the cluster image policy.

Policy enforcing signed containers

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
name: signed-keyless
spec:
images:
# All images
- glob: "**"
authorities:
- keyless:
url: https://fulcio.sigstore.dev
ctlog:
url: https://rekor.sigstore.dev

Example using Chainguard Containers from Chainguard’s registry:

Getting Started with melange

Thu, 21 Jul 2022 15:21:01 +0200

melange is an apk builder tool that uses declarative pipelines to create apk packages. From a single YAML file, users are able to generate multi-architecture apks that can be injected directly into apko builds.

Understanding melange can help you better understand the Wolfi operating system and how Chainguard Containers are made to be minimal and secure, but it is not necessary to have a background in melange in order to use Chainguard Containers.

In this guide, you’ll learn how to build a software package with melange. To demonstrate the versatile combination of melange and apko builds, we’ll package a small command-line PHP script and build a minimalist container image based on Wolfi with the generated apk. All files used in this demo are open source and available at the melange-php-demos repository.

Getting Started with apko

Wed, 06 Jul 2022 08:49:31 +0000

apko is a command-line tool to build container images using a declarative language based on YAML. apko is so named as it uses the apk package format and is inspired by the ko build tool. It is part of the open source tooling Chainguard developed to create the Wolfi operating system which is used in Chainguard Containers.

Why apko

Container images are typically assembled in multiple steps. A tool like Docker, for example, combines building steps (as in, running commands to copy files, build and deploy applications) and composition (as in, composing a base image with pre-built packages) in a single piece of software. apko, on the other hand, is solely a composition tool that focuses on producing lightweight, “flat” base images that are fully reproducible and contain auto generated SBOM files for every successful build.

Using Init Containers with Chainguard Containers

Mon, 04 Aug 2025 15:21:01 +0000

Chainguard Containers are designed with minimalism and security in mind. By including fewer packages and tools, Chainguard Containers have a smaller attack surface than their counterparts. However, there are cases where the external counterparts have certain desirable features, like useful startup scripts or configuration defaults.

There are several ways to customize Chainguard Containers. For example, you can use Custom Assembly to add packages to an otherwise minimal Chainguard container image. Changing a Chainguard container image’s configuration — such as updating its entrypoint or adding startup scripts — requires a different strategy. One method for doing so in Kubernetes deployments is to use init containers.

Building a Wolfi Package

Mon, 21 Aug 2023 08:49:31 +0000

Wolfi is a Linux distro created specifically for building stripped-down container images that only include the essential packages needed to run applications in containers. This makes it more secure, as there are fewer potential attack vectors due to the reduced surface area.

Thanks to a fine-tuned maintenance process combining top-notch automation and established best practices from maintainers, Wolfi packages are updated quickly. This ensures that Wolfi users get patches and latest versions of packages at a much faster pace than other distributions. Additionally, Wolfi includes a number of features that help to ensure the provenance and authenticity of packages. For example, all packages are built directly from source and signed with cryptographic signatures. This helps to prevent malicious code from being introduced into the system. Wolfi also provides a high-quality build-time SBOM as standard for all packages.

Creating Wolfi Images with Dockerfiles

Mon, 19 Dec 2022 08:49:31 +0000

Introduction

Wolfi is a minimal open source Linux distribution created specifically for cloud workloads, with an emphasis on software supply chain security. Using apk for package management, Wolfi differs from Alpine in a few important aspects, most notably the use of glibc instead of musl and the fact that Wolfi doesn’t have a kernel as it is intended to be used with a container runtime. This minimal footprint makes Wolfi an ideal base for both distroless images and fully-featured builder images.

How to Keyless Sign a Container Image with Sigstore

Wed, 24 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the lab in chapter 5 of the Linux Foundation Sigstore course.

This tutorial will bring some of the components of Sigstore together in an example project. In this demonstration, we’ll be using GitHub Actions to perform keyless signing on a sample container. In this example, we’ll use a Django container that displays a generic “Hello, World” style landing page. Django is a Python web framework.

How to Generate a Fulcio Certificate

Fri, 19 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Fulcio chapter of the Linux Foundation Sigstore course.

In this tutorial, we are going to create and examine a Fulcio certificate to demonstrate how Fulcio can work in practice. To follow along, you will need Cosign installed on your local system. If you haven’t installed Cosign yet, you can follow the instructions described in How to Install Cosign, or you can follow one of the installation methods described in the official documentation.

How to Inspect and Verify Fulcio Certificates

Fri, 19 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Fulcio chapter of the Linux Foundation Sigstore course.

To inspect a certificate generated by Fulcio, we will first decode it with the base64 command line tool, which is used for encoding and decoding binary to text. Base64 is widely used on the world wide web for binary-to-text encoding. You can check whether the tool is installed by checking whether base64 --help will run. If not, install Base64 with the package manager of your choice, such as apt or Homebrew for macOS.

Bazel Rules for apko

Mon, 23 Oct 2023 08:49:31 +0000

rules_apko is an open source plugin for Bazel that makes it possible to build secure, minimal Wolfi-based container images using the Bazel build system. It wraps the apko tool for use under Bazel, providing hermetic, reproducible image builds with full Bazel caching support.

By the end of this guide you will have a working Bazel project that builds a minimal Wolfi-based container image using rules_apko.

How to build a container with Bazel using `rules_apko`

This page covers rules_apko version 1.5.37 with Bazel 9.0.1 using Bzlmod, which is the only supported dependency management method in Bazel 9. If you are on an earlier version of Bazel, you should upgrade to Bazel 9 before following this guide.

Procedural on

How to Install Sigstore Policy Controller

Prerequisites

How to Install the Rekor CLI

How to Install Cosign

How to Query Rekor

How to Sign a Container with Cosign

How to Sign and Upload Metadata to Rekor

How to Sign Blobs and Standard Files with Cosign

How to Set Up An Instance of Rekor Instance Locally

How to Sign an SBOM with Cosign

Disallowing Non-Default Capabilities

Prerequisites

Disallowing Privileged Pods

Prerequisites

Disallowing Run as Root User

Prerequisites

Maximum Container Image Age

Prerequisites

Disallowing Unsafe sysctls

Prerequisites

Verify Signed Chainguard Containers

Prerequisites

How to Verify File Signatures with Cosign

Using chainctl to Manage Custom Assembly Resources

Subscribing to Chainguard CloudEvents

How to Pull Packages from Chainguard Package Repositories through Artifactory

Create an Assumable Identity for a GitLab CI/CD Pipeline

Prerequisites

Create Role-bindings for a GitHub Team Using Terraform

How To Integrate Okta SSO with Chainguard

Rego Policies

How to Manage Chainguard IAM Organizations

Logging in

Create an Assumable Identity to Authenticate from Azure

Using GitOps to Manage Custom Assembly Resources

Create an Assumable Identity for a Kubernetes Pod

Prerequisites

Getting Started with OpenVEX and vexctl

Using the Chainguard API to Manage Custom Assembly Resources

Mirror new Containers to Google Artifact Registry with Chainguard CloudEvents

Create an Assumable Identity for a Buildkite Pipeline

Prerequisites

How To Integrate Ping Identity SSO with Chainguard

Adding Custom Certificates with Custom Assembly

How To Integrate Keycloak with Chainguard

Prerequisites

Create an Assumable Identity for a Bitbucket Pipeline

Prerequisites

How To Integrate Microsoft Entra ID SSO with Chainguard

Use chainctl to Create an Assumable Identity for a Jenkins Pipeline

Chainguard API v2 Tutorial

Use Terraform to Create an Assumable Identity for a Jenkins Pipeline

Create an Assumable Identity for a CLI session authenticated with Keycloak

Prerequisites

Can anybody build Chainguard Containers themselves?

Transcript

Authenticating with the Chainguard SDK

Example Policies

Policy enforcing signed containers

Getting Started with melange

Getting Started with apko

Why apko

Using Init Containers with Chainguard Containers

Building a Wolfi Package

Creating Wolfi Images with Dockerfiles

Introduction

How to Keyless Sign a Container Image with Sigstore

How to Generate a Fulcio Certificate

How to Inspect and Verify Fulcio Certificates

Bazel Rules for apko

How to build a container with Bazel using rules_apko

How to build a container with Bazel using `rules_apko`