13.5. 使用带有 quay 的 cosign
如果您有 Go 1.16+,您可以使用以下命令直接安装 cosign:
$ go install github.com/sigstore/cosign/cmd/cosign@v1.0.0 go: downloading github.com/sigstore/cosign v1.0.0 go: downloading github.com/peterbourgon/ff/v3 v3.1.0 ...
接下来,生成密钥对:
$ cosign generate-key-pair Enter password for private key: Enter again: Private key written to cosign.key Public key written to cosign.pub
使用以下命令为密钥对签名:
$ cosign sign -key cosign.key quay-server.example.com/user1/busybox:test Enter password for private key: Pushing signature to: quay-server.example.com/user1/busybox:sha256-ff13b8f6f289b92ec2913fa57c5dd0a874c3a7f8f149aabee50e3d01546473e3.sig
有些用户可能会遇到以下错误:
error: signing quay-server.example.com/user1/busybox:test: getting remote image: GET https://quay-server.example.com/v2/user1/busybox/manifests/test: UNAUTHORIZED: access to the requested resource is not authorized; map[]
由于 cosign 依赖于 ~/.docker/config.json 进行授权,因此您可能需要执行以下命令:
$ podman login --authfile ~/.docker/config.json quay-server.example.com Username: Password: Login Succeeded!
您可以使用以下命令查看更新的授权配置:
$ cat ~/.docker/config.json { "auths": { "quay-server.example.com": { "auth": "cXVheWFkbWluOnBhc3N3b3Jk" } }