
docs: add lab8 submission — signing + attestations#9

Open
ph1larmon1a wants to merge 1 commit into main from feature/lab8

Conversation

@ph1larmon1a
Owner

Goal

Add supply-chain security enhancements to the project by introducing container image signing, SBOM and SLSA provenance attestations, and non-container artifact signing workflows using Cosign. This PR aligns the project with modern software integrity best practices and helps ensure artifacts can be verified against tampering.

Changes

  • Added Cosign key generation and secure handling instructions
  • Signed container image by immutable digest
  • Added CycloneDX SBOM attestation to the image
  • Added SLSA provenance attestation with builder metadata and timestamp
  • Implemented tamper detection demonstration (tag overwritten, signature fails)
  • Verified image signatures and attestations against local registry
  • Generated and verified signed blob (sample.tar.gz) using Cosign bundle
  • Added documentation to submission8.md detailing:
    • Difference between signatures and attestations
    • How digest-based signing prevents tampering
    • Purpose of SBOMs and provenance
    • Use cases for blob signing

Testing

Manual testing performed as part of Lab workflow:

  • Image signed and verified using public key
  • Tampered image correctly failed verification
  • SBOM attestation created and successfully verified
  • Provenance attestation created and successfully verified
  • Blob signature verified successfully with Verified OK
  • Attestation payload inspected and decoded

Steps to reproduce are documented in the lab scripts.

Artifacts & Screenshots

  • Original digest ref: localhost:5001/juice-shop@sha256:872efcc0...
  • After tamper digest: localhost:5001/juice-shop@sha256:4d27946a...
  • Verification logs located in labs/lab8/attest/ & labs/lab8/artifacts/
  • SBOM & provenance examples stored in repo
  • Decoded attestation: verify-provenance-decoded.json
  • Documentation: submission8.md

Checklist

  • PR has a clear and descriptive title
  • Documentation updated if needed
  • No secrets or large temporary files committed
  • Task 1 — Local registry, signing, verification (+ tamper demo)
  • Task 2 — Attestations (SBOM or provenance) + payload inspection
  • Task 3 — Artifact signing (blob/tarball)
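The following is an added example that models what Tasks 1 and 2 above verify; it is not code from this lab repository or from Cosign itself. A hypothetical in-memory `Registry` stands in for `localhost:5001`, and HMAC-SHA256 with a constant key stands in for the ECDSA P-256 key pair that `cosign generate-key-pair` produces, so the block runs offline with the standard library only. The payload shapes are the real ones: Cosign's simple-signing JSON (which names the manifest digest), an in-toto Statement, and a DSSE envelope whose signature covers the PAE encoding of the Statement. The predicate type URI and the `buildType` value are assumptions chosen for illustration, and the two manifests are constructed sample input.

```python
"""Digest-bound image signing and DSSE/in-toto attestations, modelled in Python.
Added example, not code from the lab repo or from cosign: an in-memory Registry stands in
for localhost:5001 and HMAC-SHA256 stands in for cosign's ECDSA P-256 key (both assumptions),
so it runs offline; the payload, Statement and DSSE envelope formats are the real ones."""
import base64, hashlib, hmac, json

SIGNING_KEY = b"stand-in for cosign.key"          # assumption: symmetric key, not ECDSA
SLSA_V1 = "https://slsa.dev/provenance/v1"       # assumed predicate type for the demo
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def split_ref(ref):
    """'repo:tag' -> (repo, tag, None); 'repo@sha256:..' -> (repo, None, digest)."""
    if "@" in ref:
        repo, digest = ref.split("@", 1)
        return repo, None, digest
    repo, _, tag = ref.rpartition(":")
    return repo, tag, None


class Registry:
    """Hypothetical registry: tags are mutable pointers, blobs are content-addressed."""
    def __init__(self):
        self.blobs, self.tags, self.signatures, self.attestations = {}, {}, {}, {}

    def push(self, ref, manifest):
        repo, tag, _ = split_ref(ref)
        digest = "sha256:" + hashlib.sha256(manifest).hexdigest()
        self.blobs[digest] = manifest
        self.tags[(repo, tag)] = digest      # re-pushing a tag only moves the pointer
        return digest

    def resolve(self, ref):
        repo, tag, digest = split_ref(ref)
        return digest or self.tags[(repo, tag)]


def mac(data):
    return base64.b64encode(hmac.new(SIGNING_KEY, data, "sha256").digest()).decode()


def sign_image(reg, ref):
    """Like `cosign sign`: resolve the tag first, then sign a payload that names the digest."""
    repo, _, _ = split_ref(ref)
    digest = reg.resolve(ref)
    payload = json.dumps({"critical": {"identity": {"docker-reference": repo},
                                       "image": {"docker-manifest-digest": digest},
                                       "type": "cosign container image signature"},
                          "optional": None}, separators=(",", ":")).encode()
    reg.signatures.setdefault(digest, []).append((payload, mac(payload)))   # stored by digest
    return digest


def verify_image(reg, ref):
    """Like `cosign verify`: look up signatures under the digest the ref resolves to NOW."""
    digest = reg.resolve(ref)
    for payload, sig in reg.signatures.get(digest, []):
        bound = json.loads(payload)["critical"]["image"]["docker-manifest-digest"]
        if hmac.compare_digest(sig, mac(payload)) and bound == digest:
            return True
    return False


def pae(payload_type, body):
    """DSSE pre-authentication encoding: the signature covers this, not the raw body."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(body), body)


def attest_image(reg, ref, predicate_type, predicate):
    """Like `cosign attest`: an in-toto Statement about the digest inside a DSSE envelope."""
    repo, _, _ = split_ref(ref)
    digest = reg.resolve(ref)
    statement = {"_type": "https://in-toto.io/Statement/v1",
                 "subject": [{"name": repo, "digest": {"sha256": digest[len("sha256:"):]}}],
                 "predicateType": predicate_type, "predicate": predicate}
    body = json.dumps(statement, separators=(",", ":")).encode()
    envelope = {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(body).decode(),
                "signatures": [{"keyid": "", "sig": mac(pae(PAYLOAD_TYPE, body))}]}
    reg.attestations.setdefault(digest, []).append(envelope)
    return envelope


def verify_attestation(reg, ref, predicate_type):
    """Like `cosign verify-attestation --type ...`: check the envelope signature over the PAE,
    then that the Statement's subject digest and predicateType match. Returns the predicate."""
    digest = reg.resolve(ref)
    for env in reg.attestations.get(digest, []):
        body = base64.b64decode(env["payload"])
        if not hmac.compare_digest(env["signatures"][0]["sig"], mac(pae(env["payloadType"], body))):
            continue
        stmt = json.loads(body)
        if stmt["predicateType"] == predicate_type and any(
                s["digest"].get("sha256") == digest[len("sha256:"):] for s in stmt["subject"]):
            return stmt["predicate"]         # the decoded payload, as in the lab's *-decoded.json
    return None


def run_lab_demo():
    """Task 1 + Task 2 on constructed manifests; returns the verification outcomes."""
    reg, tag_ref = Registry(), "localhost:5001/juice-shop:latest"
    good = b'{"schemaVersion":2,"layers":["constructed layer A"]}'              # constructed
    evil = b'{"schemaVersion":2,"layers":["constructed layer A","backdoor"]}'   # constructed
    original = reg.push(tag_ref, good)
    digest_ref = "localhost:5001/juice-shop@" + original
    sign_image(reg, tag_ref)
    attest_image(reg, tag_ref, SLSA_V1, {"buildDefinition": {"buildType": "lab8/manual"}})
    tampered = reg.push(tag_ref, evil)   # attacker overwrites the tag; the old blob is untouched
    return {"original": original, "tampered": tampered,
            "tag_verifies_after_tamper": verify_image(reg, tag_ref),
            "digest_still_verifies": verify_image(reg, digest_ref),
            "provenance_via_tag": verify_attestation(reg, tag_ref, SLSA_V1),
            "provenance_via_digest": verify_attestation(reg, digest_ref, SLSA_V1)}
```

Running `run_lab_demo()` reproduces the tamper demonstration from Task 1: after the tag is overwritten, verification through the tag fails because the signature is stored under (and its payload names) the original digest, while verification through the `@sha256:` reference still passes. The same lookup rule makes the provenance attestation disappear when queried via the tag, and `verify_attestation` shows the two checks a payload inspection must not skip: the DSSE signature is checked over the PAE bytes rather than the decoded JSON, and the Statement's `subject` digest is compared with the image actually being verified.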

