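#!/usr/bin/env bash
# =============================================================================
# Container Image Signing — Cosign + Keyless (Fulcio)
#
# Usage: $0 <image>
#   <image> should be an image@sha256:<digest> reference; a mutable tag is
#   accepted but warned about, since the tag may move between sign/verify.
#
# Environment (all optional, script-local names — not read by cosign itself):
#   VERIFY_CERT_IDENTITY     expected signer identity (certificate SAN) for
#                            `cosign verify --certificate-identity`
#   VERIFY_CERT_OIDC_ISSUER  expected OIDC issuer URL for
#                            `cosign verify --certificate-oidc-issuer`
#   SBOM_PATH                SPDX JSON SBOM to attach and attest
#                            (default: ./scan-reports/sbom.spdx.json)
# =============================================================================
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

IMAGE="${1:?Usage: $0 <image>}"
SBOM_PATH="${SBOM_PATH:-./scan-reports/sbom.spdx.json}"
readonly IMAGE SBOM_PATH

# Exported so the cosign child processes actually see it — a plain assignment
# stays in this shell only. Only cosign 1.x needs it for keyless mode; 2.x
# defaults to keyless and ignores the variable.
export COSIGN_EXPERIMENTAL=1

command -v cosign >/dev/null 2>&1 || die "cosign not found in PATH"
# Fail before signing anything if the SBOM is missing, rather than leaving a
# signed image with no SBOM after `cosign sign` already succeeded.
[[ -f "${SBOM_PATH}" ]] || die "SBOM not found: ${SBOM_PATH}"

if [[ "${IMAGE}" != *@sha256:* ]]; then
  printf 'warning: %s is a tag, not a digest; the signature binds to the digest the tag resolves to right now\n' "${IMAGE}" >&2
fi

printf '=== Signing %s ===\n' "${IMAGE}"
# Sign with keyless mode (OIDC identity). --yes skips the interactive
# confirmation (including the transparency-log upload prompt) for CI use.
cosign sign \
  --yes \
  "${IMAGE}"

# Verify signature. Without an expected identity and issuer, a keyless verify
# only proves that *some* OIDC identity signed the image; cosign 2.x refuses to
# verify at all without these flags. Pinning is optional here to stay
# backward-compatible, but is loudly warned about when absent.
printf 'Verifying signature...\n'
verify_args=()
if [[ -n "${VERIFY_CERT_IDENTITY:-}" && -n "${VERIFY_CERT_OIDC_ISSUER:-}" ]]; then
  verify_args+=(
    --certificate-identity "${VERIFY_CERT_IDENTITY}"
    --certificate-oidc-issuer "${VERIFY_CERT_OIDC_ISSUER}"
  )
else
  printf 'warning: VERIFY_CERT_IDENTITY / VERIFY_CERT_OIDC_ISSUER not set; signer identity is not pinned\n' >&2
fi
# ${arr[@]+"${arr[@]}"} expands to nothing for an empty array without
# tripping `set -u` on bash < 4.4.
cosign verify \
  ${verify_args[@]+"${verify_args[@]}"} \
  "${IMAGE}"

# Attach SBOM. `cosign attach sbom` is deprecated in recent cosign releases in
# favour of the attestation produced below; kept so existing consumers that
# still look for the attached SBOM keep working.
printf 'Attaching SBOM...\n'
cosign attach sbom \
  --sbom "${SBOM_PATH}" \
  "${IMAGE}"

# Sign SBOM attestation (in-toto predicate of type spdxjson), bound to the
# same image reference.
cosign attest \
  --yes \
  --predicate "${SBOM_PATH}" \
  --type spdxjson \
  "${IMAGE}"

printf '=== Image signed and SBOM attached ===\n'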