keyless image signing with Sigstore (Cosign/Rekor/GH action/GHCR)

Shi
Published in CI/CD/DevOps
3 min read · Feb 18, 2024

I am trying to duplicate the steps in https://edu.chainguard.dev/open-source/sigstore/how-to-keyless-sign-a-container-with-sigstore/

GitHub Actions workflow sample:

```yaml
name: Publish and Sign Container Image

on:
  schedule:
    - cron: '32 11 * * *'
  push:
    branches: [ main ]
    # Publish semver tags as releases.
    tags: [ 'v*.*.*' ]
  pull_request:
    branches: [ main ]

jobs:
  build:

    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # push the image to GHCR
      id-token: write   # lets the job request the OIDC token that cosign trades for a short-lived signing certificate

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Install cosign
        uses: sigstore/cosign-installer@v3.2.0

      - name: Check install!
        run: cosign version

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v2

      # The two Docker actions below track the moving `master` ref; pinning them to a
      # release tag or commit SHA keeps the workflow from picking up unreviewed changes.
      - name: Log into ghcr.io
        uses: docker/login-action@master
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push container image
        id: push-step
        uses: docker/build-push-action@master
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:latest

      # Sign by digest, not by tag: a tag can be re-pointed later, the digest cannot.
      - name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.push-step.outputs.digest }}
          TAGS: ghcr.io/${{ github.repository }}
          COSIGN_EXPERIMENTAL: "true"
        run: cosign sign --yes "${TAGS}@${DIGEST}"

      # Verification pins both the signer identity (repo, workflow file and branch)
      # and the OIDC issuer, so a signature from another workflow or branch is rejected.
      - name: Verify the images
        run: |
          cosign verify ghcr.io/whoissqr/cg-test-keyless-sign \
            --certificate-identity https://github.com/whoissqr/cg-test-keyless-sign/.github/workflows/main.yml@refs/heads/main \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
```

It works: the workflow log shows the signing step running, and the verify step succeeds.

Now let’s try to verify the image from the command line in VS Code. A VS Code Codespace is actually running Ubuntu 20, so let’s figure out how to install cosign and rekor-cli there.

```bash
##-1 download the Go archive and unpack it into the directory the PATH below expects
mkdir -p /home/codespace/tools/go-installer
wget https://go.dev/dl/go1.22.0.linux-386.tar.gz
tar -C /home/codespace/tools/go-installer -xvf go1.22.0.linux-386.tar.gz

##-2 add the Go binary path (and the go install target, $GOPATH/bin) to PATH
export PATH=/home/codespace/tools/go-installer/go/bin:$PATH
export GOPATH=$(go env GOPATH)
export PATH=$GOPATH/bin:$PATH
export GOROOT=            # leave GOROOT empty so go uses the tree it was unpacked into
sudo apt-get install gcc-multilib   # 32-bit C toolchain for cgo, since the archive above is the linux-386 build

##-3 install the Rekor CLI
go install -v github.com/sigstore/rekor/cmd/rekor-cli@latest
rekor-cli version

## verify the transparency log entry; replace xxx with the log index that `cosign sign` printed
rekor-cli verify --rekor_server https://rekor.sigstore.dev --log-index xxx
rekor-cli get --rekor_server https://rekor.sigstore.dev --log-index xxx

## install the cosign Go package
# This module path resolves to the cosign v1 line, where COSIGN_EXPERIMENTAL=1 enables
# keyless verification. cosign v2 lives at github.com/sigstore/cosign/v2/cmd/cosign and
# requires --certificate-identity and --certificate-oidc-issuer, as in the workflow above.
go install github.com/sigstore/cosign/cmd/cosign@latest
COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/whoissqr/cg-test-keyless-sign
```

We can then verify the image before deploying it.
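Both the workflow's verify step and the command-line check above pipe `cosign verify` output to the terminal and stop there. The script below is an added example (not code from the post or from the Sigstore project) of turning that output into a deployment gate: it parses the JSON array that `cosign verify` prints, requires that some signature was issued by the expected OIDC issuer to the expected main-branch workflow identity and covers the exact digest about to ship, and returns a digest-pinned reference to deploy instead of the mutable `:latest` tag. The sample payload is constructed to match the shape of cosign's output; its digest and claim values are placeholders, and the identity string is the post's own.

```python
"""Deployment gate over `cosign verify` output (added example, not the post's code)."""
import json
import re
import subprocess
from typing import Optional

# Policy: only the main-branch workflow of the post's repository may sign.
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_IDENTITY = (
    "https://github.com/whoissqr/cg-test-keyless-sign/"
    ".github/workflows/main.yml@refs/heads/main"
)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


class VerificationPolicyError(Exception):
    """Raised when no signature satisfies the deployment policy."""


def strip_tag(image_ref: str) -> str:
    """Return the repository part of an image reference (drop @digest and :tag)."""
    repo = image_ref.split("@", 1)[0]
    last = repo.rsplit("/", 1)[-1]
    if ":" in last:  # a colon in the final path segment is a tag, not a registry port
        repo = repo[: len(repo) - len(last)] + last.split(":", 1)[0]
    return repo


def run_cosign_verify(image_ref: str) -> list:
    """Invoke cosign with identity and issuer pinned and parse its JSON output."""
    cmd = [
        "cosign", "verify",
        "--certificate-identity", EXPECTED_IDENTITY,
        "--certificate-oidc-issuer", EXPECTED_ISSUER,
        image_ref,
    ]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def check_signatures(payloads: list, image_ref: str, expected_digest: str) -> str:
    """Apply the policy to parsed cosign output; return the digest-pinned reference.

    cosign already filtered on identity and issuer on the command line, but the
    checks are repeated here so the policy still holds when the JSON was saved
    to a file or produced by a differently configured cosign invocation.
    """
    if not DIGEST_RE.match(expected_digest):
        raise VerificationPolicyError(f"malformed digest: {expected_digest!r}")
    if not payloads:
        raise VerificationPolicyError("cosign returned no signatures")
    for payload in payloads:
        optional = payload.get("optional") or {}
        critical = payload.get("critical") or {}
        digest = (critical.get("image") or {}).get("docker-manifest-digest")
        if (
            optional.get("Issuer") == EXPECTED_ISSUER
            and optional.get("Subject") == EXPECTED_IDENTITY
            and digest == expected_digest
        ):
            return f"{strip_tag(image_ref)}@{digest}"
    raise VerificationPolicyError(
        "no signature matched the expected issuer, identity and digest"
    )


# Constructed sample shaped like what cosign prints for the post's workflow;
# the digest and the GitHub claims are placeholders, not real values.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_COSIGN_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/whoissqr/cg-test-keyless-sign"},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": EXPECTED_ISSUER,
        "Subject": EXPECTED_IDENTITY,
        "githubWorkflowRef": "refs/heads/main",
        "githubWorkflowRepository": "whoissqr/cg-test-keyless-sign",
        "githubWorkflowTrigger": "push",
    },
}])


def gate(image_ref: str, expected_digest: str, raw_json: Optional[str] = None) -> str:
    """Verify (live via cosign, or from supplied JSON) and return the reference to deploy."""
    payloads = json.loads(raw_json) if raw_json is not None else run_cosign_verify(image_ref)
    return check_signatures(payloads, image_ref, expected_digest)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; drop the third argument to run cosign.
    print(gate("ghcr.io/whoissqr/cg-test-keyless-sign:latest", SAMPLE_DIGEST, SAMPLE_COSIGN_OUTPUT))
```

The digest to pass in comes from the build step (`steps.push-step.outputs.digest` in the workflow above, or `docker buildx imagetools inspect` on the pushed tag); the gate refuses a signature from the same repository but a different branch, which is exactly the case the `@refs/heads/main` suffix in the identity exists to exclude.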
