Kubernetes Secrets

Cosign can use keys stored in Kubernetes Secrets to sign and verify signatures. In order to generate a secret, pass a k8s://[NAMESPACE]/[NAME] URI specifying the namespace and secret name to cosign generate-key-pair as follows.

cosign generate-key-pair k8s://default/testsecret
Enter password for private key: ****
Enter again: ****
Successfully created secret testsecret in namespace default
Public key written to cosign.pub

After generating the key pair, Cosign will store it in a Kubernetes secret using your current context. The secret will contain the private and public keys, as well as the password to decrypt the private key.

The secret has the following structure:

apiVersion: v1
kind: Secret
  name: testsecret
  namespace: default
type: Opaque
  cosign.password: YWJjMTIz
  cosign.pub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQo[...]==

When verifying an image signature using cosign verify, the key will be automatically decrypted using the password stored in the Kubernetes secret under the cosign.password field.

Edit this page on GitHub Updated at Thu, Feb 2, 2023