1 - Edit the Dockerfile commit and push (the push will trigger the build, we will use the results in demo 2)
2 - Create container image
IMAGE=ghcr.io/albasystems/hello-slsa:manual
docker build -t $IMAGE .3 - Run the container
docker run $IMAGE4 - Push the image
docker push $IMAGE5 - Update the image name with the image's digest : We need this because we want to sign an immutable image.
IMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE)
echo $IMAGE6 - Sign the image
cosign sign $IMAGE7 - Verify the signature
cosign verify $IMAGE --certificate-identity [email protected] --certificate-oidc-issuer "https://github.com/login/oauth" | jq .8 - Check the rekor entry, go to https://rekor.tlog.dev/?logIndex=$log_index
log_index=$(cosign verify $IMAGE --certificate-identity [email protected] --certificate-oidc-issuer "https://github.com/login/oauth" -o json | jq '.[-1].optional.Bundle.Payload.logIndex')``
echo $log_indexor
rekor-cli get --format json --log-index $logIndex | jq .