You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+27Lines changed: 27 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -34,6 +34,7 @@ This aligns directly with NHS ongoing work to strengthen the security posture of
34
34
-[Prerequisites](#prerequisites)
35
35
-[GitHub App setup](#github-app-setup)
36
36
-[Bot setup for commit signing](#bot-setup-for-commit-signing)
37
+
-[Container image signing with Cosign](#container-image-signing-with-cosign)
37
38
-[Design decisions and rationale](#design-decisions-and-rationale)
38
39
-[🧩 Why use a GitHub App Token instead of a Personal Access Token (PAT)](#-why-use-a-github-app-token-instead-of-a-personal-access-token-pat)
39
40
-[🔐 Why the signing key belongs to a bot, not the App](#-why-the-signing-key-belongs-to-a-bot-not-the-app)
@@ -103,6 +104,9 @@ Repository secrets provide the credentials and cryptographic materials required
103
104
-`GH_VERSIONING_APP_PRIVATE_KEY` - the GitHub App's private key used to create short-lived auth tokens
104
105
-`GIT_SIGNING_BOT_GPG_PRIVATE_KEY` - private signing key of your release bot
105
106
-`GIT_SIGNING_BOT_GPG_PASSPHRASE` - the key passphrase
107
+
-`COSIGN_PUBLIC_KEY`
108
+
-`COSIGN_PRIVATE_KEY`
109
+
-`COSIGN_PASSWORD`
106
110
107
111
All of the above variables and secrets have an organisation-wide equivalent managed centrally by the NHS GitHub Admins. These defaults are automatically available to all repositories, ensuring consistent configuration, simplified onboarding, and alignment with NHS engineering and security standards.
108
112
@@ -191,6 +195,29 @@ Steps:
191
195
192
196
After that, all commits made by the workflow will appear as _"Verified ✅"_ on GitHub.
193
197
198
+
### Container image signing with Cosign
199
+
200
+
In addition to commit signing, this repository also demonstrates how to sign and verify container images using Sigstore Cosign. Cosign provides cryptographic assurance that every published image originates from a trusted workflow and has not been altered after build. Each image pushed to the GitHub Container Registry (GHCR) is automatically signed as part of the release workflow. This produces tamper-evident OCI artefacts stored alongside the image, allowing anyone to independently verify its provenance. There are the following benefits:
201
+
202
+
- End-to-end provenance, extends the trusted chain of custody from commit to container
203
+
- Tamper evidence, every signature includes cryptographic metadata that cannot be forged or moved between images
204
+
- Transparency, the signature is also recorded in the public Sigstore Rekor transparency log for immutable auditability
205
+
- Alignment with NHS Secure by Design, strengthens cyber resilience by ensuring only verified and trusted artefacts reach production
206
+
207
+
To verify a signed image:
208
+
209
+
```bash
210
+
cosign verify --key cosign.pub ghcr.io/{{ repository }}:{{ version }}
211
+
```
212
+
213
+
The output confirms that:
214
+
215
+
- the signature matches the published public key,
216
+
- the digest corresponds to the exact build produced by the workflow, and
217
+
- the signature is recorded in the transparency log if enabled.
218
+
219
+
This ensures that every deployment can be proven authentic and traceable, a core requirement for secure software supply-chain assurance within NHS.
220
+
194
221
## Design decisions and rationale
195
222
196
223
These explanations are meant to help you and me to understand _why_ each part of this setup exists, so none of us has to guess later.
0 commit comments