From YouTube: Demo - Image signing and verification with GitLab+Flux
Hello, Victor here, the product manager of GitLab speaking. This is one more very short video on the demo projects and how I expanded them a little bit. These are demo projects that are public, so you can check out the code yourself, but for now let's focus on what we have today: I actually added image signing and attestation checking, that is, signature checking, into the delivery project. Let me quickly walk through how that happens, but before that, let's take a look at what it means.
So, let's see how we do that. Some things happen in GitLab CI, where we are building the OCI artifacts and the Helm charts to be deployed to the cluster, and the other things happen in the cluster. First of all, we have a dedicated image.
And what we do is that in the flux-oci job, we create the image with flux push artifact, and then we extract the digest URL of that image, in a single command actually, and we log into cosign and sign the image. Now, login happens with the ID token, the OIDC support in GitLab CI, so you don't have to store any long-lived tokens within GitLab. And once the image is signed, we can actually
go and tell Flux. This is a Flux HelmRelease, as you can see, and you can set it to check the provider of this Helm chart using cosign with a specified secret key, and similarly we can tell the related OCIRepository to check the image with cosign in the cluster. We have everything running, as you can see. First of all, I'm using... let's go back one more minute here. Here you can see that I'm using a cosign key prefixed with kubernetes.
This means that this key exists in the cluster. There is a dedicated cosign command, generate secret key if I remember well, to generate the secret, the private/public key pair and the password, and you can store it immediately in your cluster as well. That's why we actually need to run kubectl out here as well, in order to select the right cluster, after which cosign will be able to access that cluster using the selected context, and everything nicely fits together. So first, let's see the secret. It's there. This is the cosign key.
It has three keys, doesn't really matter. We only need the pub key for checking the signature and, of course, the password and the private key for signing itself. And then let's see how it looks like. It's really there. We have these OCI repositories that I showed you before that are meant to be signed.
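The pipeline job and the two Flux objects the video walks through, written out as an added example; this is not the demo project's own configuration. The tool image, the registry path, the GitLab agent context name and the chart names are placeholders. The demo's OIDC login step is not shown in the transcript, so the job below only declares the ID token and authenticates to the registry with the job's own credentials (an assumption); the sign step reads the private key and password from the Kubernetes secret through the selected kubectl context, as described in the video.

```yaml
# --- .gitlab-ci.yml excerpt (added example; names are placeholders) ---
flux-oci:
  stage: build
  image: registry.example.com/demo/flux-cosign-kubectl:latest  # placeholder for the dedicated tool image
  id_tokens:
    GITLAB_OIDC_TOKEN:            # short-lived OIDC ID token minted by GitLab CI for this job
      aud: https://gitlab.example.com
  script:
    # Build and push the OCI artifact, printing the result as JSON so the
    # digest can be captured in the same step and the image is signed by digest, never by tag.
    - |
      DIGEST_URL=$(flux push artifact "oci://$CI_REGISTRY_IMAGE/manifests:$CI_COMMIT_SHORT_SHA" \
        --path=./deploy \
        --source="$CI_PROJECT_URL" \
        --revision="$CI_COMMIT_SHA" \
        --output=json | jq -r '.repository + "@" + .digest')
      echo "Signing $DIGEST_URL"
    # Registry login with the job's ephemeral credentials (assumption: no long-lived token stored).
    - cosign login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"
    # Select the cluster context so cosign can read the signing key from a Kubernetes secret.
    - kubectl config use-context "$CI_PROJECT_PATH:demo-agent"   # placeholder agent name
    # Sign with the private key (and password) stored in the cluster secret.
    - cosign sign --yes --key k8s://flux-system/cosign-key "$DIGEST_URL"
---
# --- Flux objects in the cluster (added example) ---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: demo-manifests
  namespace: flux-system
spec:
  interval: 5m
  url: oci://registry.example.com/demo/manifests   # placeholder registry path
  ref:
    tag: latest
  verify:
    provider: cosign        # source-controller rejects revisions whose signature does not verify
    secretRef:
      name: cosign-key      # secret created by cosign; Flux uses the *.pub entry
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: demo-app
  namespace: flux-system
spec:
  interval: 10m
  chart:
    spec:
      chart: demo-app       # placeholder chart name
      version: "1.x"
      sourceRef:
        kind: HelmRepository
        name: demo-charts   # assumed to be an OCI-type HelmRepository
      verify:
        provider: cosign    # chart is only rendered if its signature verifies
        secretRef:
          name: cosign-key
```

The secret referenced by both verify blocks is the one the video inspects: cosign generate-key-pair k8s://flux-system/cosign-key stores three entries (cosign.key, cosign.pub and cosign.password) in that secret, and Flux only needs the public entry while the CI job needs the private key and password. With verify set, an artifact or chart pushed without a valid signature does not get applied; the OCIRepository or HelmRelease instead reports a verification failure in its status, which is the signal to alert on.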