
Commit ad8896f

Merge pull request #1460 from Anselmoo/feature/docs-cosign
docs: 📝 Update `cosign` installation instructions and add verification steps
2 parents 1848dc3 + 7365fd9 commit ad8896f

1 file changed

+45
-1
lines changed

INSTALLATION.md

@@ -214,7 +214,49 @@ available plugins are:
214214
215215
!!! info "About cosign"
216216
217-
_coming soon_
217+
The `cosign` is a tool for signing and verifying container images as part of the
218+
[sigstore][10] project.The `cosign` can be used to sign the `SpectraFit` container
219+
image. The `cosign` can be [installed][11] via:
220+
221+
```bash
222+
# install cosign for macOS and Linux
223+
brew install cosign
224+
# install cosign via go
225+
go install github.com/sigstore/cosign/v2/cmd/cosign@latest
226+
```
227+
228+
To verify the SpectraFit container image, SpectraFit's public key is required and
229+
can be found under: https://github.com/Anselmoo/spectrafit/blob/main/cosign.pub.
230+
You can save the public key to a file named cosign.pub:
231+
232+
```bash
233+
cat cosign.pub
234+
-----BEGIN PUBLIC KEY-----
235+
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/6fPQhwVsFvcfGtSFBIwdHbTxkF3
236+
KaNOdpXBpmyrM/y1TM5YgTYl5mVq7km/LPukbXslcrVX1dT5H+FUP6+onQ==
237+
-----END PUBLIC KEY-----
238+
```
239+
Then, cosign can be used to verify the SpectraFit container image:
240+
241+
```bash
242+
cosign verify --key cosign.pub ghcr.io/anselmoo/spectrafit:latest
243+
244+
# or export to json
245+
cosign verify --key cosign.pub ghcr.io/anselmoo/spectrafit:latest > cosign_verify.json
246+
```
247+
248+
and the output can be saved to a file named `cosign_verify.json`.
249+
250+
```bash
251+
cat cosign_verify.json
252+
[
253+
{
254+
"critical": {
255+
"identity": {
256+
"docker-reference": "ghcr.io/anselmoo/spectrafit"
257+
},
258+
...
259+
```
218260
219261
[1]: https://github.com/pypa/pipx
220262
[2]: https://conda.io/docs/
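Review bot: the verify commands at new lines 242 and 245 check `ghcr.io/anselmoo/spectrafit:latest`, a mutable tag, so the result only covers whatever the tag pointed to at that moment and not necessarily the image a user pulls afterwards. Suggest documenting verification and pull by the same digest reference, e.g. `ghcr.io/anselmoo/spectrafit@sha256:<digest>` (placeholder), or at least by a release tag. The same applies to `go install ...@latest` at new line 225, which could name a released version. Separately, the "save the public key" step at new lines 230 to 237 only shows `cat cosign.pub`, which prints a file that already exists; show how the file is obtained before it is printed. Minor wording: "project.The" at new line 218 is missing a space, and "The `cosign`" reads better as plain "`cosign`". The sentence at new line 248 repeats what the redirect at new line 245 already does and could be merged into the comment above that command.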
@@ -226,3 +268,5 @@ available plugins are:
226268
[7]: https://github.com/conda-forge/spectrafit-feedstock
227269
[8]: https://python-poetry.org/docs/
228270
[9]: https://github.com/Anselmoo/spectrafit/
271+
[10]: https://www.sigstore.dev
272+
[11]: https://docs.sigstore.dev/system_config/installation/
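Review bot: the new definitions `[10]` and `[11]` cover sigstore and the install guide, but the public-key link in the first hunk (new line 229) is left as a bare URL with the sentence's trailing period attached to it. Suggest adding a `[12]` definition here for `cosign.pub` and referencing it from the text, which keeps the link style consistent with the rest of the file and keeps the period out of the link.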
