Feature/lab8

[ostxxp]

Goal

Implement container image signing, verification, and attestation using Cosign to ensure integrity and provenance of artifacts.

Changes

• Set up local Docker registry and pushed Juice Shop image
• Generated Cosign key pair and signed image by digest
• Verified image signature using public key
• Simulated image tampering and demonstrated signature invalidation
• Created and verified SLSA provenance attestation
• Generated SBOM (CycloneDX) and verified attestation
• Signed and verified arbitrary artifact (tar.gz blob)
• Collected all outputs and logs in labs/lab8

Testing

• Verified signed image using cosign verify (successful)
• Replaced image with tampered version, and verification failed as expected
• Verified provenance attestation using cosign verify-attestation
• Verified SBOM attestation
• Verified blob signature using cosign verify-blob
• All commands were executed locally and produced the expected results

Artifacts & Screenshots

• analysis/ref.txt, analysis/ref-after-tamper.txt — image digest references
• analysis/verify.json — image signature verification result
• attest/provenance.json, attest/verify-provenance.txt — provenance attestation
• attest/juice-shop.cdx.json, attest/verify-sbom-attestation.txt — SBOM attestation
• artifacts/sample.tar.gz.bundle, artifacts/verify-blob.txt — blob signing and verification

Checklist

• Clear and descriptive title
• Documentation updated if needed
• No secrets or temporary files included