\u064a\u062c\u0628 \u062a\u0648\u0642\u064a\u0639 \u0643\u0644 \u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629 \u064a\u0646\u062a\u062c\u0647\u0627 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0628\u0634\u0643\u0644 \u062a\u0634\u0641\u064a\u0631\u064a \u0642\u0628\u0644 \u0623\u0646 \u062a\u0635\u0644 \u0625\u0644\u0649 \u0623\u064a \u0628\u064a\u0626\u0629. \u0627\u0644\u0635\u0648\u0631 \u063a\u064a\u0631 \u0627\u0644\u0645\u0648\u0642\u0639\u0629 \u062a\u0645\u062b\u0644 \u0646\u0642\u0637\u0629 \u0639\u0645\u064a\u0627\u0621 \u2014 \u0644\u064a\u0633 \u0644\u062f\u064a\u0643 \u062f\u0644\u064a\u0644 \u0639\u0644\u0649 \u0623\u0646\u0647\u0627 \u062c\u0627\u0621\u062a \u0645\u0646 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u062e\u0627\u0635 \u0628\u0643\u060c \u0648\u0644\u0627 \u0636\u0645\u0627\u0646 \u0628\u0623\u0646\u0647\u0627 \u0644\u0645 \u064a\u062a\u0645 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0647\u0627 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0646\u0642\u0644\u060c \u0648\u0644\u0627 \u0622\u0644\u064a\u0629 \u0633\u064a\u0627\u0633\u0629 \u0644\u0645\u0646\u0639 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631 \u063a\u064a\u0631 \u0627\u0644\u0645\u0635\u0631\u062d \u0628\u0647\u0627.<\/p>\n
\u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u0639\u0645\u0644 \u0627\u0644\u0639\u0645\u0644\u064a \u0633\u062a\u0642\u0648\u0645 \u0628\u0640:<\/p>\n
\u0628\u0646\u0647\u0627\u064a\u0629 \u0647\u0630\u0627 \u0627\u0644\u0645\u0639\u0645\u0644 \u0633\u064a\u0643\u0648\u0646 \u0644\u062f\u064a\u0643 \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0643\u0627\u0645\u0644 \u064a\u0628\u0646\u064a \u0648\u064a\u062f\u0641\u0639 \u0648\u064a\u0648\u0642\u0639 \u0648\u064a\u0634\u0647\u062f \u0643\u0644 \u0635\u0648\u0631\u0629 \u2014 \u0648\u0633\u064a\u0627\u0633\u0629 Kubernetes \u062a\u0631\u0641\u0636 \u0623\u064a \u0634\u064a\u0621 \u063a\u064a\u0631 \u0645\u0648\u0642\u0639.<\/p>\n
\u0642\u0628\u0644 \u0627\u0644\u0628\u062f\u0621\u060c \u062a\u0623\u0643\u062f \u0645\u0646 \u062a\u0648\u0641\u0631 \u0645\u0627 \u064a\u0644\u064a:<\/p>\n
# macOS (Homebrew)\nbrew install cosign\n\n# Or install from source with Go\ngo install github.com\/sigstore\/cosign\/v2\/cmd\/cosign@latest\n\n# Verify installation\ncosign version<\/code><\/pre>\n\n- kubectl<\/strong> \u0648 Helm<\/strong> \u0645\u062b\u0628\u062a\u0627\u0646 (\u0644\u062a\u0645\u0631\u064a\u0646 Kyverno).<\/li>\n
- Syft<\/strong> \u0645\u062b\u0628\u062a (\u0644\u062a\u0645\u0631\u064a\u0646 SBOM):<\/li>\n<\/ul>\n
brew install syft<\/code><\/pre>\n\u0633\u062a\u062d\u062a\u0627\u062c \u0623\u064a\u0636\u0627\u064b \u0625\u0644\u0649 \u062a\u0637\u0628\u064a\u0642 \u0628\u0633\u064a\u0637 \u0644\u0648\u0636\u0639\u0647 \u0641\u064a \u062d\u0627\u0648\u064a\u0629. \u0625\u0644\u064a\u0643 \u062a\u0637\u0628\u064a\u0642 Go \u0628\u0633\u064a\u0637 \u0648\u0645\u0644\u0641 Dockerfile \u0627\u0644\u062e\u0627\u0635 \u0628\u0647 \u0627\u0644\u0630\u064a \u0633\u0646\u0633\u062a\u062e\u062f\u0645\u0647 \u0637\u0648\u0627\u0644 \u0627\u0644\u0645\u0639\u0645\u0644.<\/p>\n
main.go<\/strong><\/p>\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net\/http\"\n)\n\nfunc main() {\n\thttp.HandleFunc(\"\/\", func(w http.ResponseWriter, r *http.Request) {\n\t\tfmt.Fprintf(w, \"Hello from a signed container!\")\n\t})\n\thttp.ListenAndServe(\":8080\", nil)\n}<\/code><\/pre>\nDockerfile<\/strong><\/p>\nFROM golang:1.22-alpine AS builder\nWORKDIR \/app\nCOPY main.go .\nRUN go build -o server main.go\n\nFROM alpine:3.19\nCOPY --from=builder \/app\/server \/server\nEXPOSE 8080\nENTRYPOINT [\"\/server\"]<\/code><\/pre>\n\u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0628\u064a\u0626\u0629<\/h2>\n
\u0627\u0628\u062f\u0623 \u0628\u0625\u0646\u0634\u0627\u0621 \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u062e\u062a\u0628\u0627\u0631 \u0648\u062f\u0641\u0639 \u0643\u0648\u062f \u0627\u0644\u062a\u0637\u0628\u064a\u0642.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639<\/h3>\n# Create a new directory and initialize a Git repo\nmkdir cosign-lab && cd cosign-lab\ngit init\n\n# Create the Go application and Dockerfile from the prerequisites above\n# Then push to GitHub\ngit add .\ngit commit -m \"Initial commit: simple Go app\"\ngh repo create cosign-lab --public --source=. --push<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u0625\u0646\u0634\u0627\u0621 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0628\u062f\u0648\u0646 \u062a\u0648\u0642\u064a\u0639<\/h3>\n
\u0642\u0628\u0644 \u0625\u0636\u0627\u0641\u0629 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u060c \u0623\u0646\u0634\u0626 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0623\u0633\u0627\u0633\u064a \u064a\u0642\u0648\u0645 \u0641\u0642\u0637 \u0628\u0628\u0646\u0627\u0621 \u0648\u062f\u0641\u0639 \u0627\u0644\u0635\u0648\u0631\u0629. \u0647\u0630\u0627 \u064a\u0639\u0637\u064a\u0643 \u0634\u064a\u0626\u0627\u064b \u0644\u0644\u0645\u0642\u0627\u0631\u0646\u0629 \u0644\u0627\u062d\u0642\u0627\u064b.<\/p>\n
\u0623\u0646\u0634\u0626 .github\/workflows\/build.yml<\/code>:<\/p>\nname: Build and Push (Unsigned)\n\non:\n push:\n tags:\n - 'v*'\n\nenv:\n REGISTRY: ghcr.io\n IMAGE_NAME: ${{ github.repository }}\n\njobs:\n build:\n runs-on: ubuntu-latest\n permissions:\n contents: read\n packages: write\n\n steps:\n - name: Checkout code\n uses: actions\/checkout@v4\n\n - name: Log in to GHCR\n uses: docker\/login-action@v3\n with:\n registry: ${{ env.REGISTRY }}\n username: ${{ github.actor }}\n password: ${{ secrets.GITHUB_TOKEN }}\n\n - name: Extract metadata\n id: meta\n uses: docker\/metadata-action@v5\n with:\n images: ${{ env.REGISTRY }}\/${{ env.IMAGE_NAME }}\n\n - name: Build and push\n uses: docker\/build-push-action@v5\n with:\n context: .\n push: true\n tags: ${{ steps.meta.outputs.tags }}\n labels: ${{ steps.meta.outputs.labels }}<\/code><\/pre>\n\u0642\u0645 \u0628\u0639\u0645\u0644 commit \u0648\u062f\u0641\u0639 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0647\u0630\u0627. \u0623\u0646\u0634\u0626 \u0648\u0633\u0645 \u0625\u0635\u062f\u0627\u0631 \u0644\u062a\u0634\u063a\u064a\u0644\u0647:<\/p>\n
git add .\ngit commit -m \"Add unsigned build workflow\"\ngit push origin main\ngit tag v0.1.0\ngit push origin v0.1.0<\/code><\/pre>\n\u0628\u0645\u062c\u0631\u062f \u0627\u0643\u062a\u0645\u0627\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644\u060c \u0633\u062a\u0643\u0648\u0646 \u0635\u0648\u0631\u062a\u0643 \u0641\u064a GHCR \u2014 \u0644\u0643\u0646\u0647\u0627 \u0644\u0627 \u062a\u062d\u0645\u0644 \u0623\u064a \u062a\u0648\u0642\u064a\u0639 \u062a\u0634\u0641\u064a\u0631\u064a. \u064a\u0645\u0643\u0646 \u0644\u0623\u064a \u0634\u062e\u0635 \u0644\u062f\u064a\u0647 \u0635\u0644\u0627\u062d\u064a\u0629 \u0627\u0644\u0643\u062a\u0627\u0628\u0629 \u0639\u0644\u0649 \u0627\u0644\u0633\u062c\u0644 \u0627\u0633\u062a\u0628\u062f\u0627\u0644\u0647\u0627\u060c \u0648\u0644\u0646 \u064a\u0644\u0627\u062d\u0638 \u0623\u064a \u0634\u064a\u0621 \u0641\u064a \u0627\u0644\u0645\u0631\u0627\u062d\u0644 \u0627\u0644\u0644\u0627\u062d\u0642\u0629.<\/p>\n
\u0627\u0644\u062a\u0645\u0631\u064a\u0646 1: \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0645\u062d\u0644\u064a \u0628\u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d<\/h2>\n
\u0642\u0628\u0644 \u0627\u0644\u0627\u0646\u062a\u0642\u0627\u0644 \u0625\u0644\u0649 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0641\u064a CI\u060c \u0645\u0646 \u0627\u0644\u0645\u0641\u064a\u062f \u0641\u0647\u0645 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0627\u062a \u0645\u0646 \u062e\u0644\u0627\u0644 \u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631\u0629 \u0645\u062d\u0644\u064a\u0627\u064b \u0628\u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d \u0635\u0631\u064a\u062d.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u0625\u0646\u0634\u0627\u0621 \u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d Cosign<\/h3>\ncosign generate-key-pair<\/code><\/pre>\n\u064a\u0646\u0634\u0626 \u0647\u0630\u0627 \u0645\u0644\u0641\u064a\u0646 \u0641\u064a \u062f\u0644\u064a\u0644\u0643 \u0627\u0644\u062d\u0627\u0644\u064a:<\/p>\n
\ncosign.key<\/code> \u2014 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062e\u0627\u0635 (\u0645\u0634\u0641\u0631 \u0628\u0639\u0628\u0627\u0631\u0629 \u0645\u0631\u0648\u0631 \u062a\u062e\u062a\u0627\u0631\u0647\u0627).<\/li>\ncosign.pub<\/code> \u2014 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u0639\u0627\u0645 \u0627\u0644\u0630\u064a \u062a\u0648\u0632\u0639\u0647 \u0639\u0644\u0649 \u0627\u0644\u0645\u062a\u062d\u0642\u0642\u064a\u0646.<\/li>\n<\/ul>\n\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u0628\u0646\u0627\u0621 \u0648\u062f\u0641\u0639 \u0648\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0635\u0648\u0631\u0629<\/h3>\n# Build the image\ndocker build -t ghcr.io\/<your-username>\/cosign-lab:v1 .\n\n# Push to GHCR\ndocker push ghcr.io\/<your-username>\/cosign-lab:v1\n\n# Sign the image with your private key\ncosign sign --key cosign.key ghcr.io\/<your-username>\/cosign-lab:v1<\/code><\/pre>\n\u0627\u0633\u062a\u0628\u062f\u0644 <your-username><\/code> \u0628\u0627\u0633\u0645 \u0645\u0633\u062a\u062e\u062f\u0645 GitHub \u0627\u0644\u062e\u0627\u0635 \u0628\u0643. \u0633\u064a\u0637\u0644\u0628 Cosign \u0639\u0628\u0627\u0631\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0627\u0644\u062a\u064a \u062d\u062f\u062f\u062a\u0647\u0627 \u0623\u062b\u0646\u0627\u0621 \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0645\u0641\u062a\u0627\u062d.<\/p>\n\u0627\u0644\u062e\u0637\u0648\u0629 3 \u2014 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639<\/h3>\ncosign verify --key cosign.pub ghcr.io\/<your-username>\/cosign-lab:v1<\/code><\/pre>\n\u064a\u062c\u0628 \u0623\u0646 \u062a\u0631\u0649 \u0645\u062e\u0631\u062c\u0627\u062a \u0645\u0634\u0627\u0628\u0647\u0629 \u0644\u0640:<\/p>\n
Verification for ghcr.io\/<your-username>\/cosign-lab:v1 --\nThe following checks were performed on each of these signatures:\n - The cosign claims were validated\n - The signatures were verified against the specified public key\n\n[{\"critical\":{\"identity\":{\"docker-reference\":\"ghcr.io\/<your-username>\/cosign-lab\"},\"image\":{\"docker-manifest-digest\":\"sha256:abc123...\"},\"type\":\"cosign container image signature\"},\"optional\":null}]<\/code><\/pre>\n\u0623\u064a\u0646 \u064a\u062a\u0645 \u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u061f<\/h3>\n
\u064a\u062e\u0632\u0646 Cosign \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0643\u0642\u0637\u0639 OCI \u0641\u064a \u0646\u0641\u0633 \u0627\u0644\u0633\u062c\u0644\u060c \u0628\u062c\u0627\u0646\u0628 \u0627\u0644\u0635\u0648\u0631\u0629. \u0644\u0635\u0648\u0631\u0629 \u0645\u0648\u0633\u0648\u0645\u0629 \u0628\u0640 sha256:abc123<\/code>\u060c \u064a\u062f\u0641\u0639 Cosign \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0625\u0644\u0649 \u0648\u0633\u0645 \u0645\u0634\u062a\u0642 \u0645\u0646 \u0630\u0644\u0643 \u0627\u0644\u0645\u0644\u062e\u0635 \u2014 sha256-abc123.sig<\/code>. \u0647\u0630\u0627 \u064a\u0639\u0646\u064a:<\/p>\n\n- \u0644\u0627 \u062d\u0627\u062c\u0629 \u0644\u0628\u0646\u064a\u0629 \u062a\u062d\u062a\u064a\u0629 \u0645\u0646\u0641\u0635\u0644\u0629 \u0644\u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a.<\/li>\n
- \u062a\u0646\u062a\u0642\u0644 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0645\u0639 \u0627\u0644\u0635\u0648\u0631\u0629 \u0639\u0646\u062f \u0646\u0633\u062e \u0623\u0648 \u062a\u0643\u0631\u0627\u0631 \u0627\u0644\u0633\u062c\u0644\u0627\u062a.<\/li>\n
- \u062a\u0646\u0637\u0628\u0642 \u0636\u0648\u0627\u0628\u0637 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0633\u062c\u0644 \u0639\u0644\u0649 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0628\u0646\u0641\u0633 \u0627\u0644\u0637\u0631\u064a\u0642\u0629 \u0627\u0644\u062a\u064a \u062a\u0646\u0637\u0628\u0642 \u0628\u0647\u0627 \u0639\u0644\u0649 \u0627\u0644\u0635\u0648\u0631.<\/li>\n<\/ul>\n
\u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d \u064a\u0639\u0645\u0644\u060c \u0644\u0643\u0646\u0647 \u064a\u0641\u0631\u0636 \u0639\u0628\u0621 \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d: \u064a\u062c\u0628 \u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062e\u0627\u0635 \u0648\u062a\u062f\u0648\u064a\u0631\u0647 \u062f\u0648\u0631\u064a\u0627\u064b \u0648\u062a\u0648\u0632\u064a\u0639 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u0639\u0627\u0645 \u0639\u0644\u0649 \u0643\u0644 \u0645\u062a\u062d\u0642\u0642. \u0641\u064a \u0627\u0644\u062a\u0645\u0631\u064a\u0646 \u0627\u0644\u062a\u0627\u0644\u064a\u060c \u0633\u0646\u0632\u064a\u0644 \u0647\u0630\u0627 \u0627\u0644\u0639\u0628\u0621 \u062a\u0645\u0627\u0645\u0627\u064b \u0645\u0639 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d.<\/p>\n
\u0627\u0644\u062a\u0645\u0631\u064a\u0646 2: \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0641\u064a GitHub Actions<\/h2>\n
\u064a\u0632\u064a\u0644 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u062d\u0627\u062c\u0629 \u0625\u0644\u0649 \u0625\u0646\u0634\u0627\u0621 \u0623\u0648 \u062a\u062e\u0632\u064a\u0646 \u0623\u0648 \u062a\u062f\u0648\u064a\u0631 \u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u062a\u0648\u0642\u064a\u0639. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643\u060c \u064a\u0639\u062a\u0645\u062f \u0639\u0644\u0649 \u0634\u0647\u0627\u062f\u0627\u062a \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631 \u0635\u0627\u062f\u0631\u0629 \u0639\u0646 Fulcio<\/strong> \u0648\u0645\u0633\u062c\u0644\u0629 \u0641\u064a \u0633\u062c\u0644 \u0627\u0644\u0634\u0641\u0627\u0641\u064a\u0629 Rekor<\/strong>.<\/p>\n\u0643\u064a\u0641 \u064a\u0639\u0645\u0644 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d<\/h3>\n\n- \u0631\u0645\u0632 OIDC<\/strong> \u2014 \u064a\u0635\u062f\u0631 GitHub Actions \u0631\u0645\u0632 \u0647\u0648\u064a\u0629 OIDC \u064a\u062b\u0628\u062a \u0647\u0648\u064a\u0629 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 (\u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u060c \u0645\u0644\u0641 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644\u060c \u0627\u0644\u0645\u0631\u062c\u0639\u060c \u0648\u0627\u0644\u0645\u0632\u064a\u062f).<\/li>\n
- \u0634\u0647\u0627\u062f\u0629 Fulcio<\/strong> \u2014 \u064a\u0631\u0633\u0644 Cosign \u0631\u0645\u0632 OIDC \u0647\u0630\u0627 \u0625\u0644\u0649 Fulcio\u060c \u0627\u0644\u0630\u064a \u064a\u0635\u062f\u0631 \u0634\u0647\u0627\u062f\u0629 \u062a\u0648\u0642\u064a\u0639 X.509 \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631 \u0645\u0631\u062a\u0628\u0637\u0629 \u0628\u0647\u0648\u064a\u0629 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644.<\/li>\n
- \u0627\u0644\u062a\u0648\u0642\u064a\u0639<\/strong> \u2014 \u064a\u0648\u0642\u0639 Cosign \u0645\u0644\u062e\u0635 \u0627\u0644\u0635\u0648\u0631\u0629 \u0628\u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062e\u0627\u0635 \u0627\u0644\u0645\u0624\u0642\u062a \u0627\u0644\u0645\u0642\u0627\u0628\u0644 \u0644\u0634\u0647\u0627\u062f\u0629 Fulcio.<\/li>\n
- \u0633\u062c\u0644 \u0634\u0641\u0627\u0641\u064a\u0629 Rekor<\/strong> \u2014 \u064a\u062a\u0645 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0648\u0627\u0644\u0634\u0647\u0627\u062f\u0629 \u0641\u064a Rekor \u062d\u062a\u0649 \u064a\u062a\u0645\u0643\u0646 \u0623\u064a \u0634\u062e\u0635 \u0645\u0646 \u0645\u0631\u0627\u062c\u0639\u0629 \u0645\u062a\u0649 \u0648\u0645\u0646 \u0642\u0627\u0645 \u0628\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0635\u0648\u0631\u0629.<\/li>\n
- \u0627\u0644\u062a\u062e\u0644\u0635 \u0645\u0646 \u0627\u0644\u0645\u0641\u062a\u0627\u062d<\/strong> \u2014 \u064a\u062a\u0645 \u0627\u0644\u062a\u062e\u0644\u0635 \u0645\u0646 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062e\u0627\u0635 \u0627\u0644\u0645\u0624\u0642\u062a \u0641\u0648\u0631\u0627\u064b. \u064a\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u062a\u062d\u0642\u0642 \u0627\u0644\u0634\u0647\u0627\u062f\u0629 \u0648\u0625\u062f\u062e\u0627\u0644 Rekor\u060c \u0648\u0644\u064a\u0633 \u0645\u0641\u062a\u0627\u062d\u0627\u064b \u0639\u0627\u0645\u0627\u064b \u0637\u0648\u064a\u0644 \u0627\u0644\u0639\u0645\u0631.<\/li>\n<\/ol>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u0625\u0646\u0634\u0627\u0621 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0627\u0644\u062a\u0648\u0642\u064a\u0639<\/h3>\n
\u0623\u0646\u0634\u0626 .github\/workflows\/sign.yml<\/code>:<\/p>\nname: Build, Push, and Sign\n\non:\n push:\n tags:\n - 'v*'\n\nenv:\n REGISTRY: ghcr.io\n IMAGE_NAME: ${{ github.repository }}\n\njobs:\n build-and-sign:\n runs-on: ubuntu-latest\n permissions:\n contents: read\n packages: write\n id-token: write # Required for keyless signing via OIDC\n\n steps:\n - name: Checkout code\n uses: actions\/checkout@v4\n\n - name: Install Cosign\n uses: sigstore\/cosign-installer@v3\n\n - name: Log in to GHCR\n uses: docker\/login-action@v3\n with:\n registry: ${{ env.REGISTRY }}\n username: ${{ github.actor }}\n password: ${{ secrets.GITHUB_TOKEN }}\n\n - name: Extract metadata\n id: meta\n uses: docker\/metadata-action@v5\n with:\n images: ${{ env.REGISTRY }}\/${{ env.IMAGE_NAME }}\n\n - name: Build and push\n id: build\n uses: docker\/build-push-action@v5\n with:\n context: .\n push: true\n tags: ${{ steps.meta.outputs.tags }}\n labels: ${{ steps.meta.outputs.labels }}\n\n - name: Sign the image\n run: |\n cosign sign --yes \\\n ${{ env.REGISTRY }}\/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}<\/code><\/pre>\n\u0627\u0644\u062a\u0641\u0627\u0635\u064a\u0644 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629 \u0641\u064a \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0647\u0630\u0627<\/h3>\n\nid-token: write<\/code> \u2014 \u0647\u0630\u0627 \u0627\u0644\u0625\u0630\u0646 \u064a\u0633\u0645\u062d \u0644\u0644\u0645\u0634\u063a\u0644 \u0628\u0637\u0644\u0628 \u0631\u0645\u0632 OIDC \u0645\u0646 GitHub\u060c \u0627\u0644\u0630\u064a \u064a\u0633\u062a\u062e\u062f\u0645\u0647 Fulcio \u0644\u0625\u0635\u062f\u0627\u0631 \u0634\u0647\u0627\u062f\u0629 \u0627\u0644\u062a\u0648\u0642\u064a\u0639.<\/li>\npackages: write<\/code> \u2014 \u0645\u0637\u0644\u0648\u0628 \u0644\u062f\u0641\u0639 \u0627\u0644\u0635\u0648\u0631\u0629 \u0648\u062a\u0648\u0642\u064a\u0639\u0647\u0627 \u0625\u0644\u0649 GHCR.<\/li>\ncosign sign --yes<\/code> \u2014 \u0639\u0644\u0645 --yes<\/code> \u064a\u0624\u0643\u062f \u0627\u0644\u0648\u0636\u0639 \u063a\u064a\u0631 \u0627\u0644\u062a\u0641\u0627\u0639\u0644\u064a (\u0628\u062f\u0648\u0646 \u0637\u0644\u0628 \u0645\u0648\u0627\u0641\u0642\u0629 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d). \u0639\u062f\u0645 \u0648\u062c\u0648\u062f \u0639\u0644\u0645 --key<\/code> \u064a\u0639\u0646\u064a \u0623\u0646 Cosign \u064a\u0633\u062a\u062e\u062f\u0645 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d.<\/li>\n- \u0646\u0648\u0642\u0639 \u0628\u0627\u0644\u0645\u0644\u062e\u0635 (
@sha256:...<\/code>) \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u0648\u0633\u0645 \u0644\u0636\u0645\u0627\u0646 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0635\u0648\u0631\u0629 \u0646\u0641\u0633\u0647\u0627 \u0627\u0644\u062a\u064a \u0628\u0646\u064a\u0646\u0627\u0647\u0627 \u0644\u0644\u062a\u0648.<\/li>\n<\/ul>\n\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u0627\u0644\u062f\u0641\u0639 \u0648\u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644<\/h3>\ngit add .github\/workflows\/sign.yml\ngit commit -m \"Add keyless signing workflow\"\ngit push origin main\ngit tag v1.0.0\ngit push origin v1.0.0<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 3 \u2014 \u0645\u0631\u0627\u062c\u0639\u0629 \u0633\u062c\u0644\u0627\u062a Actions<\/h3>\n
\u0641\u064a \u062e\u0637\u0648\u0629 “Sign the image” \u0633\u062a\u0631\u0649 \u0645\u062e\u0631\u062c\u0627\u062a \u0645\u0634\u0627\u0628\u0647\u0629 \u0644\u0640:<\/p>\n
Generating ephemeral keys...\nRetrieving signed certificate...\n\n The sigstore community wants to hear from you! Connect with us at\n https:\/\/links.sigstore.dev\/slack-invite\n\nSuccessfully verified SCT...\ntlog entry created with index: 45678901\nPushing signature to: ghcr.io\/<your-username>\/cosign-lab:sha256-a1b2c3d4.sig<\/code><\/pre>\n\u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0622\u0646 \u0645\u0648\u0642\u0639\u0629 \u0628\u0634\u0647\u0627\u062f\u0629 \u062a\u0631\u0628\u0637\u0647\u0627 \u062a\u0634\u0641\u064a\u0631\u064a\u0627\u064b \u0628\u0647\u0648\u064a\u0629 \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0627\u0644\u062e\u0627\u0635 \u0628\u0643. \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0648\u0627\u0644\u0634\u0647\u0627\u062f\u0629 \u0645\u0633\u062c\u0644\u0627\u0646 \u0628\u0634\u0643\u0644 \u062f\u0627\u0626\u0645 \u0641\u064a \u0633\u062c\u0644 \u0634\u0641\u0627\u0641\u064a\u0629 Rekor.<\/p>\n
\u0627\u0644\u062a\u0645\u0631\u064a\u0646 3: \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0645\u062d\u0644\u064a\u0627\u064b<\/h2>\n
\u064a\u062a\u0637\u0644\u0628 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0635\u0648\u0631\u0629 \u0645\u0648\u0642\u0639\u0629 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0645\u0639\u0644\u0648\u0645\u062a\u064a\u0646: \u0647\u0648\u064a\u0629 \u0627\u0644\u0634\u0647\u0627\u062f\u0629<\/strong> (\u0645\u0646 \u0648\u0642\u0639) \u0648 \u0645\u064f\u0635\u062f\u0631 OIDC<\/strong> (\u0645\u0646 \u0636\u0645\u0646 \u062a\u0644\u0643 \u0627\u0644\u0647\u0648\u064a\u0629).<\/p>\n\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0645\u0648\u0642\u0639\u0629<\/h3>\ncosign verify \\\n --certificate-identity \"https:\/\/github.com\/<your-username>\/cosign-lab\/.github\/workflows\/sign.yml@refs\/tags\/v1.0.0\" \\\n --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n ghcr.io\/<your-username>\/cosign-lab:v1.0.0<\/code><\/pre>\n\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0646\u0627\u062c\u062d\u0629:<\/p>\n
Verification for ghcr.io\/<your-username>\/cosign-lab:v1.0.0 --\nThe following checks were performed on each of these signatures:\n - The cosign claims were validated\n - Existence of the claims in the transparency log was verified offline\n - The code-signing certificate was verified using trusted certificate authority\n - The signatures were verified against the specified public key\n - The signature was verified against a valid Fulcio certificate\n\n[{\"critical\":{\"identity\":{\"docker-reference\":\"ghcr.io\/<your-username>\/cosign-lab\"},\"image\":{\"docker-manifest-digest\":\"sha256:a1b2c3d4...\"},\"type\":\"cosign container image signature\"},\"optional\":{...}}]<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u0627\u0644\u062a\u062d\u0642\u0642 \u0628\u0647\u0648\u064a\u0629 \u063a\u064a\u0631 \u0635\u062d\u064a\u062d\u0629 (\u062a\u0648\u0642\u0639 \u0627\u0644\u0641\u0634\u0644)<\/h3>\ncosign verify \\\n --certificate-identity \"https:\/\/github.com\/attacker\/malicious-repo\/.github\/workflows\/build.yml@refs\/tags\/v1.0.0\" \\\n --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n ghcr.io\/<your-username>\/cosign-lab:v1.0.0<\/code><\/pre>\n\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a:<\/p>\n
Error: no matching signatures:\nnone of the expected identities matched what was in the certificate<\/code><\/pre>\n\u0647\u0630\u0627 \u064a\u0624\u0643\u062f \u0623\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0645\u0631\u062a\u0628\u0637\u0629 \u0628\u0627\u0644\u0647\u0648\u064a\u0629. \u062d\u062a\u0649 \u0644\u0648 \u062a\u0645\u0643\u0646 \u0634\u062e\u0635 \u0645\u0627 \u0645\u0646 \u062f\u0641\u0639 \u062a\u0648\u0642\u064a\u0639\u060c \u0641\u0644\u0646 \u064a\u062c\u062a\u0627\u0632 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0627 \u0644\u0645 \u064a\u0643\u0646 \u0645\u0648\u0642\u0639\u0627\u064b \u0645\u0646 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0645\u062d\u062f\u062f \u0627\u0644\u0630\u064a \u062a\u062d\u062f\u062f\u0647.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 3 \u2014 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0635\u0648\u0631\u0629 \u063a\u064a\u0631 \u0645\u0648\u0642\u0639\u0629 (\u062a\u0648\u0642\u0639 \u0627\u0644\u0641\u0634\u0644)<\/h3>\ncosign verify \\\n --certificate-identity \"https:\/\/github.com\/<your-username>\/cosign-lab\/.github\/workflows\/sign.yml@refs\/tags\/v0.1.0\" \\\n --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n ghcr.io\/<your-username>\/cosign-lab:v0.1.0<\/code><\/pre>\n\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a:<\/p>\n
Error: no matching signatures\nno signatures found for image<\/code><\/pre>\n\u0635\u0648\u0631\u0629 v0.1.0 \u062a\u0645 \u0628\u0646\u0627\u0624\u0647\u0627 \u0628\u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u063a\u064a\u0631 \u0627\u0644\u0645\u0648\u0642\u0639 \u0645\u0646 \u0642\u0633\u0645 \u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0628\u064a\u0626\u0629\u060c \u0644\u0630\u0644\u0643 \u0644\u0627 \u064a\u0648\u062c\u062f \u062a\u0648\u0642\u064a\u0639.<\/p>\n
\u0641\u0647\u0645 \u062d\u0642\u0648\u0644 \u0627\u0644\u0634\u0647\u0627\u062f\u0629<\/h3>\n
\u0639\u0646\u062f \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d\u060c \u064a\u0641\u062d\u0635 Cosign \u0639\u062f\u0629 \u062d\u0642\u0648\u0644 \u0645\u0636\u0645\u0646\u0629 \u0641\u064a \u0634\u0647\u0627\u062f\u0629 Fulcio:<\/p>\n
\n- \u0627\u0644\u0645\u064f\u0635\u062f\u0631<\/strong> (
certificate-oidc-issuer<\/code>) \u2014 \u0645\u0632\u0648\u062f OIDC \u0627\u0644\u0630\u064a \u0635\u0627\u062f\u0642 \u0639\u0644\u0649 \u0627\u0644\u0645\u0648\u0642\u0650\u0651\u0639. \u0628\u0627\u0644\u0646\u0633\u0628\u0629 \u0644\u0640 GitHub Actions \u0647\u0630\u0627 \u062f\u0627\u0626\u0645\u0627\u064b https:\/\/token.actions.githubusercontent.com<\/code>.<\/li>\n- \u0627\u0644\u0645\u0648\u0636\u0648\u0639 \/ \u0627\u0644\u0647\u0648\u064a\u0629<\/strong> (
certificate-identity<\/code>) \u2014 \u0645\u0631\u062c\u0639 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0643\u0627\u0645\u0644 \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u0648\u0645\u0633\u0627\u0631 \u0645\u0644\u0641 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0648\u0645\u0631\u062c\u0639 Git. \u0647\u0630\u0627 \u064a\u0631\u0628\u0637 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u0633\u064a\u0631 \u0639\u0645\u0644 \u0645\u062d\u062f\u062f \u0639\u0646\u062f commit \u0623\u0648 \u0648\u0633\u0645 \u0645\u062d\u062f\u062f.<\/li>\n- \u0627\u0645\u062a\u062f\u0627\u062f\u0627\u062a GitHub Workflow<\/strong> \u2014 \u062a\u062d\u062a\u0648\u064a \u0627\u0644\u0634\u0647\u0627\u062f\u0629 \u0623\u064a\u0636\u0627\u064b \u0639\u0644\u0649 \u0627\u0645\u062a\u062f\u0627\u062f\u0627\u062a OID \u0645\u062e\u0635\u0635\u0629 \u0644\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u0648 SHA \u0644\u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0648\u062d\u062f\u062b \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0648\u0628\u064a\u0626\u0629 \u0627\u0644\u0645\u0634\u063a\u0644. \u062a\u0633\u0645\u062d \u0647\u0630\u0647 \u0628\u0633\u064a\u0627\u0633\u0627\u062a \u062a\u062d\u0642\u0642 \u062f\u0642\u064a\u0642\u0629.<\/li>\n<\/ul>\n
\u064a\u0645\u0643\u0646\u0643 \u0623\u064a\u0636\u0627\u064b \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0645\u0637\u0627\u0628\u0642\u0629 regex \u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0623\u0643\u062b\u0631 \u0645\u0631\u0648\u0646\u0629:<\/p>\n
cosign verify \\\n --certificate-identity-regexp \"https:\/\/github.com\/<your-username>\/cosign-lab\/.*\" \\\n --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n ghcr.io\/<your-username>\/cosign-lab:v1.0.0<\/code><\/pre>\n\u0647\u0630\u0627 \u0645\u0641\u064a\u062f \u0639\u0646\u062f\u0645\u0627 \u062a\u0631\u064a\u062f \u0642\u0628\u0648\u0644 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0645\u0646 \u0623\u064a \u0633\u064a\u0631 \u0639\u0645\u0644 \u0641\u064a \u0645\u0633\u062a\u0648\u062f\u0639\u060c \u0623\u0648 \u0645\u0646 \u0623\u064a \u0648\u0633\u0645.<\/p>\n
\u0627\u0644\u062a\u0645\u0631\u064a\u0646 4: \u0627\u0644\u062a\u062d\u0642\u0642 \u0641\u064a Kubernetes \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Kyverno<\/h2>\n
\u0627\u0644\u062a\u062d\u0642\u0642 \u0627\u0644\u0645\u062d\u0644\u064a \u0645\u0641\u064a\u062f \u0644\u062a\u0635\u062d\u064a\u062d \u0627\u0644\u0623\u062e\u0637\u0627\u0621\u060c \u0644\u0643\u0646 \u0645\u062c\u0645\u0648\u0639\u0627\u062a \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0641\u0631\u0636 \u0622\u0644\u064a. Kyverno \u0647\u0648 \u0648\u062d\u062f\u0629 \u062a\u062d\u0643\u0645 \u0642\u0628\u0648\u0644 \u0641\u064a Kubernetes \u064a\u0645\u0643\u0646\u0647\u0627 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u062a\u0648\u0642\u064a\u0639\u0627\u062a Cosign \u0639\u0644\u0649 \u0643\u0644 \u0637\u0644\u0628 \u0642\u0628\u0648\u0644 pod.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u062a\u062b\u0628\u064a\u062a Kyverno<\/h3>\nhelm repo add kyverno https:\/\/kyverno.github.io\/kyverno\/\nhelm repo update\nhelm install kyverno kyverno\/kyverno -n kyverno --create-namespace<\/code><\/pre>\n\u0627\u0646\u062a\u0638\u0631 \u062d\u062a\u0649 \u062a\u0635\u0628\u062d pods \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0640 Kyverno \u062c\u0627\u0647\u0632\u0629:<\/p>\n
kubectl wait --for=condition=ready pod -l app.kubernetes.io\/instance=kyverno -n kyverno --timeout=120s<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u0625\u0646\u0634\u0627\u0621 \u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0635\u0648\u0631<\/h3>\n
\u0627\u062d\u0641\u0638 \u0645\u0627 \u064a\u0644\u064a \u0628\u0627\u0633\u0645 require-signed-images.yml<\/code>:<\/p>\napiVersion: kyverno.io\/v1\nkind: ClusterPolicy\nmetadata:\n name: require-cosign-signature\nspec:\n validationFailureAction: Enforce\n background: false\n rules:\n - name: verify-cosign-signature\n match:\n any:\n - resources:\n kinds:\n - Pod\n verifyImages:\n - imageReferences:\n - \"ghcr.io\/<your-username>\/cosign-lab:*\"\n attestors:\n - entries:\n - keyless:\n subject: \"https:\/\/github.com\/<your-username>\/cosign-lab\/.github\/workflows\/sign.yml@refs\/tags\/*\"\n issuer: \"https:\/\/token.actions.githubusercontent.com\"\n rekor:\n url: \"https:\/\/rekor.sigstore.dev\"<\/code><\/pre>\n\u0637\u0628\u0642 \u0627\u0644\u0633\u064a\u0627\u0633\u0629:<\/p>\n
kubectl apply -f require-signed-images.yml<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 3 \u2014 \u0627\u062e\u062a\u0628\u0627\u0631 \u0628\u0635\u0648\u0631\u0629 \u0645\u0648\u0642\u0639\u0629 (\u064a\u062c\u0628 \u0623\u0646 \u064a\u0646\u062c\u062d)<\/h3>\nkubectl run signed-app \\\n --image=ghcr.io\/<your-username>\/cosign-lab:v1.0.0 \\\n --restart=Never<\/code><\/pre>\n\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629:<\/p>\n
pod\/signed-app created<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 4 \u2014 \u0627\u062e\u062a\u0628\u0627\u0631 \u0628\u0635\u0648\u0631\u0629 \u063a\u064a\u0631 \u0645\u0648\u0642\u0639\u0629 (\u064a\u062c\u0628 \u0623\u0646 \u064a\u0641\u0634\u0644)<\/h3>\nkubectl run unsigned-app \\\n --image=ghcr.io\/<your-username>\/cosign-lab:v0.1.0 \\\n --restart=Never<\/code><\/pre>\n\u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629:<\/p>\n
Error from server: admission webhook \"mutate.kyverno.svc-fail\" denied the request:\nresource Pod\/default\/unsigned-app was blocked due to the following policies:\n\nrequire-cosign-signature:\n verify-cosign-signature: |\n image verification failed for ghcr.io\/<your-username>\/cosign-lab:v0.1.0:\n no matching signatures found<\/code><\/pre>\n\u0647\u0630\u0627 \u0647\u0648 \u0628\u0627\u0644\u0636\u0628\u0637 \u062d\u0644\u0642\u0629 \u0627\u0644\u0641\u0631\u0636 \u0627\u0644\u062a\u064a \u062a\u0631\u064a\u062f\u0647\u0627: \u0641\u0642\u0637 \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0645\u0648\u0642\u0639\u0629 \u0645\u0646 \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0627\u0644\u0645\u0648\u062b\u0648\u0642 \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u064a\u064f\u0633\u0645\u062d \u0644\u0647\u0627 \u0628\u0627\u0644\u062f\u062e\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0645\u062c\u0645\u0648\u0639\u0629.<\/p>\n
\u0627\u0644\u062a\u0645\u0631\u064a\u0646 5: \u0625\u0631\u0641\u0627\u0642 SBOM<\/h2>\n
\u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u064a\u062b\u0628\u062a \u0645\u0646 \u0628\u0646\u0649 \u0627\u0644\u0635\u0648\u0631\u0629. \u0634\u0647\u0627\u062f\u0629 SBOM \u062a\u062b\u0628\u062a \u0645\u0627 \u0628\u062f\u0627\u062e\u0644\u0647\u0627. \u0627\u0644\u062c\u0645\u0639 \u0628\u064a\u0646\u0647\u0645\u0627 \u064a\u0645\u0646\u062d\u0643 \u0633\u0644\u0633\u0644\u0629 \u062b\u0642\u0629 \u0643\u0627\u0645\u0644\u0629: \u0627\u0644\u0647\u0648\u064a\u0629 \u0648\u0627\u0644\u0646\u0632\u0627\u0647\u0629 \u0648\u0634\u0641\u0627\u0641\u064a\u0629 \u0627\u0644\u0645\u062d\u062a\u0648\u0649.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1 \u2014 \u0625\u0646\u0634\u0627\u0621 SBOM \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Syft<\/h3>\nsyft ghcr.io\/<your-username>\/cosign-lab:v1.0.0 -o spdx-json > sbom.spdx.json<\/code><\/pre>\n\u064a\u0642\u0648\u0645 \u0647\u0630\u0627 \u0628\u0645\u0633\u062d \u0637\u0628\u0642\u0627\u062a \u0627\u0644\u0635\u0648\u0631\u0629 \u0648\u0625\u0646\u062a\u0627\u062c \u0645\u0633\u062a\u0646\u062f JSON \u0628\u062a\u0646\u0633\u064a\u0642 SPDX \u064a\u0633\u0631\u062f \u0643\u0644 \u062d\u0632\u0645\u0629 \u0648\u0645\u0643\u062a\u0628\u0629 \u0648\u062a\u0628\u0639\u064a\u0629 \u062f\u0627\u062e\u0644 \u0627\u0644\u0635\u0648\u0631\u0629.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 2 \u2014 \u0625\u0631\u0641\u0627\u0642 SBOM \u0643\u0634\u0647\u0627\u062f\u0629<\/h3>\ncosign attest \\\n --predicate sbom.spdx.json \\\n --type spdxjson \\\n --yes \\\n ghcr.io\/<your-username>\/cosign-lab:v1.0.0<\/code><\/pre>\n\u0645\u062b\u0644 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d\u060c \u064a\u0633\u062a\u062e\u062f\u0645 \u0647\u0630\u0627 \u0627\u0644\u0647\u0648\u064a\u0629 \u0627\u0644\u0645\u0628\u0646\u064a\u0629 \u0639\u0644\u0649 OIDC \u0639\u0646\u062f \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0641\u064a GitHub Actions \u0623\u0648 \u064a\u0637\u0644\u0628 \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u0627\u0644\u062a\u0641\u0627\u0639\u0644\u064a\u0629 \u0639\u0646\u062f \u0627\u0644\u062a\u0634\u063a\u064a\u0644 \u0645\u062d\u0644\u064a\u0627\u064b. \u064a\u062a\u0645 \u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u0634\u0647\u0627\u062f\u0629 \u0643\u0642\u0637\u0639\u0629 OCI \u0628\u062c\u0627\u0646\u0628 \u0627\u0644\u0635\u0648\u0631\u0629.<\/p>\n
\u0627\u0644\u062e\u0637\u0648\u0629 3 \u2014 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0634\u0647\u0627\u062f\u0629<\/h3>\ncosign verify-attestation \\\n --type spdxjson \\\n --certificate-identity \"https:\/\/github.com\/<your-username>\/cosign-lab\/.github\/workflows\/sign.yml@refs\/tags\/v1.0.0\" \\\n --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n ghcr.io\/<your-username>\/cosign-lab:v1.0.0<\/code><\/pre>\n\u0627\u0644\u062a\u062d\u0642\u0642 \u0627\u0644\u0646\u0627\u062c\u062d \u064a\u0624\u0643\u062f \u0623\u0646 SBOM \u062a\u0645 \u0625\u0646\u0634\u0627\u0624\u0647 \u0648\u0625\u0631\u0641\u0627\u0642\u0647 \u0628\u0648\u0627\u0633\u0637\u0629 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0645\u0648\u062b\u0648\u0642 \u0627\u0644\u062e\u0627\u0635 \u0628\u0643\u060c \u0648\u0623\u0646\u0647 \u0644\u0645 \u064a\u062a\u0645 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0647 \u0645\u0646\u0630 \u0630\u0644\u0643 \u0627\u0644\u062d\u064a\u0646.<\/p>\n
\u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0643\u0627\u0645\u0644<\/h2>\n
\u0625\u0644\u064a\u0643 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0646\u0647\u0627\u0626\u064a \u0627\u0644\u0630\u064a \u064a\u062c\u0645\u0639 \u0643\u0644 \u0634\u064a\u0621: \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u062f\u0641\u0639 \u0648\u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0648\u0625\u0646\u0634\u0627\u0621 SBOM \u0648\u062a\u0648\u062b\u064a\u0642\u0647. \u0627\u062d\u0641\u0638 \u0647\u0630\u0627 \u0628\u0627\u0633\u0645 .github\/workflows\/sign-and-attest.yml<\/code>:<\/p>\nname: Build, Sign, and Attest\n\non:\n push:\n tags:\n - 'v*'\n\nenv:\n REGISTRY: ghcr.io\n IMAGE_NAME: ${{ github.repository }}\n\njobs:\n build-sign-attest:\n runs-on: ubuntu-latest\n permissions:\n contents: read\n packages: write\n id-token: write\n\n steps:\n - name: Checkout code\n uses: actions\/checkout@v4\n\n - name: Install Cosign\n uses: sigstore\/cosign-installer@v3\n\n - name: Install Syft\n uses: anchore\/sbom-action\/download-syft@v0\n\n - name: Log in to GHCR\n uses: docker\/login-action@v3\n with:\n registry: ${{ env.REGISTRY }}\n username: ${{ github.actor }}\n password: ${{ secrets.GITHUB_TOKEN }}\n\n - name: Extract metadata\n id: meta\n uses: docker\/metadata-action@v5\n with:\n images: ${{ env.REGISTRY }}\/${{ env.IMAGE_NAME }}\n\n - name: Build and push\n id: build\n uses: docker\/build-push-action@v5\n with:\n context: .\n push: true\n tags: ${{ steps.meta.outputs.tags }}\n labels: ${{ steps.meta.outputs.labels }}\n\n - name: Sign the image\n run: |\n cosign sign --yes \\\n ${{ env.REGISTRY }}\/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}\n\n - name: Generate SBOM\n run: |\n syft ${{ env.REGISTRY }}\/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} \\\n -o spdx-json > sbom.spdx.json\n\n - name: Attest SBOM\n run: |\n cosign attest --yes \\\n --predicate sbom.spdx.json \\\n --type spdxjson \\\n ${{ env.REGISTRY }}\/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}\n\n - name: Verify signature\n run: |\n cosign verify \\\n --certificate-identity-regexp \"https:\/\/github.com\/${{ github.repository }}\/.*\" \\\n --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n ${{ env.REGISTRY }}\/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}\n\n - name: Verify SBOM attestation\n run: |\n cosign verify-attestation \\\n --type spdxjson \\\n --certificate-identity-regexp \"https:\/\/github.com\/${{ github.repository }}\/.*\" \\\n --certificate-oidc-issuer \"https:\/\/token.actions.githubusercontent.com\" \\\n ${{ env.REGISTRY }}\/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}<\/code><\/pre>\n\u064a\u0645\u0646\u062d\u0643 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0647\u0630\u0627 \u0633\u0644\u0633\u0644\u0629 \u062b\u0642\u0629 \u0643\u0627\u0645\u0644\u0629 \u0644\u0643\u0644 \u0625\u0635\u062f\u0627\u0631 \u0645\u0648\u0633\u0648\u0645: \u0627\u0644\u0635\u0648\u0631\u0629 \u0645\u0648\u0642\u0639\u0629\u060c \u0648\u0645\u062d\u062a\u0648\u064a\u0627\u062a\u0647\u0627 \u0645\u0648\u062b\u0642\u0629 \u0641\u064a SBOM\u060c \u0648 SBOM \u0645\u0634\u0647\u0648\u062f \u0639\u0644\u064a\u0647 \u062a\u0634\u0641\u064a\u0631\u064a\u0627\u064b \u2014 \u0643\u0644 \u0630\u0644\u0643 \u0628\u062f\u0648\u0646 \u0625\u062f\u0627\u0631\u0629 \u0645\u0641\u062a\u0627\u062d \u0648\u0627\u062d\u062f \u0637\u0648\u064a\u0644 \u0627\u0644\u0639\u0645\u0631.<\/p>\n
\u0627\u0644\u062a\u0646\u0638\u064a\u0641<\/h2>\n
\u0639\u0646\u062f \u0627\u0644\u0627\u0646\u062a\u0647\u0627\u0621 \u0645\u0646 \u0627\u0644\u0645\u0639\u0645\u0644\u060c \u0646\u0638\u0641 \u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0627\u0644\u062a\u064a \u0623\u0646\u0634\u0623\u062a\u0647\u0627.<\/p>\n
\u062d\u0630\u0641 \u0635\u0648\u0631 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0645\u0646 GHCR<\/h3>\n
\u0627\u0646\u062a\u0642\u0644 \u0625\u0644\u0649 https:\/\/github.com\/<your-username>?tab=packages<\/code> \u0648\u0627\u062d\u0630\u0641 \u062d\u0632\u0645\u0629 cosign-lab<\/code>\u060c \u0623\u0648 \u0627\u0633\u062a\u062e\u062f\u0645 GitHub CLI:<\/p>\n# List package versions\ngh api user\/packages\/container\/cosign-lab\/versions | jq '.[].id'\n\n# Delete each version\ngh api --method DELETE user\/packages\/container\/cosign-lab\/versions\/<version-id><\/code><\/pre>\n\u0625\u0632\u0627\u0644\u0629 Kyverno<\/h3>\nkubectl delete clusterpolicy require-cosign-signature\nhelm uninstall kyverno -n kyverno\nkubectl delete namespace kyverno<\/code><\/pre>\n\u062d\u0630\u0641 \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631<\/h3>\ngh repo delete <your-username>\/cosign-lab --yes<\/code><\/pre>\n\u0625\u0632\u0627\u0644\u0629 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0645\u062d\u0644\u064a\u0629<\/h3>\ncd .. && rm -rf cosign-lab\nrm -f cosign.key cosign.pub<\/code><\/pre>\n\u0627\u0644\u0646\u0642\u0627\u0637 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629<\/h2>\n\n- \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u064a\u0632\u064a\u0644 \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d.<\/strong> \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0631\u0645\u0648\u0632 \u0647\u0648\u064a\u0629 OIDC \u0645\u0646 GitHub Actions \u0648\u0634\u0647\u0627\u062f\u0627\u062a Fulcio \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631\u060c \u062a\u062a\u062c\u0646\u0628 \u0627\u0644\u0639\u0628\u0621 \u0627\u0644\u062a\u0634\u063a\u064a\u0644\u064a \u0644\u0625\u0646\u0634\u0627\u0621 \u0648\u062a\u062e\u0632\u064a\u0646 \u0648\u062a\u062f\u0648\u064a\u0631 \u0648\u062a\u0648\u0632\u064a\u0639 \u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u062a\u0648\u0642\u064a\u0639.<\/li>\n
- \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0645\u0631\u062a\u0628\u0637\u0629 \u0628\u0627\u0644\u0647\u0648\u064a\u0629\u060c \u0648\u0644\u064a\u0633 \u0628\u0627\u0644\u0645\u0641\u062a\u0627\u062d.<\/strong> \u064a\u062a\u062d\u0642\u0642 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0630\u064a \u0648\u0642\u0639 \u0627\u0644\u0635\u0648\u0631\u0629 (\u0623\u064a \u0633\u064a\u0631 \u0639\u0645\u0644\u060c \u0641\u064a \u0623\u064a \u0645\u0633\u062a\u0648\u062f\u0639\u060c \u0639\u0646\u062f \u0623\u064a \u0645\u0631\u062c\u0639) \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0623\u064a \u0645\u0641\u062a\u0627\u062d \u062a\u0645 \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0647. \u0647\u0630\u0627 \u064a\u062c\u0639\u0644 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0623\u0643\u062b\u0631 \u0633\u0647\u0648\u0644\u0629 \u0648\u0642\u0627\u0628\u0644\u064a\u0629 \u0644\u0644\u0645\u0631\u0627\u062c\u0639\u0629.<\/li>\n
- \u0633\u062c\u0644 \u0634\u0641\u0627\u0641\u064a\u0629 Rekor \u064a\u0648\u0641\u0631 \u0645\u0633\u0627\u0631 \u0645\u0631\u0627\u062c\u0639\u0629 \u0645\u0642\u0627\u0648\u0645 \u0644\u0644\u062a\u0644\u0627\u0639\u0628.<\/strong> \u0643\u0644 \u062a\u0648\u0642\u064a\u0639 \u0645\u0633\u062c\u0644 \u0639\u0644\u0646\u064a\u0627\u064b\u060c \u062d\u062a\u0649 \u062a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0625\u062b\u0628\u0627\u062a \u0645\u062a\u0649 \u062a\u0645 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0635\u0648\u0631\u0629 \u0648\u0627\u0643\u062a\u0634\u0627\u0641 \u0623\u064a \u0645\u062d\u0627\u0648\u0644\u0629 \u0644\u062a\u0623\u062e\u064a\u0631 \u0627\u0644\u062a\u0627\u0631\u064a\u062e \u0623\u0648 \u0625\u0632\u0627\u0644\u0629 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a.<\/li>\n
- \u0648\u062d\u062f\u0627\u062a \u062a\u062d\u0643\u0645 \u0627\u0644\u0642\u0628\u0648\u0644 \u062a\u0641\u0631\u0636 \u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0639\u0646\u062f \u0648\u0642\u062a \u0627\u0644\u0646\u0634\u0631.<\/strong> Kyverno (\u0623\u0648 \u0628\u062f\u0627\u0626\u0644 \u0645\u062b\u0644 Connaisseur \u0623\u0648 Sigstore Policy Controller) \u064a\u0636\u0645\u0646 \u0623\u0646 \u0627\u0644\u0635\u0648\u0631 \u063a\u064a\u0631 \u0627\u0644\u0645\u0648\u0642\u0639\u0629 \u0623\u0648 \u0627\u0644\u0645\u0648\u0642\u0639\u0629 \u0628\u0634\u0643\u0644 \u063a\u064a\u0631 \u0635\u062d\u064a\u062d \u0644\u0627 \u062a\u0639\u0645\u0644 \u0623\u0628\u062f\u0627\u064b \u0641\u064a \u0645\u062c\u0645\u0648\u0639\u062a\u0643.<\/li>\n
- \u0634\u0647\u0627\u062f\u0627\u062a SBOM \u062a\u0648\u0633\u0639 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062b\u0642\u0629.<\/strong> \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u064a\u062b\u0628\u062a \u0645\u0646 \u0628\u0646\u0649 \u0627\u0644\u0635\u0648\u0631\u0629\u061b \u0625\u0631\u0641\u0627\u0642 SBOM \u0645\u0648\u0642\u0639 \u064a\u062b\u0628\u062a \u0645\u0627 \u0628\u062f\u0627\u062e\u0644\u0647\u0627. \u0645\u0639\u0627\u064b\u060c \u064a\u0648\u0641\u0631\u0627\u0646 \u0645\u0635\u062f\u0631\u0627\u064b \u0643\u0627\u0645\u0644\u0627\u064b \u0645\u0646 \u0627\u0644\u0645\u0635\u062f\u0631 \u0625\u0644\u0649 \u0648\u0642\u062a \u0627\u0644\u062a\u0634\u063a\u064a\u0644.<\/li>\n
- \u0648\u0642\u0651\u0639 \u0628\u0627\u0644\u0645\u0644\u062e\u0635\u060c \u0648\u0644\u064a\u0633 \u0628\u0627\u0644\u0648\u0633\u0645.<\/strong> \u0627\u0644\u0648\u0633\u0648\u0645 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u063a\u064a\u064a\u0631 \u2014 \u064a\u0645\u0643\u0646 \u0644\u0634\u062e\u0635 \u0645\u0627 \u0646\u0642\u0644 \u0648\u0633\u0645 \u0625\u0644\u0649 \u0635\u0648\u0631\u0629 \u0645\u062e\u062a\u0644\u0641\u0629. \u0627\u0644\u0645\u0644\u062e\u0635\u0627\u062a \u0647\u064a \u0639\u0646\u0627\u0648\u064a\u0646 \u0645\u062d\u062a\u0648\u0649 \u062b\u0627\u0628\u062a\u0629\u060c \u0644\u0630\u0627 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u0627\u0644\u0645\u0644\u062e\u0635 \u064a\u0636\u0645\u0646 \u0623\u0646\u0643 \u0648\u0642\u0639\u062a \u0628\u0627\u0644\u0636\u0628\u0637 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u062a\u064a \u0628\u0646\u064a\u062a\u0647\u0627.<\/li>\n<\/ul>\n
\u0627\u0644\u062e\u0637\u0648\u0627\u062a \u0627\u0644\u062a\u0627\u0644\u064a\u0629<\/h2>\n
\u0648\u0627\u0635\u0644 \u0628\u0646\u0627\u0621 \u0645\u0639\u0631\u0641\u062a\u0643 \u0628\u0623\u0645\u0627\u0646 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0645\u0639 \u0647\u0630\u0647 \u0627\u0644\u0623\u062f\u0644\u0629 \u0630\u0627\u062a \u0627\u0644\u0635\u0644\u0629:<\/p>\n
\n- \u062a\u0648\u0642\u064a\u0639 \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Sigstore \u0648 Cosign<\/a> \u2014 \u062f\u0644\u064a\u0644 \u0634\u0627\u0645\u0644 \u064a\u063a\u0637\u064a \u0628\u0646\u064a\u0629 Cosign \u0648\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u062a\u062d\u0642\u0642 \u0627\u0644\u0645\u062a\u0642\u062f\u0645\u0629 \u0648\u0627\u0644\u062a\u0643\u0627\u0645\u0644 \u0645\u0639 \u0633\u062c\u0644\u0627\u062a \u0648\u0623\u0646\u0638\u0645\u0629 CI \u0645\u062e\u062a\u0644\u0641\u0629.<\/li>\n
- \u0645\u0635\u062f\u0631 \u0627\u0644\u0642\u0637\u0639 \u0627\u0644\u0623\u062b\u0631\u064a\u0629 \u0648\u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a: \u0645\u0646 SLSA \u0625\u0644\u0649 in-toto<\/a> \u2014 \u0641\u0647\u0645 \u0646\u0638\u0627\u0645 \u0627\u0644\u0645\u0635\u062f\u0631 \u0627\u0644\u0623\u0648\u0633\u0639 \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0645\u0633\u062a\u0648\u064a\u0627\u062a SLSA \u0648\u062a\u062e\u0637\u064a\u0637\u0627\u062a in-toto \u0648\u0643\u064a\u0641 \u062a\u062a\u0646\u0627\u0633\u0628 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a \u0645\u0639 \u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0629 \u0623\u0645\u0627\u0646 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0627\u0644\u0643\u0627\u0645\u0644\u0629.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
\u064a\u062c\u0628 \u062a\u0648\u0642\u064a\u0639 \u0643\u0644 \u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629 \u064a\u0646\u062a\u062c\u0647\u0627 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0628\u0634\u0643\u0644 \u062a\u0634\u0641\u064a\u0631\u064a \u0642\u0628\u0644 \u0623\u0646 \u062a\u0635\u0644 \u0625\u0644\u0649 \u0623\u064a \u0628\u064a\u0626\u0629. \u0627\u0644\u0635\u0648\u0631 \u063a\u064a\u0631 \u0627\u0644\u0645\u0648\u0642\u0639\u0629 \u062a\u0645\u062b\u0644 \u0646\u0642\u0637\u0629 \u0639\u0645\u064a\u0627\u0621 \u2014 \u0644\u064a\u0633 \u0644\u062f\u064a\u0643 \u062f\u0644\u064a\u0644 \u0639\u0644\u0649 \u0623\u0646\u0647\u0627 \u062c\u0627\u0621\u062a \u0645\u0646 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u062e\u0627\u0635 \u0628\u0643\u060c \u0648\u0644\u0627 \u0636\u0645\u0627\u0646 \u0628\u0623\u0646\u0647\u0627 \u0644\u0645 \u064a\u062a\u0645 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0647\u0627 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0646\u0642\u0644\u060c \u0648\u0644\u0627 \u0622\u0644\u064a\u0629 \u0633\u064a\u0627\u0633\u0629 \u0644\u0645\u0646\u0639 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631 \u063a\u064a\u0631 \u0627\u0644\u0645\u0635\u0631\u062d \u0628\u0647\u0627. \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u0639\u0645\u0644 \u0627\u0644\u0639\u0645\u0644\u064a \u0633\u062a\u0642\u0648\u0645 \u0628\u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Cosign \u0641\u064a GitHub Actions.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,29,67,27],"tags":[],"post_folder":[],"class_list":["post-804","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-github-actions","category-labs","category-software-supply-chain"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=804"}],"version-history":[{"count":1,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/804\/revisions"}],"predecessor-version":[{"id":805,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/804\/revisions\/805"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=804"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}