Sigstore Cosign VS Code development container feature


Those following me here or on social media will know that I am a big fan of Visual Studio development containers. I wrote a bit about Visual Studio Code development containers. I have been using devcontainers extensively for different development environments. I have a sample repo on GitHub that has all the devcontainer definitions that I have been using for different projects. The latest addition to this list is the Sigstore cosign devcontainer feature.

If you are new to creating VS Code devcontainer features, you can read my earlier article where I walked through creating a devcontainer feature for Cuelang.

What is cosign?

Sigstore's cosign aims to support artifact signing and verification. This article is not about cosign, but here is a quick look at what you can achieve.

# Generate key pair (private/public)
cosign generate-key-pair

# Sign a container image
cosign sign --key cosign.key ravikanth/hello-container

# Verify signature
cosign verify --key cosign.pub ravikanth/hello-container

Although the above example shows signing a container image, you can sign any artifact using cosign. I have a few articles around container images and OCI artifacts in drafts where I plan to show the usage of cosign in depth. For now, this is just a quick overview.

Coming back to VS Code devcontainers, I use devcontainers for all my development work and as a part of that I wanted to have cosign also available in my devcontainer. So, I created a feature that I can simply include in my devcontainer definition.

Consuming cosign devcontainer feature

All the devcontainer features that I build are available in the GitHub artifact registry.

For VS Code or GitHub Codespaces to identify a devcontainer, you need to create a .devcontainer folder at the root of the repository. Once this folder is created, copy the JSON contents shown below to a file and save it as devcontainer.json under the .devcontainer folder.

{
	"image": "mcr.microsoft.com/vscode/devcontainers/base",
	"containerEnv": {
		"TZ": "Asia/Calcutta"
	},
	"settings": {},
	"extensions": [
		"golang.go"
	],
	"features": {
		"ghcr.io/devcontainers/features/go:1": {
			"version": "latest"
		},
		"ghcr.io/rchaganti/vsc-devcontainer-features/cosign:latest" : {}
	},
	"remoteUser": "vscode"
}

This is it really. Whenever you open this repo in VS Code, it asks whether you want to open the repository in a devcontainer. If you choose to open in a devcontainer, it will take a few minutes to build the container image and start the container for you.

If you need a specific version of the cosign binary, you can specify that using the version option.

"ghcr.io/rchaganti/vsc-devcontainer-features/cosign:latest" : {
	"version": "1.31.1"
}

In this devcontainer, I have both the Go language and the cosign binary. Simple. Eh!?
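
A devcontainer feature is an install script that runs while the container image is built, so it helps to know which references in devcontainer.json can change between builds. The following Python check is an added example, not part of the original post or the feature's own code: it reads a definition like the one above and lists the untagged base image, the floating feature tags and the "version": "latest" option. The names ref_problem and audit are hypothetical, the sample input is constructed from the snippets in this post, and the file is assumed to be plain JSON without comments.

```python
import json

# Constructed sample: the two devcontainer.json snippets from this post, merged.
DEVCONTAINER_JSON = """
{
  "image": "mcr.microsoft.com/vscode/devcontainers/base",
  "features": {
    "ghcr.io/devcontainers/features/go:1": {"version": "latest"},
    "ghcr.io/rchaganti/vsc-devcontainer-features/cosign:latest": {"version": "1.31.1"}
  }
}
"""

def ref_problem(ref):
    """Return why an OCI reference can change between builds, or None."""
    if "@sha256:" in ref:
        return None                    # digest: immutable content address
    last = ref.rsplit("/", 1)[-1]      # skip a registry port such as host:5000/...
    if ":" not in last:
        return "no tag (resolves to latest)"
    tag = last.rsplit(":", 1)[1]
    if tag == "latest":
        return "tag 'latest' is mutable"
    if tag.count(".") < 2:
        return f"tag '{tag}' floats across releases"
    return None                        # full x.y.z tag: accepted here, weaker than a digest

def audit(text):
    """Return (location, reason) findings for one devcontainer.json document."""
    cfg = json.loads(text)
    findings = []
    if "image" in cfg:
        problem = ref_problem(cfg["image"])
        if problem:
            findings.append(("image", problem))
    for ref, options in cfg.get("features", {}).items():
        problem = ref_problem(ref)
        if problem:
            findings.append((ref, problem))
        if isinstance(options, dict) and options.get("version") == "latest":
            findings.append((ref, "option version=latest installs whatever is newest"))
    return findings

if __name__ == "__main__":
    for location, reason in audit(DEVCONTAINER_JSON):
        print(f"{location}: {reason}")
```
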

Let me know how you use cosign today in the comments.
