kubernetes

6th chunk of `content/en/blog/_posts/2017-11-00-Securing-Software-Supply-Chain-Grafeas.md`
The  "" is invalid: : No matched signatures for container image: gcr.io/hightowerlabs/payment@sha256:aba48d60ba4410ec921f9d2e8169236c57660d121f9430dc9758d754eec8f887
```


**3. Create an image signature**  

Assuming the image digest reference is stored in image-digest.txt, clearsign that file with the QA key:

```
gpg -u qa_bob@example.com \
  --armor \
  --clearsign \
  --output=signature.gpg \
  image-digest.txt
```



**4. Upload the signature to the Grafeas API**  

Generate a pgpSignedAttestation occurrence from the signature:

```
cat > occurrence.json <<EOF
{
  "resourceUrl": "$(cat image-digest.txt)",
  "noteName": "projects/image-signing/notes/qa",
  "attestation": {
    "pgpSignedAttestation": {
       "signature": "$(cat signature.gpg)",
       "contentType": "application/vnd.gcr.image.url.v1",
       "pgpKeyId": "${GPG_KEY_ID}"
    }
  }
}
EOF
```


Upload the attestation through the Grafeas API:




```
curl -X POST \
  'http://127.0.0.1:8080/v1alpha1/projects/image-signing/occurrences' \
  -d @occurrence.json
```



**5. Verify QA attestation during a production deployment**    

Attempt to run the image in paymentProcessor.yaml now that the correct attestation is in the Grafeas API:

```
kubectl apply -f pods/paymentProcessor.yaml

pod "PaymentProcessor" created
```


With the attestation in place, the admission check finds a matching QA signature for the image digest, the execution criteria are met, and the pod is created.  
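The admission-side decision that step 5 relies on, written as an added Python example (not code from the original post or from the grafeas-tutorial): given a Pod manifest and the occurrences returned by the Grafeas API, it requires digest-pinned images and accepts an image only when a QA attestation exists whose signed text is that exact digest reference and whose key id is trusted. Cryptographic verification is delegated to a callable (the default shells out to a local `gpg --verify`, assumed to have the QA public key imported) so the policy logic runs offline; the sample occurrence, signature block and key id are constructed placeholders.

```python
import re
import subprocess

QA_NOTE = "projects/image-signing/notes/qa"  # note name used in occurrence.json above
DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")
CLEARSIGN_RE = re.compile(r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]*\n)*?\n(.*?)\n"
                          r"-----BEGIN PGP SIGNATURE-----", re.S)

def signed_body(clearsigned):
    """Return the text a PGP clearsigned block covers, or None if it is not one."""
    m = CLEARSIGN_RE.search(clearsigned)
    return m.group(1).strip() if m else None

def gpg_verify(clearsigned):
    """Default verifier: a local gpg that already has the QA public key imported."""
    res = subprocess.run(["gpg", "--verify"], input=clearsigned.encode(), capture_output=True)
    return res.returncode == 0

def check_image(image, occurrences, trusted_key_ids, verify=gpg_verify):
    """Return None if `image` may run, otherwise the reason it is rejected."""
    if not DIGEST_RE.match(image):
        return f"Image must be referenced by digest, not a tag: {image}"
    for occ in occurrences:
        att = occ.get("attestation", {}).get("pgpSignedAttestation")
        if not att or occ.get("noteName") != QA_NOTE or occ.get("resourceUrl") != image:
            continue  # not a QA attestation for this digest
        if att.get("pgpKeyId") not in trusted_key_ids:
            continue  # signed by a key QA does not use
        sig = att.get("signature", "")
        # The signed text must be this exact digest reference; a valid signature
        # over anything else (another image, a tag) proves nothing about this one.
        if signed_body(sig) == image and verify(sig):
            return None
    return f"No matched signatures for container image: {image}"

def admit_pod(pod, occurrences, trusted_key_ids, verify=gpg_verify):
    """Check every container in a Pod manifest; an empty list means admit."""
    occurrences = list(occurrences)
    found = (check_image(c["image"], occurrences, trusted_key_ids, verify)
             for c in pod["spec"]["containers"])
    return [reason for reason in found if reason]

# Constructed sample data (not from the post): the digest is the one rejected above,
# the signature block only has the shape of gpg --clearsign output, key id is a placeholder.
IMAGE = "gcr.io/hightowerlabs/payment@sha256:aba48d60ba4410ec921f9d2e8169236c57660d121f9430dc9758d754eec8f887"
SAMPLE_SIG = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + IMAGE +
              "\n-----BEGIN PGP SIGNATURE-----\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n")
SAMPLE_OCCURRENCES = [{"resourceUrl": IMAGE, "noteName": QA_NOTE, "attestation": {
    "pgpSignedAttestation": {"signature": SAMPLE_SIG, "pgpKeyId": "QA_KEY_ID_PLACEHOLDER"}}}]
SAMPLE_POD = {"spec": {"containers": [{"name": "payment", "image": IMAGE}]}}
```

Calling `admit_pod(SAMPLE_POD, SAMPLE_OCCURRENCES, {"QA_KEY_ID_PLACEHOLDER"})` against a real gpg keyring yields either an empty list (admit) or the same "No matched signatures" reason the admission controller printed earlier in the post.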

For more detailed information, see this [Grafeas tutorial](https://github.com/kelseyhightower/grafeas-tutorial).



## Summary
The demo above showed how you can integrate your software supply chain with Grafeas and gain visibility and control over your production deployments. However, the demo verification pipeline by itself is not a full Kritis implementation. In addition to basic admission control, Kritis provides additional support for workflow enforcement, multi-authority signing, breakglass deployment and more. You can read the [Kritis whitepaper](https://github.com/Grafeas/Grafeas/blob/master/case-studies/binary-authorization.md) for more details. The team is actively working on a full open-source implementation. We’d love your feedback!  

In addition, a hosted alpha implementation of Kritis, called Binary Authorization, is available on Google Container Engine and will be available for broader consumption soon.  

Google, JFrog, and other partners joined forces to create Grafeas based on our common experiences building secure, large, and complex microservice deployments for internal and enterprise customers. Grafeas is an industry-wide community effort.  

To learn more about Grafeas and contribute to the project:  

- Register for the JFrog-Google webinar [here](https://leap.jfrog.com/WN2017-ImplementingaSingleSourceofTruthinaHybridCloudWorld_RegistrationPage.html)
- Try Grafeas now and join the GitHub project: [https://github.com/grafeas](https://github.com/grafeas)
- Try out the Grafeas demo and tutorial: [https://github.com/kelseyhightower/grafeas-tutorial](https://github.com/kelseyhightower/grafeas-tutorial)
- Attend Shopify’s talks at [KubeCon in December](https://kccncna17.sched.com/event/CU83/securing-shopifys-paas-on-gke-i-jonathan-pulsifer-shopify)
- Fill out [this form](https://docs.google.com/forms/d/e/1FAIpQLSdr8kDTkAkml5f9TW_kzz06C0s0QuV_sWYzHC7NM90F5CZ2bQ/viewform) if you’re interested in learning more about our upcoming releases or talking to us about integrations
- See [grafeas.io](https://grafeas.io/) for documentation and examples

We hope you join us!  
The Grafeas Team
