
Cosign container and binaries #20

Merged
merged 12 commits into from
Jun 27, 2022

Conversation

thepwagner
Contributor

Use cosign+fulcio to sign the containers and binaries generated from the release process.

I've tested this in https://github.com/thepwagner/hansel , and this PR includes the "receipts" from that experimentation. I'll be sure to squash.

You can verify the container:

```
$ COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/thepwagner/hansel:0.0.9 | jq
```

You can verify the blobs:

```
$ curl -sOL https://github.com/thepwagner/hansel/releases/download/v0.0.9/hansel_0.0.9_linux_amd64.tar.gz
$ tar xvf hansel_0.0.9_linux_amd64.tar.gz
LICENSE
README.md
hansel

$ curl -sOL https://github.com/thepwagner/hansel/releases/download/v0.0.9/hansel_0.0.9_linux_amd64-keyless.sig
$ curl -sOL https://github.com/thepwagner/hansel/releases/download/v0.0.9/hansel_0.0.9_linux_amd64-keyless.pem
$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --signature hansel_0.0.9_linux_amd64-keyless.sig --certificate hansel_0.0.9_linux_amd64-keyless.pem --enforce-sct hansel
$ base64 -d hansel_0.0.9_linux_amd64-keyless.pem | openssl x509 -text
```

- You should see `cosign verify-blob` state `Verified OK` for the signature.
- From the openssl output, you should see:
  - The key was issued by `O = sigstore.dev, CN = sigstore-intermediate`
  - The certificate was only valid for a 10 minute window while the workflow ran
  - A bunch of x509 extensions linking the certificate to the triggering Actions workflow+event.

I see the following in the logs:
```
error during command execution: signing /home/runner/work/hansel/hansel/dist/hansel_darwin_amd64_v1/hansel: getting key from Fulcio: verifying SCT: creating cached local store: resource temporarily unavailabl
```

Theories from "local store" are that it is a conflict/race that limited parallelism will fix. Alternatively, it could be a server-side throttle that limited parallelism may fix.

This is probably the last stop before giving up on blob signing and just trying to get container signing working.
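The checks the description above asks the reader to do by eye on the `openssl x509 -text` output (sigstore.dev issuer, ten-minute validity window, a SAN bound to the triggering workflow, the Fulcio extensions) can be scripted. This is an added example, not code from this PR or from hansel: the certificate text it parses is a constructed sample, and the extension OIDs are Fulcio's original GitHub Actions ones (1.3.6.1.4.1.57264.1.x), whose values openssl prints as plain strings.

```python
from datetime import datetime

# Two of Fulcio's original GitHub Actions extension OIDs (raw-string values).
FULCIO_EXTS = {"1.3.6.1.4.1.57264.1.1": "oidc_issuer",
               "1.3.6.1.4.1.57264.1.5": "workflow_repository"}
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed sample of `openssl x509 -text` output; not a real Fulcio certificate.
SAMPLE_CERT_TEXT = """\
        Issuer: O = sigstore.dev, CN = sigstore-intermediate
            Not Before: Jun 27 14:34:22 2022 GMT
            Not After : Jun 27 14:44:22 2022 GMT
            X509v3 Subject Alternative Name: critical
                URI:https://github.com/Shopify/hansel/.github/workflows/release.yaml@refs/tags/v0.0.4
            1.3.6.1.4.1.57264.1.1:
                https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.5:
                Shopify/hansel
"""

def parse_cert_text(text):
    """Pull issuer, validity window, SAN URI and Fulcio extensions out of openssl's text dump."""
    lines = [line.strip() for line in text.splitlines()]
    stamp = lambda s: datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y GMT")
    info = {"exts": {}}
    for i, line in enumerate(lines):
        if line.startswith("Issuer:"):
            info["issuer"] = line[len("Issuer:"):].strip()
        elif line.startswith("Not Before:"):
            info["not_before"] = stamp(line.split(":", 1)[1])
        elif line.startswith("Not After"):
            info["not_after"] = stamp(line.split(":", 1)[1])
        elif line.startswith("URI:"):
            info["san"] = line[len("URI:"):]
        elif line.rstrip(":") in FULCIO_EXTS:
            info["exts"][FULCIO_EXTS[line.rstrip(":")]] = lines[i + 1]  # value is on the next line
    return info

def check_cert(info, expected_san, expected_issuer=GITHUB_OIDC_ISSUER, max_window=600):
    """Return the failed checks; an empty list means the certificate is the one the release should carry."""
    window = (info["not_after"] - info["not_before"]).total_seconds()
    checks = [
        ("O = sigstore.dev" in info.get("issuer", ""), "not issued by sigstore.dev"),
        (window <= max_window, f"validity window {window:.0f}s exceeds {max_window}s"),
        (info.get("san") == expected_san, "SAN is not the expected workflow identity"),
        (info["exts"].get("oidc_issuer") == expected_issuer, "unexpected OIDC issuer"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Pinning the expected SAN to the exact workflow path and tag ref is what stops a signature made by some other repository's (equally valid) Fulcio certificate from passing.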
@thepwagner thepwagner self-assigned this Jun 24, 2022
@thepwagner thepwagner requested review from a team and cdenyar and removed request for a team June 24, 2022 14:09
Member

@Owen-Cummings Owen-Cummings left a comment


LGTM! :shipit:

@thepwagner thepwagner merged commit ae381e0 into main Jun 27, 2022
@thepwagner thepwagner deleted the cosign-container-and-binaries branch June 27, 2022 15:07
@thepwagner
Contributor Author

This shipped in https://github.com/Shopify/hansel/releases/tag/v0.0.4

```
$ COSIGN_EXPERIMENTAL=1 ./cosign verify ghcr.io/shopify/hansel:0.0.4

Verification for ghcr.io/shopify/hansel:0.0.4 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
```


```
$ cosign verify-blob --certificate hansel_0.0.4_linux_amd64-keyless.pem --signature hansel_0.0.4_linux_amd64-keyless.sig hansel
Verified OK
```
