Support disabling the verification with Cosign and slsa-verifier #2633

Closed
suzuki-shunsuke opened this issue Jan 25, 2024 · 5 comments · Fixed by #2634
Labels
enhancement New feature or request
suzuki-shunsuke commented Jan 25, 2024

Feature Overview

Support disabling the verification with Cosign and slsa-verifier.

Why is the feature needed?

Original discussion: https://github.com/orgs/aquaproj/discussions/2631

Cosign and slsa-verifier access some endpoints such as oauth2.sigstore.dev and fulcio.sigstore.dev.
So to use them you need to allow access to these endpoints.

But in some use cases you can't or don't want to do that.
For example, your company's network policy might not allow access to these endpoints.

To resolve the issue, this issue proposes to support disabling the verification with Cosign and slsa-verifier.

Workaround

There is no workaround.

Example Code

  1. Add command line options

     e.g.

         aqua [-disable-cosign] [-disable-slsa] i

  2. Add environment variables

     e.g.

         env AQUA_DISABLE_COSIGN=true AQUA_DISABLE_SLSA=true aqua i

Note

This feature isn't good in terms of security,
but I don't think disabling the verification with Cosign and slsa-verifier causes security threats immediately.
And most packages don't support Cosign and slsa-verifier, so the effect is limited.

I don't want to require users to allow access to those endpoints.

@suzuki-shunsuke

@tuananh
Could you try https://github.com/aquaproj/aqua/releases/tag/v2.22.0-1 ?
If there is no problem, we'll merge #2634 and release v2.22.0.

tuananh commented Jan 26, 2024

it seems to work. thanks a lot :)

@suzuki-shunsuke

Thank you!

v2.22.0 is out 🎉
https://github.com/aquaproj/aqua/releases/tag/v2.22.0

suzuki-shunsuke commented Jan 26, 2024

aqua-installer v2.3.0 is out 🎉

https://github.com/aquaproj/aqua-installer/releases/tag/v2.3.0

To disable the verification when you install aqua with aqua-installer, please use aqua-installer v2.3.0 or newer and set the environment variables AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA.

export AQUA_DISABLE_COSIGN=true
export AQUA_DISABLE_SLSA=true
./aqua-installer

- uses: aquaproj/aqua-installer@v2.3.0
  with:
    aqua_version: v2.22.0
  env:
    AQUA_DISABLE_COSIGN: "true"
    AQUA_DISABLE_SLSA: "true"
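
For auditing where these switches end up, the following added example (not part of the thread or of aqua's code) scans a directory tree for assignments of AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA. The function names are hypothetical, and treating only the value `true` as disabling is an assumption based on the value shown in this issue.

```sh
#!/bin/sh
# Added example: audit where aqua's Cosign / slsa-verifier checks are turned off.
# Assumption: only the value "true" (the value shown in this issue) counts as
# DISABLED; any other assignment is reported as SET for manual review.

# scan_aqua_disable DIR
# Prints one tab-separated finding per assignment: STATE, FILE:LINE, VAR=VALUE
scan_aqua_disable() {
    find "$1" -type d -name .git -prune -o -type f -print | sort |
    while IFS= read -r f; do
        awk -v file="$f" -v sq="'" '
            /^[ \t]*#/ { next }              # skip whole-line comments
            {
                line = $0
                # Match shell (VAR=value) and YAML (VAR: value) forms, possibly
                # several per line, e.g. "env A=true B=true aqua i".
                while (match(line, /AQUA_DISABLE_(COSIGN|SLSA)[ \t]*[:=][ \t]*[^ \t]*/)) {
                    tok  = substr(line, RSTART, RLENGTH)
                    line = substr(line, RSTART + RLENGTH)
                    name = tok; sub(/[ \t]*[:=].*/, "", name)
                    val  = tok; sub(/^[^:=]*[:=][ \t]*/, "", val)
                    gsub("[\"" sq ";]", "", val)   # drop quotes and any ;
                    state = (tolower(val) == "true") ? "DISABLED" : "SET"
                    printf "%s\t%s:%d\t%s=%s\n", state, file, NR, name, val
                }
            }' "$f"
    done
}

# aqua_verification_disabled DIR
# Exit status 0 if any file under DIR disables verification (usable as a CI gate).
aqua_verification_disabled() {
    scan_aqua_disable "$1" | grep -q '^DISABLED'
}

# Constructed sample input, modelled on the workflow snippet in the last comment.
demo=$(mktemp -d)
mkdir -p "$demo/.github/workflows"
cat > "$demo/.github/workflows/ci.yml" <<'EOF'
- uses: aquaproj/aqua-installer@v2.3.0
  with:
    aqua_version: v2.22.0
  env:
    AQUA_DISABLE_COSIGN: "true"
    AQUA_DISABLE_SLSA: "false"
EOF
scan_aqua_disable "$demo"
rm -rf "$demo"
```

A repository that is expected to keep verification on can run `aqua_verification_disabled .` in CI and fail the job when it returns success.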
