Skip to content
This repository has been archived by the owner on Mar 10, 2024. It is now read-only.
/ sigstore-custom-policies Public archive

Repo to contain files demo'd on the CNCF Webinar on the Sigstore Policy Controller

3 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

chainguard-dev/sigstore-custom-policies

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

CNCF-Sigstore-Policy Controller-Slides.pdf

CNCF-Sigstore-Policy Controller-Slides.pdf

 
 

README.md

README.md

 
 

author-email.cue

author-email.cue

 
 

codereview-cip.yaml

codereview-cip.yaml

 
 

codereview.json

codereview.json

 
 

independent-review.cue

independent-review.cue

 
 

repo-check.cue

repo-check.cue

 
 

Repository files navigation

CNCF Webinar - Sigstore Policy Controller Demo Files

Recording

Setup

You can use any image but these are the steps I followed:

  1. Copy over a new image
crane copy \
    cgr.dev/chainguard/hello-world@sha256:f6827ec9bd51ad519e6e3aabb2e18487a852b34f57178166f8f70b81bff89b26 \
    gcr.io/image-scans/cncf-webinar:custom
  1. Sign the image using cosign
cosign sign \
    gcr.io/image-scans/cncf-webinar@sha256:f6827ec9bd51ad519e6e3aabb2e18487a852b34f57178166f8f70b81bff89b26
  1. Sign and attach the attestation to the image
cosign attest \
    --predicate=codereview.json \
    --type=custom \
    gcr.io/image-scans/cncf-webinar@sha256:f6827ec9bd51ad519e6e3aabb2e18487a852b34f57178166f8f70b81bff89b26

Signing the image generated log index 6691159 and signing/attaching the attestation generated log index 6691180

In addition to the links to the public rekor log, the signature can be validated by running:

cosign verify gcr.io/image-scans/cncf-webinar@sha256:f6827ec9bd51ad519e6e3aabb2e18487a852b34f57178166f8f70b81bff89b26

The attestation can be shown by running:

cosign verify-attestation \
    --type=custom \
    gcr.io/image-scans/cncf-webinar@sha256:f6827ec9bd51ad519e6e3aabb2e18487a852b34f57178166f8f70b81bff89b26 \
    | jq -r .payload | base64 -d | jq -r .predicate.Data

Follow the rest of the instructions to learn how to validate the attestation

Demo 1: Validate Repo Data

cosign verify-attestation \
    --policy=repo-check.cue \
    --type=custom \
    gcr.io/image-scans/cncf-webinar@sha256:f6827ec9bd51ad519e6e3aabb2e18487a852b34f57178166f8f70b81bff89b26

Demo 2: Validate Email Domain of Author

cosign verify-attestation \
    --policy=author-email.cue \
    --type=custom \
    gcr.io/image-scans/cncf-webinar@sha256:f6827ec9bd51ad519e6e3aabb2e18487a852b34f57178166f8f70b81bff89b26

Demo 3: Independent Review

cosign verify-attestation \
    --policy=independent-review.cue \
    --type=custom \
    gcr.io/image-scans/cncf-webinar@sha256:f6827ec9bd51ad519e6e3aabb2e18487a852b34f57178166f8f70b81bff89b26

Demo 4: Putting It All Together

cosign verify-attestation \
    --policy=combined-trimmed.cue \
    --type=custom \
    gcr.io/image-scans/cncf-webinar@sha256:f6827ec9bd51ad519e6e3aabb2e18487a852b34f57178166f8f70b81bff89b26

Chainguard Enforce

Turn on enforcement by adding the policy.sigstore.dev/include=true label, install the policy, run the example:

kubectl label ns default policy.sigstore.dev/include=true --overwrite
chainctl policies create --group $DEMO_GROUP -f codereview-cip.yaml
kubectl run codereview --image=gcr.io/image-scans/cncf-webinar@sha256:f6827ec9bd51ad519e6e3aabb2e18487a852b34f57178166f8f70b81bff89b26

Clean up

chainctl policy delete -y $(chainctl policy list -o json | jq -r '[.items[] | select(.name == "codereview")][0].id')
kubectl label ns default policy.sigstore.dev/include-

About

Repo to contain files demo'd on the CNCF Webinar on the Sigstore Policy Controller

Resources

Readme
Activity
Custom properties

Stars

3 stars

Watchers

5 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages