Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Sig-Security] Generation of SLSA3+ provenance for KubeEdge release artifacts #4285

Merged
merged 1 commit into from
Jan 14, 2023
Merged

[Sig-Security] Generation of SLSA3+ provenance for KubeEdge release artifacts #4285

merged 1 commit into from
Jan 14, 2023

Conversation

vincentgoat
Copy link
Member

@vincentgoat vincentgoat commented Oct 9, 2022
edited
Loading

Signed-off-by: vincentgoat linguohui1@huawei.com

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
Generation of SLSA3+ provenance for KubeEdge, generating non-forgeable SLSA provenance on GitHub that meets the build and provenance requirements for SLSA level 3 and above.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?: YES

1. Before merging this PR

Please create a Repository variables in the repo kubeedge.
Steps: Repo kubeedge > settings > Security/Secretes and variables > Actions > Variables > New repositories variables
New the variable: DOCKERHUB_USER_NAME: {the value is same with dockerhub username}

2. Here is how we verify provenance generated by SLSA generator (Binary artifacts):

  1. Download slsa-verifier tools. FYI: https://github.com/slsa-framework/slsa-verifier

  2. Example:

    $ ./slsa-verifier-linux-amd64 verify-artifact kubeedge-v1.xx.xx-linux-arm.tar.gz --provenance-path attestation.intoto.jsonl --source-uri github.com/kubeedge/kubeedge --source-tag v1.xx.xx

If the results return the following means verifying successfully.
PASSED: Verified SLSA provenance

Otherwise failed.
expected hash 'xxx' not found: artifact hash does not match provenance subject

Note: Files kubeedge-v1.xx.xx-linux-arm.tar.gz and attestation.intoto.jsonl are release artifacts that show at KubeEdge RELEASE pages.

3. Verify container images' provenance

FYI: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#verification

Examples:
$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type slsaprovenance --policy policy.cue kubeedge/admission:v1.x.x

@kubeedge-bot kubeedge-bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Oct 9, 2022
@kubeedge-bot kubeedge-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Oct 9, 2022
@kubeedge-bot kubeedge-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 11, 2022
@kubeedge-bot kubeedge-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 14, 2022
@vincentgoat vincentgoat reopened this Oct 14, 2022
@kubeedge-bot kubeedge-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 14, 2022
gy95
gy95 reviewed Oct 14, 2022
View reviewed changes
.github/workflows/release.yml Outdated
@@ -20,8 +20,6 @@ jobs:
- linux
arch:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

delete this arch part

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

gy95
gy95 reviewed Oct 14, 2022
View reviewed changes
.github/workflows/release.yml Outdated

_output/release/${{ github.ref_name }}/${{ matrix.target }}-${{ github.ref_name }}-${{ matrix.os }}-${{ env.output_arch }}.tar.gz
_output/release/${{ github.ref_name }}/checksum_${{ matrix.target }}-${{ github.ref_name }}-${{ matrix.os }}-${{ env.output_arch }}.tar.gz.txt
build-hash:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add a blank line between the two jobs and between the two actions to make it readable

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@vincentgoat vincentgoat mentioned this pull request Nov 4, 2022
Open
8 tasks
@stale
Copy link

stale bot commented Dec 21, 2022

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@kubeedge-bot kubeedge-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 26, 2022
@stale stale bot closed this Jan 7, 2023
@vincentgoat
Generation of SLSA3+ provenance for KubeEdge
4baf8b0 
Signed-off-by: vincentgoat <linguohui1@huawei.com>
@vincentgoat vincentgoat reopened this Jan 11, 2023
@stale stale bot removed the lifecycle/stale label Jan 11, 2023
@vincentgoat vincentgoat added this to the v1.13 milestone Jan 12, 2023
@vincentgoat vincentgoat added the sig/security Categorizes an issue or PR as relevant to SIG Security. label Jan 13, 2023
fisherxu
fisherxu reviewed Jan 14, 2023
View reviewed changes
Copy link
Member

@fisherxu fisherxu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@kubeedge-bot kubeedge-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 14, 2023
@kubeedge-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fisherxu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubeedge-bot kubeedge-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 14, 2023
@kubeedge-bot kubeedge-bot merged commit 5231dc6 into kubeedge:master Jan 14, 2023
@fisherxu fisherxu mentioned this pull request Nov 21, 2023
Closed
2 tasks
@fisherxu fisherxu mentioned this pull request Aug 8, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fisherxu fisherxu fisherxu left review comments

@gy95 gy95 gy95 left review comments

@sids-b sids-b Awaiting requested review from sids-b

@subpathdev subpathdev Awaiting requested review from subpathdev

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. sig/security Categorizes an issue or PR as relevant to SIG Security. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.13
Development

Successfully merging this pull request may close these issues.
4 participants
@vincentgoat @kubeedge-bot @fisherxu @gy95