Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signing artifacts with cosign #2227

Closed
2 tasks done
justaugustus opened this issue Aug 25, 2021 · 23 comments
Closed
2 tasks done

Signing artifacts with cosign #2227

justaugustus opened this issue Aug 25, 2021 · 23 comments
Assignees
@puerco @cpanato
Labels
area/release-eng Issues or PRs related to the Release Engineering subproject kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/release Categorizes an issue or PR as relevant to SIG Release.
Milestone
v1.24

Comments

@justaugustus
Copy link
Member

What would you like to be added:

Signing artifacts with cosign

(I'm opening a placeholder to capture work. Let's capture thoughts here and we'll iterate over the issue description together.)

Why is this needed:

Should supersede sections of #914 once we flesh this out.

/assign @justaugustus @cpanato @puerco
cc: @kubernetes/sig-release-admins @kubernetes/release-engineering @dlorenc @lukehinds
@justaugustus justaugustus added kind/feature Categorizes issue or PR as related to a new feature. sig/release Categorizes an issue or PR as relevant to SIG Release. area/release-eng Issues or PRs related to the Release Engineering subproject labels Aug 25, 2021
@justaugustus justaugustus added this to the v1.23 milestone Aug 25, 2021
This was referenced Aug 25, 2021
Merged
Merged
@dlorenc
Copy link

dlorenc commented Aug 25, 2021

Yay!

@justaugustus
Copy link
Member Author

Some stream of consciousness...

  • What should we sign (containers, generic artifacts, checksums, etc.)?
  • Should we sign images used in CI?
  • Oh no! We don't uniquely tag all of those things
  • Is/should a signature [be] embedded as part of a manifest?
  • Wait, should we sign images before or after promotion?
  • If we sign before promotion, will anything be mutated during promotion?
  • Shouldn't we get the image promoter to sign as part of the run?
  • Should we sign artifacts multiple times? CI/GCB + Release Manager + image promoter
  • What sort of annotations should we include as part of the signature?
  • Should we always upload all image/artifact types to a transparency log?
  • Should we sign individual architecture images, the image manifest, or both?

@jonjohnsonjr
Copy link

What should we sign (containers, generic artifacts, checksums, etc.)?

Everything!

Should we sign images used in CI?

Why not?

Oh no! We don't uniquely tag all of those things

No need!

Is/should a signature [be] embedded as part of a manifest?

Definitely not!

Wait, should we sign images before or after promotion?

Why not both?

If we sign before promotion, will anything be mutated during promotion?

Not the artifacts themselves!

Shouldn't we get the image promoter to sign as part of the run?

Sure, why not?

Should we sign artifacts multiple times? CI/GCB + Release Manager + image promoter

Sure!

What sort of annotations should we include as part of the signature?

Great question! Ideally, anything you want to quickly verify.

Should we always upload all image/artifact types to a transparency log?

At least for things you intend folks to consume, I would think yes.

Should we sign individual architecture images, the image manifest, or both?

I'd say just the manifest list, but it depends on if the downstream software understands manifest lists. If that's too hard to keep up, just sign both.

@justaugustus justaugustus mentioned this issue Aug 25, 2021
Closed
@puerco
Copy link
Member

puerco commented Aug 26, 2021

Wait, should we sign images before or after promotion?

I was thinking that, at least for the images that go out as part of the kubernetes releases, we should sign them in CI before promotion and then have the promoter verify the signature to accept them for promotion. And then add a final signature during promotion for verification downstream.

What should we sign (containers, generic artifacts, checksums, etc.)?

Another idea: what about if we start a new repo for .deb and .rpm packages signed with a new key and publish those in parallel to the current ones. Then we slowly make the transition to these as the official ones, signed with a key managed by the community?

@justaugustus
Copy link
Member Author

justaugustus commented Aug 26, 2021
edited
Loading

Thanks for the quick response, @jonjohnsonjr!

Let's sign ALL THE THINGS!
GCB tags + substitutions are probably a good place to start for annotations.

we should sign them in CI before promotion

+1

and then have the promoter verify the signature to accept them for promotion. And then add a final signature during promotion for verification downstream.

Hearing a few things for image promoter:

  • enable validation
  • validate that the promoter can support non-image media types
  • enable signing

Another idea: what about if we start a new repo for .deb and .rpm packages signed with a new key and publish those in parallel to the current ones. Then we slowly make the transition to these as the official ones, signed with a key managed by the community?

Are you referring to:

  1. apt/yum repos, or
  2. "image" repos

If #1, let's consider this out of scope, at least for this issue:

  • Google does not plan on providing more apt/yum repos
  • time and cost associated with rolling/maintaining our own separately from container images

If #2, I think you're touching on the "galaxy-brain stuff" I've mentioned on a few of the leads call!

As an example:

Homebrew now hosts all of their bottles on the Container registry. This was made possible because the Container registry supports OCI images. Homebrew can now distribute over a half a petabyte of binary packages to their users every month while surfacing them in GitHub search for improved discoverability. Shaun Jackman, a Homebrew maintainer, found the OCI support particularly useful and said, “GHCR’s implementation of ORAS/OCI provides a standard API to query, upload, and download binary artifacts, so that Homebrew could use off-the-shelf compatible tools, easing our migration of bottle storage to GHCR.”

ref: https://github.blog/2021-06-21-github-packages-container-registry-generally-available/

I'd like to modify the image promoter to be a generic artifact promoter that uses GCR/GAR as the backend.

If we do that, we can genericize all of the signing/validation workflows.

@saschagrunert
Copy link
Member

And then add a final signature during promotion for verification downstream.

Isn't changing the signature after promotion confusing for end users? Why won't wee keep the original signature if the content of the image does not change during promotion?

@cpanato
Copy link
Member

cpanato commented Aug 26, 2021

second what @puerco said

@lukehinds
Copy link

I am not sure if you're at the right stage of planning to this level, but you should definitely start recording entries into rekor as well.

@justaugustus
Copy link
Member Author

Isn't changing the signature after promotion confusing for end users? Why won't wee keep the original signature if the content of the image does not change during promotion?

@saschagrunert -- How I see this potentially playing out (for release artifacts in particular):

  • Stage: Artifacts are signed with GCB w/ a key held by @kubernetes/sig-release-admins / @kubernetes/release-engineering
  • Release:
    • Artifacts are signed by the artifact/image promoter
    • krel validates signatures from RelEng + artifact/image promoter before completing the release
    • We publish multiple signatures for user validation

Optionally, somewhere in the middle, we could have the Release Manager in charge sign the staging images as part of krel promote-images and promote the:

  • artifacts
  • GCB staging signature
  • Release Manager signature

I am not sure if you're at the right stage of planning to this level, but you should definitely start recording entries into rekor as well.

@lukehinds -- Absolutely!

@justaugustus
Copy link
Member Author

cc: @kubernetes/sig-release @kubernetes/wg-k8s-infra

@justaugustus justaugustus pinned this issue Aug 28, 2021
@sftim
Copy link
Contributor

sftim commented Oct 21, 2021

My question: does this change need a KEP?

@justaugustus
Copy link
Member Author

My question: does this change need a KEP?

Discussion here: kubernetes/sig-release#1724

@saschagrunert saschagrunert mentioned this issue Nov 2, 2021
Open
7 tasks
@shibumi
Copy link

shibumi commented Nov 11, 2021

A few thoughts on this:

Right now, there is a cosign test key for signing. It would be nice, if we could switch to keyless signing via workload identities.
I wrote a little blog article about how to sign BLOBs with cosign keyless: https://shibumi.dev/posts/first-look-into-cosign/

The next cosign version should be able to:

  • create a keyless signature for any artifact
  • store the signature on disk/github release log and/or in the rekor transparency log.

Current blockers:

  • The public rekor/fulcio instances are still "test environments" and not meant for production use.
  • The cosign feature for keyless signatures is still considered experimental.
  • I don't know how the Github OIDC-Issuer / Workload Identity part will work in a big org like kubernetes.

I would suggest to wait until the sigstore stack is ready :)

It also might make sense to combine all of this with TUF or in-toto on the long run. First TUF, then in-toto.

@BenTheElder
Copy link
Member

if we could switch to keyless signing via workload identities.

+1, one concern I have is making sure that the signatures are meaningful, having workload identity based signatures from the relatively locked down release process would provide some assurances.

I don't know how the Github OIDC-Issuer / Workload Identity part will work in a big org like kubernetes.

build / publish actually runs in Google Cloud Build currently anyhow, FWIW. (or CI builds happen in our own Kubernetes based CI, which has GKE workload identity available).

Definitely smells like a KEP to me :-)

Somewhat related: I think if we want to sign CI builds we need to better secure them first (move them out to GCB for starters).

@shibumi
Copy link

shibumi commented Nov 11, 2021

@BenTheElder Just for the record: https://github.com/google-github-actions/auth this might be interesting then, right?

@BenTheElder
Copy link
Member

Er I don't think so for the main project 😅
The main Kubernetes project isn't using GitHub Actions.
We use:

Some of the smaller repos use GitHub Actions for various things but not Kubernetes releases or CI builds.

@saschagrunert
Copy link
Member

The initial draft of the sining KEP is proposed in kubernetes/enhancements#3061

@shibumi shibumi mentioned this issue Nov 29, 2021
Closed
@justaugustus justaugustus removed their assignment Dec 5, 2021
@trishankatdatadog
Copy link

Would be a great pioneering use case for sigstore trust delegations! @asraa

@justaugustus justaugustus mentioned this issue Jan 10, 2022
Merged
@saschagrunert saschagrunert mentioned this issue Jan 11, 2022
Closed
@saschagrunert
Copy link
Member

Tracking the first implementation in #2383

This was referenced Feb 14, 2022
Merged
Merged
@justaugustus justaugustus mentioned this issue Feb 23, 2022
Closed
@ReillyBrogan ReillyBrogan mentioned this issue Mar 31, 2022
Closed
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 11, 2022
@saschagrunert saschagrunert removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 11, 2022
@ameukam
Copy link
Member

ameukam commented Apr 11, 2022

/remove-lifecycle stale
/milestone v1.24

@k8s-ci-robot k8s-ci-robot modified the milestones: v1.23, v1.24 Apr 11, 2022
@ameukam
Copy link
Member

ameukam commented Apr 11, 2022

/priority important-longterm

@k8s-ci-robot k8s-ci-robot added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed needs-priority labels Apr 11, 2022
@saschagrunert
Copy link
Member

I think this can be closed and we can track the work in kubernetes/enhancements#3031

@saschagrunert saschagrunert unpinned this issue Jun 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@puerco puerco

@cpanato cpanato

Labels
area/release-eng Issues or PRs related to the Release Engineering subproject kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/release Categorizes an issue or PR as relevant to SIG Release.
Projects
None yet
Milestone
v1.24
Development

No branches or pull requests