
Add Chainguard Enforce configuration #49

Merged
merged 1 commit into main from chainguard-enforce
Sep 9, 2022

Conversation

JAORMX
Collaborator

@JAORMX JAORMX commented Sep 7, 2022

Chainguard Enforce is a GitHub app that verifies container signatures.
It's able to verify signatures using Sigstore's keyless signing as well
as GPG keys. This is already set up and working in the [audit event
library](https://github.com/metal-toolbox/auditevent).

The provided configuration will verify that folks are using sigstore's
keyless signatures on their commits, and will also accept GitHub API's
GPG keys to have apps like renovate have valid signatures.

To set up keyless signatures, use gitsign [1]. If on mac, you may
install it as follows:

```bash
brew install sigstore/tap/gitsign
```

And set it up in this repository only:

```bash
cd /path/to/this/repository
git config --local commit.gpgsign true  # Sign all commits
git config --local tag.gpgsign true  # Sign all tags
git config --local gpg.x509.program gitsign  # Use gitsign for signing
git config --local gpg.format x509  # gitsign expects x509 args
```

This shouldn't be set for all repositories as it will add references to
the repositories and branches to a public transparency log, which you
don't want in a private or internal GitHub repository.

[1] https://github.com/sigstore/gitsign

Signed-off-by: Juan Antonio Osorio <juan.osoriorobles@eu.equinix.com>
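As an added check for the "this repository only" caveat in the description above (example code, not from the PR or the project): a POSIX shell function that audits `git config --list --show-scope` output and confirms the four gitsign settings are present in the local scope and absent from the global and system scopes. The `--show-scope` output format (git 2.26 and later) and the embedded sample dumps are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR: audit the output of
#   git config --list --show-scope
# to confirm gitsign is configured for this repository only, using the four
# settings from the PR description. Assumes git >= 2.26, whose --show-scope
# output is one "<scope><TAB><key>=<value>" line per setting.

TAB=$(printf '\t')

# The four settings the PR description applies with `git config --local`.
REQUIRED="commit.gpgsign=true
tag.gpgsign=true
gpg.x509.program=gitsign
gpg.format=x509"

# check_gitsign_config: reads a --show-scope dump on stdin. Returns 0 only when
# every required key is set in the "local" scope and none of them in "global"
# or "system" scope: a repo-wide setting would sign commits in every repository
# and publish their refs to the public transparency log (the PR's caveat).
check_gitsign_config() {
    dump=$(cat)
    rc=0
    for kv in $REQUIRED; do
        key=${kv%%=*}
        if ! printf '%s\n' "$dump" | grep -qxF "local${TAB}${kv}"; then
            echo "MISSING (local): $kv" >&2
            rc=1
        fi
        # '.' in $key is unescaped and matches any character; fine for these keys.
        if printf '%s\n' "$dump" | grep -qE "^(global|system)${TAB}${key}="; then
            echo "LEAK (all repositories): $key is set outside local scope" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the PR's recommended per-repository setup.
GOOD_DUMP=$(printf 'local\tcore.bare=false\nlocal\tcommit.gpgsign=true\nlocal\ttag.gpgsign=true\nlocal\tgpg.x509.program=gitsign\nlocal\tgpg.format=x509')

# Constructed sample: gitsign applied with --global, which the PR warns against.
BAD_DUMP=$(printf 'global\tcommit.gpgsign=true\nglobal\tgpg.x509.program=gitsign\nglobal\tgpg.format=x509\nlocal\ttag.gpgsign=true')

if printf '%s\n' "$GOOD_DUMP" | check_gitsign_config; then
    echo "per-repository gitsign setup: OK"
fi
if ! printf '%s\n' "$BAD_DUMP" | check_gitsign_config; then
    echo "global gitsign setup: rejected as expected"
fi
```

On a real checkout, run `git config --list --show-scope | check_gitsign_config` from inside the repository.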

@JAORMX JAORMX requested a review from a team as a code owner September 7, 2022 10:45
@codecov-commenter

codecov-commenter commented Sep 7, 2022

Codecov Report

Merging #49 (005cf72) into main (82aa63d) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main      #49   +/-   ##
=======================================
  Coverage   73.81%   73.81%           
=======================================
  Files          10       10           
  Lines         550      550           
=======================================
  Hits          406      406           
  Misses        115      115           
  Partials       29       29           
| Flag | Coverage Δ |
|------|------------|
| unittests | 73.81% <ø> (ø) |


@matoszz
Collaborator

matoszz commented Sep 8, 2022

@JAORMX does that mean that by enabling this, we're restricting the repo to only signed commits from sigstore's keyless signatures?

@JAORMX
Collaborator Author

JAORMX commented Sep 8, 2022

@matoszz kinda. This configuration will accept keyless signatures that are verified via the public sigstore instance AND GitHub API's GPG signature which makes bots like Renovate work. However, Enforce is currently not strictly enforcing. Meaning, folks will still be able to merge work even if it doesn't pass the code commit checks. This is on purpose to start rolling this out and get folks' feedback. The only thing that will happen right now is that they'll get an ugly red cross in CI saying that commit verification has failed.

@adammohammed
Contributor

adammohammed commented Sep 8, 2022

The 'unverified' UI element that shows up is not the most intuitive thing. Is there a way to get GitHub to trust the sigstore issuer?

@JAORMX
Collaborator Author

JAORMX commented Sep 9, 2022

@adammohammed not at the moment. This is a GitHub limitation that is actually being worked on by the GitHub team, but there is no estimate on when they'll get it sorted.

@JAORMX JAORMX merged commit 5700086 into main Sep 9, 2022
@JAORMX JAORMX deleted the chainguard-enforce branch September 9, 2022 12:53
5 participants