Skip to content

Cosign images during publish #1437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 18, 2022
Merged

Cosign images during publish #1437

merged 2 commits into from
Jul 18, 2022

Conversation

@jtcarnes
Copy link
Contributor

@jtcarnes jtcarnes commented Jun 15, 2022
edited
Loading

For security, artifact integrity and attestation are important. While a container sha takes care of integrity,
it does not satisfy attestation. The Linux foundations open source Sigstore projects are becoming the
defacto standard for container attestation. Kubernetes latest release was signed with cosign (the
sigstore signing utility).

This MR adds cosign to the release process easily. We use the github actions oidc token to authenticate
to fulcio and receive a short lived key to sign the images after we publish them. This allows
anyone to trivially check where the images have come from and their integrity.

Signing containers in this way is also the standard template for new repos that use github
actions.

Fixes #1423

@jtcarnes
Copy link
Contributor Author

jtcarnes commented Jun 15, 2022

@fedepaol this MR relies on #1414 to work properly. Once this is done, this should be an easy rebase.

@jtcarnes jtcarnes changed the title WIP: Cosign images during publish Cosign images during publish Jun 23, 2022
@jtcarnes
Copy link
Contributor Author

jtcarnes commented Jul 6, 2022

@fedepaol whenever you get the chance, lmk

mattmoor
mattmoor reviewed Jul 15, 2022
View reviewed changes
@mattmoor
Copy link

mattmoor commented Jul 15, 2022

I came here to suggest y'all sign stuff with cosign, and found this PR! FWIW, I use metallb a fair amount and would love to see this land.

@jtcarnes jtcarnes force-pushed the add-cosign branch 2 times, most recently from 249ae06 to 70dcd90 Compare July 15, 2022 07:36
@fedepaol @jtcarnes
Sign images with cosign on release
731b703 
To enable artifact attestation, the images are signed with cosign using
the github pipelines oidc token. This makes it easy for artifacts to be
verified by external users and is a standard that kubernetes is centering
on.

Signed-off-by: Joshua Carnes <56089764+jtcarnes@users.noreply.github.com>
@fedepaol
Copy link
Member

fedepaol commented Jul 17, 2022

LGTM, I am gonna test the full release process against my fork tomorrow before merging

@fedepaol
Copy link
Member

fedepaol commented Jul 18, 2022

Tested on my fork: https://github.com/fedepaol/metallb/actions/runs/2689838188
Images are published and quay shows them as cosigned.

@fedepaol fedepaol merged commit 6fdd197 into metallb:main Jul 18, 2022
fedepaol added a commit to fedepaol/metallb that referenced this pull request Jul 18, 2022
@fedepaol
Release notes: add cosigned images
8f1b837 
Adding a mention to metallb#1437

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
@fedepaol fedepaol mentioned this pull request Jul 18, 2022
Merged
fedepaol added a commit that referenced this pull request Jul 19, 2022
@fedepaol
Release notes: add cosigned images
31aba99 
Adding a mention to #1437

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
fedepaol added a commit that referenced this pull request Jul 20, 2022
@fedepaol
Release notes: add cosigned images
a166bf9 
Adding a mention to #1437

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
pperiyasamy pushed a commit to pperiyasamy/metallb that referenced this pull request Aug 17, 2022
@fedepaol @pperiyasamy
Release notes: add cosigned images
1cb8c3b 
Adding a mention to metallb#1437

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
pperiyasamy pushed a commit to pperiyasamy/metallb that referenced this pull request Sep 6, 2022
@fedepaol @pperiyasamy
Release notes: add cosigned images
dbef888 
Adding a mention to metallb#1437

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
pperiyasamy pushed a commit to pperiyasamy/metallb that referenced this pull request Sep 7, 2022
@fedepaol @pperiyasamy
Release notes: add cosigned images
8a10e84 
Adding a mention to metallb#1437

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
@cprivitere cprivitere mentioned this pull request Oct 12, 2022
Closed
@eyenx eyenx mentioned this pull request Oct 19, 2022
Merged
6 tasks
novad03 pushed a commit to novad03/k8s-meta that referenced this pull request Nov 25, 2023
@fedepaol
Release notes: add cosigned images
c464eb0 
Adding a mention to metallb/metallb#1437

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fedepaol fedepaol Awaiting requested review from fedepaol fedepaol is a code owner

@johananl johananl Awaiting requested review from johananl

@rata rata Awaiting requested review from rata

@russellb russellb Awaiting requested review from russellb

@gclawes gclawes Awaiting requested review from gclawes

@oribon oribon Awaiting requested review from oribon oribon is a code owner

1 more reviewer

@mattmoor mattmoor mattmoor left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Suggestion: Sign published images with Sigstore/Cosign

3 participants

@jtcarnes @mattmoor @fedepaol