-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial attestations support #2935
Conversation
d11f29d
to
2c364d7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work! Just a few initial thoughts... :)
Not quite sure how this model would interact with tooling that generates a lot of attestations. One possible way might be to allow grouping attestations together into layers, though I'm not quite sure the mechanics of the API that would use. |
Another complexity that's come up that we might want to investigate - we might want to have the capacity to have scanners able to analyze individual layers - so for that we might want to expose the ability to create attestations about single layers. Exactly how a scanner might create these attestations feels like something that's up to each scanner, and the interface that gets defined for that, but the storage format is something to maybe work out sooner. We could potentially allow attaching attestations to arbitrary |
One use-case would be to produce attestations about what buildkit itself does, i.e. for a |
Based on discussions, a couple notes:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One thing I might have forgotten in some descriptions is that attestations shouldn't be only for image-based exporter. They should also work with local/tar exporter by creating additional files. So currently some code being under containerimage pkg might not be fully correct.
To create the additional files there needs to be some logic for naming them. It is similar to the predicate type, but maybe not exactly the same value? Also I think in these cases it may be more common that in-toto wrapping is optional. Eg. lets say I export local binary with provenance and SBOM attestation that both are exported as a separate file. Provenance is only defined via in-toto so doesn't make much sense to split it out but for SBOM I might expect to have a file with just the SBOM data. Maybe it is fine if all our defaults are in in-toto wrapping for now.
If it complicates things we can pick this part up in a follow up but a thing to consider when choosing the code location and proto types.
package exptypes | ||
|
||
const ( | ||
MediaTypeDockerSchema2AttestationType = "application/vnd.in-toto+json" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might want to sync with the containerd people on what to call this - since we'll need to get this to be recognized, or we'll see the the "reference for unknown type: application/vnd.in-toto+json"
warning from https://github.com/jedevc/buildkit/blob/wip-attestations-sbom/vendor/github.com/containerd/containerd/remotes/handlers.go#L83
In the meantime, not quite sure where these media type definitions belong...
2471252
to
c651b95
Compare
I'm happy with the state of this now 😄 A couple of follow-ups will likely be necessary: adding support for other exporters (e.g. tar/local), clean-up of conversions between different |
As discussed with @tonistiigi, to keep the scope of this PR low, a list of the planned follow-ups:
|
message Subject { | ||
message SelfSubject { | ||
} | ||
message RawSubject { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure if allowing RawSubject
isn't a security concern actually. If we let the frontend to claim that attestation is for a random digest there is no way BuildKit can validate this is any way.
It is possible we should only allow attesting data when we can prove how it was built. Or at least we should make it so that it is clear that this subject is not allowed to point to any container objects so validators know that this is not to be trusted.
Something to pick up again on follow-ups.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it depends on the security model that users are running buildkit under - but agreed.
We can revisit this, I think we could work round the need for a RawSubject
by allowing attesting to individual files (composed of a Ref
+ Path
), with something like a FileSubject
which is the main other use I can see.
message InToto { | ||
string predicateType = 1; | ||
Ref predicateRef = 2; | ||
string predicatePath = 3; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Follow-up: as discussed for SBOMs we should have a way that this path can point to a list of attestations. So SBOM generator can generate multiple SBOMs with a single invocation that are listed in a file and BuildKit will create an independent attestation record for each file.
Introduce attestations message structures to protobuf. Each result can contain multiple attestations, keyed by the platform they apply to. Each attestation has a predicate type, a ref+path to the predicate content, and a selection of subjects, which can either be freeform name + digest fields, or the resulting image manifest for the target. Signed-off-by: Justin Chadwell <me@jedevc.com>
This patch connects the raw protobuf attestations through to the gateway clients and servers, ensuring that the results are properly passed through correctly, and that the appropriate refs are correctly cleaned up. Signed-off-by: Justin Chadwell <me@jedevc.com>
Connect the attestations output from the frontend outputs into the exporters, allowing the containerimage-based exporters to correctly create in-toto attestations according to OCI reference-types Proposal F. Attestations are grouped per-platform, and placed into manifests that reference their targets - each layer in these manifests contain a custom in-toto media type with the raw attestation content. Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Justin Chadwell <me@jedevc.com>
The image info registry helpers provide utilities for reading content from providers such as registries which can be easily used to inspect image content. This is an alternative to requiring the containerd puller, or exporting as an oci tarball. By moving the helpers into testutil, we allow other testing components to utilize the helpers, instead of just the dockerfile tests. Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Justin Chadwell <me@jedevc.com>
This will eventually clients to query the server to confirm if attestations are supported. However, for now, we can keep it disabled until the gateway api stabilizes. Signed-off-by: Justin Chadwell <me@jedevc.com>
This PR introduces support for in-toto attestations, as specified in part 1 of #2773 (comment).
This is dependent on #2929, and includes a commit from there to better handle garbage collection of attestation refs.
In it's current state, this is a first-pass - and some things are expected to change before merge:
encountered unknown type ... children may not be fetched
messages.none/none