The images that Shipwright Build builds and releases (to run the controller, etc.) should be signed during release, so that operators installing those images can verify they were built by us, and from which commit.
Since our releases run on GitHub Actions, we can take advantage of their OIDC support to provide an identity for the workflow. The cosign repo demonstrates this here: https://github.com/sigstore/cosign/blob/main/.github/workflows/github-oidc.yaml (docs here). This flow is experimental, but in my experience works really smoothly, and is probably unlikely to change in many breaking ways.
/assign imjasonh
$ COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/imjasonh/imjasonh/build-1/shipwright-build-controller:nightly-2021-10-18-1634583545-debug
Verification for ghcr.io/imjasonh/imjasonh/build-1/shipwright-build-controller:nightly-2021-10-18-1634583545-debug --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- Any certificates were verified against the Fulcio roots.
Certificate subject: []
{"critical":{"identity":{"docker-reference":"ghcr.io/imjasonh/imjasonh/build-1/shipwright-build-controller"},"image":{"docker-manifest-digest":"sha256:a83699db657709aa58e41665e856edbd5acb51c3956c216e2a63ca5c74c38288"},"type":"cosign container image signature"},"optional":{"sha":"90e1cd554380299e5e8cbf0c1774dcdc32553c80"}}
You can see here that the signature claims it was built from commit SHA imjasonh@90e1cd5, which indeed it was. I could also claim the workflow run that produced it (${{github.run_id}} and ${{github.run_attempt}}), which could help a verifier see logs of how/when the image was built.
Some caveats:
Signatures are stored in an OCI registry alongside the image, and quay.io does not currently support pushing cosign signatures. In my demo I pushed to ghcr.io. If we're comfortable moving our upstream release artifacts into GitHub I'd be happy to make that change as well.
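The `cosign verify` output quoted above ends with one JSON payload per valid signature: the `critical` section carries the image reference and manifest digest that cosign itself checked, and `optional` carries signer-supplied annotations such as the `sha` that ties the image to a commit. The following is an added example, not code from Shipwright or from cosign, showing how a release consumer can parse that output and enforce the claims it cares about. It assumes the payload JSON is printed on its own line (either one object per line or a single array, which are the two shapes the CLI has used), and it checks only the signed claims; establishing who signed (the Fulcio certificate chain and transparency-log entry) is left to cosign, which has already done it by the time this output exists. The sample output is the one from this thread; the second payload in the tests is constructed to exercise the missing-annotation case.

```python
"""Check the claims in the payloads that `cosign verify` prints.

Added example, not Shipwright's or cosign's own code. cosign has already
verified the signature, certificate chain and transparency-log entry; this
helper only decides whether the *signed claims* match what the operator
expects: image reference, manifest digest and the `sha` annotation.
"""
import json

# Output copied from the `cosign verify` run quoted in this thread.
SAMPLE_VERIFY_OUTPUT = """Verification for ghcr.io/imjasonh/imjasonh/build-1/shipwright-build-controller:nightly-2021-10-18-1634583545-debug --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- Any certificates were verified against the Fulcio roots.
Certificate subject: []
{"critical":{"identity":{"docker-reference":"ghcr.io/imjasonh/imjasonh/build-1/shipwright-build-controller"},"image":{"docker-manifest-digest":"sha256:a83699db657709aa58e41665e856edbd5acb51c3956c216e2a63ca5c74c38288"},"type":"cosign container image signature"},"optional":{"sha":"90e1cd554380299e5e8cbf0c1774dcdc32553c80"}}
"""

# What the operator expects, taken from the same thread.
EXPECTED_REF = "ghcr.io/imjasonh/imjasonh/build-1/shipwright-build-controller"
EXPECTED_DIGEST = "sha256:a83699db657709aa58e41665e856edbd5acb51c3956c216e2a63ca5c74c38288"
EXPECTED_SHA = "90e1cd554380299e5e8cbf0c1774dcdc32553c80"


def extract_payloads(verify_output):
    """Return the signature payloads embedded in `cosign verify` text output.

    cosign prints its human-readable summary first and then the payload of
    each valid signature as JSON. Assumption: the JSON sits on its own line,
    either one object per line or a single JSON array; both are accepted.
    """
    payloads = []
    for line in verify_output.splitlines():
        line = line.strip()
        if not line.startswith(("{", "[")):
            continue  # summary lines, not payloads
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue
        payloads.extend(doc if isinstance(doc, list) else [doc])
    return payloads


def check_claims(payload, expected_ref, expected_digest, expected_sha):
    """Compare one payload's signed claims with the operator's expectations.

    Returns a list of problems; an empty list means the payload is acceptable.
    The reference and digest are always present under `critical`; the commit
    SHA is an annotation (`cosign sign -a sha=...`) under `optional`, which is
    null when the signer passed none. A missing `sha` is a failure here because
    the whole point of the annotation is to tie the image to a commit.
    """
    problems = []
    critical = payload.get("critical") or {}
    if critical.get("type") != "cosign container image signature":
        problems.append(f"unexpected payload type {critical.get('type')!r}")
    ref = (critical.get("identity") or {}).get("docker-reference")
    if ref != expected_ref:
        problems.append(f"docker-reference {ref!r} != expected {expected_ref!r}")
    digest = (critical.get("image") or {}).get("docker-manifest-digest")
    if digest != expected_digest:
        problems.append(f"manifest digest {digest!r} != expected {expected_digest!r}")
    annotations = payload.get("optional") or {}
    sha = annotations.get("sha")
    if sha is None:
        problems.append("no 'sha' annotation: cannot tell which commit built this image")
    elif sha.lower() != expected_sha.lower():
        problems.append(f"commit sha {sha} != expected {expected_sha}")
    return problems


def verify_output_matches(verify_output, expected_ref, expected_digest, expected_sha):
    """(ok, problems): ok when at least one signature carries the expected claims.

    An image may legitimately carry several signatures (for instance one per
    release run), so acceptance needs one matching signature, not all of them.
    Problems from every non-matching signature are reported for diagnosis.
    """
    payloads = extract_payloads(verify_output)
    if not payloads:
        return False, ["no signature payloads found in cosign output"]
    ok = False
    problems = []
    for i, payload in enumerate(payloads):
        found = check_claims(payload, expected_ref, expected_digest, expected_sha)
        if not found:
            ok = True
        problems.extend(f"signature {i}: {p}" for p in found)
    return ok, problems


if __name__ == "__main__":
    ok, problems = verify_output_matches(
        SAMPLE_VERIFY_OUTPUT, EXPECTED_REF, EXPECTED_DIGEST, EXPECTED_SHA
    )
    print("accepted" if ok else "rejected", *problems, sep="\n")
```

In practice the text fed to `verify_output_matches` is whatever `COSIGN_EXPERIMENTAL=1 cosign verify <image>` printed, and the expected digest comes from the registry manifest the operator is about to run, so a signature that cosign accepts but that was minted for a different build of the same tag is still turned away.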