
Sign released images #907

Closed
imjasonh opened this issue Oct 18, 2021 · 2 comments
Labels
kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt.

@imjasonh (Contributor)

The images that Shipwright Build builds and releases (to run the controller, etc.) should be signed during release, so that operators installing those images can verify they were built by us, and from which commit.

Since our releases run on GitHub Actions, we can take advantage of their OIDC support to provide an identity for the workflow. The cosign repo demonstrates this here: https://github.com/sigstore/cosign/blob/main/.github/workflows/github-oidc.yaml (docs here). This flow is experimental, but in my experience works really smoothly, and is probably unlikely to change in many breaking ways.

/assign imjasonh

imjasonh commented Oct 18, 2021

I've played around with this a bit today and got it mostly working: https://github.com/imjasonh/build-1/runs/3930737195 (config)

And the image can be verified:

$ COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/imjasonh/imjasonh/build-1/shipwright-build-controller:nightly-2021-10-18-1634583545-debug
Verification for ghcr.io/imjasonh/imjasonh/build-1/shipwright-build-controller:nightly-2021-10-18-1634583545-debug --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
Certificate subject:  []
{"critical":{"identity":{"docker-reference":"ghcr.io/imjasonh/imjasonh/build-1/shipwright-build-controller"},"image":{"docker-manifest-digest":"sha256:a83699db657709aa58e41665e856edbd5acb51c3956c216e2a63ca5c74c38288"},"type":"cosign container image signature"},"optional":{"sha":"90e1cd554380299e5e8cbf0c1774dcdc32553c80"}}

You can see here that the signature claims it was built from commit SHA imjasonh@90e1cd5, which indeed it was. I could also claim the workflow run that produced it (${{github.run_id}} and ${{github.run_attempt}}), which could help a verifier see logs of how/when the image was built.

Some caveats:

  • Signatures are stored in an OCI registry alongside the image, and quay.io does not currently support pushing cosign signatures. In my demo I pushed to ghcr.io. If we're comfortable moving our upstream release artifacts into GitHub I'd be happy to make that change as well.
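A consumer-side check on the claims shown above, added here as an example and not code from the issue or the Shipwright project: it post-processes the JSON payload that `cosign verify` prints and rejects the image unless the signed `docker-reference`, the manifest digest shape and the `sha` annotation match what the operator expects. `cosign verify` only proves the payload was signed by a trusted identity; whether the signed claims describe the right image and commit is the consumer's policy. The `run_id` annotation name is an assumption (the comment only proposes claiming the run id), and the sample payload is the one printed in the comment.

```python
import json

# Constructed sample: the payload `cosign verify` printed in the comment above.
# Older cosign prints one JSON object per line; newer versions print a JSON array.
SAMPLE_VERIFY_OUTPUT = '''{"critical":{"identity":{"docker-reference":"ghcr.io/imjasonh/imjasonh/build-1/shipwright-build-controller"},"image":{"docker-manifest-digest":"sha256:a83699db657709aa58e41665e856edbd5acb51c3956c216e2a63ca5c74c38288"},"type":"cosign container image signature"},"optional":{"sha":"90e1cd554380299e5e8cbf0c1774dcdc32553c80"}}'''


def parse_payloads(text):
    """Parse cosign verify output, accepting either a JSON array or one object per line."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_claims(payloads, expected_ref, expected_sha, expected_run_id=None):
    """Return a list of policy violations; an empty list means every signature passes."""
    problems = []
    if not payloads:
        return ["no signatures to check"]
    for i, p in enumerate(payloads):
        crit = p.get("critical", {})
        ref = crit.get("identity", {}).get("docker-reference")
        if ref != expected_ref:
            problems.append(f"sig {i}: docker-reference {ref!r} != {expected_ref!r}")
        if crit.get("type") != "cosign container image signature":
            problems.append(f"sig {i}: unexpected payload type {crit.get('type')!r}")
        digest = crit.get("image", {}).get("docker-manifest-digest", "")
        if not digest.startswith("sha256:") or len(digest) != len("sha256:") + 64:
            problems.append(f"sig {i}: malformed manifest digest {digest!r}")
        opt = p.get("optional") or {}
        # Annotations come from `cosign sign -a key=value`. Compare the full
        # 40-character commit SHA, never a prefix, so an abbreviated value cannot pass.
        if opt.get("sha") != expected_sha:
            problems.append(f"sig {i}: commit sha {opt.get('sha')!r} != {expected_sha!r}")
        # "run_id" is an assumed annotation name (the comment proposes claiming
        # ${{github.run_id}}); only enforced when the caller asks for it.
        if expected_run_id is not None and str(opt.get("run_id")) != str(expected_run_id):
            problems.append(f"sig {i}: run_id {opt.get('run_id')!r} != {expected_run_id!r}")
    return problems


if __name__ == "__main__":
    payloads = parse_payloads(SAMPLE_VERIFY_OUTPUT)
    failures = check_claims(payloads,
                            "ghcr.io/imjasonh/imjasonh/build-1/shipwright-build-controller",
                            "90e1cd554380299e5e8cbf0c1774dcdc32553c80")
    for problem in failures:
        print("FAIL:", problem)
    print("image accepted" if not failures else "image rejected")
```

In a release pipeline this would run after `cosign verify` succeeds, with the expected digest additionally compared against the digest the runtime actually pulled.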

@adambkaplan adambkaplan added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Nov 17, 2021
@adambkaplan adambkaplan added this to the release-v0.7.0 milestone Nov 17, 2021
@SaschaSchwarze0 (Member)

PR is merged.
