Fulcio signing in Chains #147

Merged: tekton-robot merged 1 commit into tektoncd:main from priyawadhwa:fulcio on Jul 21, 2021

Conversation

@priyawadhwa (Contributor) commented Jul 20, 2021

Built off of, and resolved the merge conflict in, #119.

This PR adds support for signing with a cert from Fulcio and stores the cert alongside the signature for each backend.

Sample completed TaskRun:

$ kubectl get tr build-push-run-output-image-dddkm -o yaml
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  annotations:
    chains.tekton.dev/cert-05f95b26ed10: <omitted>
    chains.tekton.dev/cert-taskrun-62058488-0a64-44a4-8d81-21be1f4155b9: <omitted>
    chains.tekton.dev/payload-05f95b26ed10: eyJDcml0aWNhbCI6eyJJZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiZ2NyLmlvL2Zvby9iYXIifSwiSW1hZ2UiOnsiRG9ja2VyLW1hbmlmZXN0LWRpZ2VzdCI6InNoYTI1NjowNWY5NWIyNmVkMTA2NjhiNzE4M2MxZTJkYTk4NjEwZTkxMzcyZmE5ZjUxMDA0NmQ0Y2U1ODEyYWRkYWQ4NmI1In0sIlR5cGUiOiJUZWt0b24gY29udGFpbmVyIHNpZ25hdHVyZSJ9LCJPcHRpb25hbCI6e319
    chains.tekton.dev/payload-taskrun-62058488-0a64-44a4-8d81-21be1f4155b9: <omitted>
    chains.tekton.dev/signature-05f95b26ed10: MEQCICfGvNIDtL2OMTMAVW9XObeKcCnjXFRK5pKgLcWVDPPeAiAM9Ilit1A5144FgYbqiztFyq9YHpBA8/9gCRh5YaTKBQ==
    chains.tekton.dev/signature-taskrun-62058488-0a64-44a4-8d81-21be1f4155b9: MEYCIQCOnBw6EiqnAuxUAaENLzVMyIldO73PuwIgL8xL2aGulAIhAKpS7jpcmBNAWA5AleFFc57HvehpqkuXLqGLg+PkyCwK
    chains.tekton.dev/signed: "true"
    pipeline.tekton.dev/release: v0.25.0
  creationTimestamp: "2021-07-20T14:09:19Z"
  generateName: build-push-run-output-image-
  generation: 1
  labels:
    app.kubernetes.io/managed-by: tekton-pipelines
  managedFields:
  - apiVersion: tekton.dev/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:generateName: {}
      f:spec:
        .: {}
        f:resources:
          .: {}
          f:inputs: {}
          f:outputs: {}
        f:serviceAccountName: {}
        f:taskSpec:
          .: {}
          f:resources:
            .: {}
            f:inputs: {}
            f:outputs: {}
          f:steps: {}
    manager: kubectl-create
    operation: Update
    time: "2021-07-20T14:09:19Z"
  - apiVersion: tekton.dev/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:chains.tekton.dev/cert-05f95b26ed10: {}
          f:chains.tekton.dev/cert-taskrun-62058488-0a64-44a4-8d81-21be1f4155b9: {}
          f:chains.tekton.dev/payload-05f95b26ed10: {}
          f:chains.tekton.dev/payload-taskrun-62058488-0a64-44a4-8d81-21be1f4155b9: {}
          f:chains.tekton.dev/signature-05f95b26ed10: {}
          f:chains.tekton.dev/signature-taskrun-62058488-0a64-44a4-8d81-21be1f4155b9: {}
          f:chains.tekton.dev/signed: {}
          f:pipeline.tekton.dev/release: {}
      f:status:
        .: {}
        f:completionTime: {}
        f:conditions: {}
        f:podName: {}
        f:resourcesResult: {}
        f:startTime: {}
        f:steps: {}
        f:taskSpec:
          .: {}
          f:resources:
            .: {}
            f:inputs: {}
            f:outputs: {}
          f:steps: {}
    manager: controller
    operation: Update
    time: "2021-07-20T14:09:32Z"
  name: build-push-run-output-image-dddkm
  namespace: default
  resourceVersion: "70771172"
  selfLink: /apis/tekton.dev/v1beta1/namespaces/default/taskruns/build-push-run-output-image-dddkm
  uid: 62058488-0a64-44a4-8d81-21be1f4155b9
spec:
  resources:
    inputs:
    - name: sourcerepo
      resourceSpec:
        params:
        - name: revision
          value: v0.32.0
        - name: url
          value: https://github.com/GoogleContainerTools/skaffold
        type: git
    outputs:
    - name: builtImage
      resourceSpec:
        params:
        - name: url
          value: gcr.io/foo/bar
        type: image
  serviceAccountName: default
  taskSpec:
    resources:
      inputs:
      - name: sourcerepo
        type: git
      outputs:
      - name: builtImage
        targetPath: /workspace/sourcerepo
        type: image
    steps:
    - image: busybox
      name: build-and-push
      resources: {}
      script: |
        set -e
        cat <<EOF > $(inputs.resources.sourcerepo.path)/index.json
        {
        "schemaVersion": 2,
        "manifests": [
            {
            "mediaType": "application/vnd.oci.image.index.v1+json",
            "size": 314,
            "digest": "sha256:05f95b26ed10668b7183c1e2da98610e91372fa9f510046d4ce5812addad86b5"
            }
        ]
        }
    - image: busybox
      name: echo
      resources: {}
      script: cat $(inputs.resources.sourcerepo.path)/index.json
  timeout: 1h0m0s
status:
  completionTime: "2021-07-20T14:09:31Z"
  conditions:
  - lastTransitionTime: "2021-07-20T14:09:31Z"
    message: All Steps have completed executing
    reason: Succeeded
    status: "True"
    type: Succeeded
  podName: build-push-run-output-image-dddkm-pod-7hzxj
  resourcesResult:
  - key: commit
    resourceName: sourcerepo
    resourceRef:
      name: sourcerepo
    value: 6ed7aad5e8a36052ee5f6079fc91368e362121f7
  - key: url
    resourceName: sourcerepo
    resourceRef:
      name: sourcerepo
    value: https://github.com/GoogleContainerTools/skaffold
  - key: digest
    resourceName: builtImage
    resourceRef:
      name: builtImage
    value: sha256:05f95b26ed10668b7183c1e2da98610e91372fa9f510046d4ce5812addad86b5
  - key: url
    resourceName: builtImage
    resourceRef:
      name: builtImage
    value: gcr.io/foo/bar
  startTime: "2021-07-20T14:09:19Z"
  steps:
  - container: step-create-dir-builtimage-m5gn5
    imageID: docker-pullable://gcr.io/distroless/base@sha256:aa4fd987555ea10e1a4ec8765da8158b5ffdfef1e72da512c7ede509bc9966c4
    name: create-dir-builtimage-m5gn5
    terminated:
      containerID: docker://e0f1fbd595ec3bb5b4149811394ba32ff0dde8b449ba72c3d493ebb059ec6b76
      exitCode: 0
      finishedAt: "2021-07-20T14:09:26Z"
      reason: Completed
      startedAt: "2021-07-20T14:09:26Z"
  - container: step-git-source-sourcerepo-q5ssd
    imageID: docker-pullable://gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init@sha256:b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247
    name: git-source-sourcerepo-q5ssd
    terminated:
      containerID: docker://cde595541bb5ea2abef2f749c23fbdd7357174c210d74b383f1539fd7869bbed
      exitCode: 0
      finishedAt: "2021-07-20T14:09:29Z"
      message: '[{"key":"commit","value":"6ed7aad5e8a36052ee5f6079fc91368e362121f7","resourceName":"sourcerepo","resourceRef":{"name":"sourcerepo"}},{"key":"url","value":"https://github.com/GoogleContainerTools/skaffold","resourceName":"sourcerepo","resourceRef":{"name":"sourcerepo"}}]'
      reason: Completed
      startedAt: "2021-07-20T14:09:26Z"
  - container: step-build-and-push
    imageID: docker-pullable://busybox@sha256:0f354ec1728d9ff32edcd7d1b8bbdfc798277ad36120dc3dc683be44524c8b60
    name: build-and-push
    terminated:
      containerID: docker://048fec6a48beb1972ab26b48299afbc62d2d37186d075fd6b7c379c7f32d08c6
      exitCode: 0
      finishedAt: "2021-07-20T14:09:30Z"
      reason: Completed
      startedAt: "2021-07-20T14:09:30Z"
  - container: step-echo
    imageID: docker-pullable://busybox@sha256:0f354ec1728d9ff32edcd7d1b8bbdfc798277ad36120dc3dc683be44524c8b60
    name: echo
    terminated:
      containerID: docker://aee308b6dc27cad697e90801d527b47a1d0a06e807f3dbae8ed7a8ca542ec169
      exitCode: 0
      finishedAt: "2021-07-20T14:09:30Z"
      reason: Completed
      startedAt: "2021-07-20T14:09:30Z"
  - container: step-image-digest-exporter-wm594
    imageID: docker-pullable://gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter@sha256:5cab9f39c5c60f3b5762426a84d363a7569878fa7642b5efe295c38c637b0a6f
    name: image-digest-exporter-wm594
    terminated:
      containerID: docker://ad08a1519a4485466cd4aedffd63fc4fc2962e5725940ad14352d48b193f4c57
      exitCode: 0
      finishedAt: "2021-07-20T14:09:30Z"
      message: '[{"key":"digest","value":"sha256:05f95b26ed10668b7183c1e2da98610e91372fa9f510046d4ce5812addad86b5","resourceName":"builtImage","resourceRef":{"name":"builtImage"}},{"key":"url","value":"gcr.io/foo/bar","resourceName":"builtImage","resourceRef":{"name":"builtImage"}}]'
      reason: Completed
      startedAt: "2021-07-20T14:09:30Z"
  taskSpec:
    resources:
      inputs:
      - name: sourcerepo
        type: git
      outputs:
      - name: builtImage
        targetPath: /workspace/sourcerepo
        type: image
    steps:
    - image: busybox
      name: build-and-push
      resources: {}
      script: |
        set -e
        cat <<EOF > $(inputs.resources.sourcerepo.path)/index.json
        {
        "schemaVersion": 2,
        "manifests": [
            {
            "mediaType": "application/vnd.oci.image.index.v1+json",
            "size": 314,
            "digest": "sha256:05f95b26ed10668b7183c1e2da98610e91372fa9f510046d4ce5812addad86b5"
            }
        ]
        }
    - image: busybox
      name: echo
      resources: {}
      script: cat $(inputs.resources.sourcerepo.path)/index.json

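The annotations on that TaskRun are the whole record a verifier gets back: a payload, a signature and, new in this PR, the certificate, each keyed by image digest or TaskRun UID. The Go program below is an added example, not code from Chains or cosign, showing how such annotations are produced and how a verifier should consume them. It issues a self-signed, short-lived code-signing certificate as a stand-in for one from Fulcio (a real Fulcio leaf chains to the Fulcio root and is not self-signed), signs the simple-signing payload that the payload-05f95b26ed10 value above decodes to, stores all three values under the chains.tekton.dev/ keys, and then verifies from the annotations alone. Encoding the cert as base64 DER is an assumption, since the PR redacts that value; the function names and the e-mail address are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Payload is the JSON a chains.tekton.dev/payload-<id> annotation carries, base64-encoded.
type Payload struct {
	Critical struct {
		Identity struct{ DockerReference string `json:"docker-reference"` } `json:"Identity"`
		Image    struct{ DockerManifestDigest string `json:"Docker-manifest-digest"` } `json:"Image"`
		Type     string `json:"Type"`
	} `json:"Critical"`
}

func key(kind, id string) string { return "chains.tekton.dev/" + kind + "-" + id }

// NewShortLivedCert stands in for a Fulcio-issued cert: self-signed P-256, code-signing EKU, SAN identity, minutes of validity.
func NewShortLivedCert(email string) (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(10 * time.Minute),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return priv, der, err
}

// Sign writes the per-digest payload, signature and cert annotations the PR shows; storing the cert as base64 DER is an assumption (the PR redacts it).
func Sign(ann map[string]string, id string, priv *ecdsa.PrivateKey, certDER []byte, ref, digest string) error {
	var p Payload
	p.Critical.Identity.DockerReference, p.Critical.Image.DockerManifestDigest = ref, digest
	p.Critical.Type = "Tekton container signature"
	raw, _ := json.Marshal(p) // cannot fail for this fixed struct
	h := sha256.Sum256(raw)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return err
	}
	ann[key("payload", id)] = base64.StdEncoding.EncodeToString(raw)
	ann[key("signature", id)] = base64.StdEncoding.EncodeToString(sig)
	ann[key("cert", id)] = base64.StdEncoding.EncodeToString(certDER)
	ann["chains.tekton.dev/signed"] = "true"
	return nil
}

// Verify trusts only the annotations and rootDER: the stored cert must chain to that root,
// the signature must cover the stored payload, and the payload must name wantDigest.
func Verify(ann map[string]string, id string, rootDER []byte, wantDigest string) (*Payload, error) {
	roots := x509.NewCertPool()
	if root, err := x509.ParseCertificate(rootDER); err == nil {
		roots.AddCert(root)
	}
	der, _ := base64.StdEncoding.DecodeString(ann[key("cert", id)])
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("cert annotation: %w", err)
	}
	// KeyUsages must be set: Go defaults to ServerAuth, which a signing cert lacks.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("cert not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	raw, _ := base64.StdEncoding.DecodeString(ann[key("payload", id)])
	sig, _ := base64.StdEncoding.DecodeString(ann[key("signature", id)])
	h := sha256.Sum256(raw)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return nil, fmt.Errorf("signature does not verify under the stored cert")
	}
	p := &Payload{}
	if err := json.Unmarshal(raw, p); err != nil || p.Critical.Image.DockerManifestDigest != wantDigest {
		return nil, fmt.Errorf("payload does not name digest %s (parse error: %v)", wantDigest, err)
	}
	return p, nil
}

func main() {
	priv, der, _ := NewShortLivedCert("chains@example.com")
	ann := map[string]string{}
	const digest = "sha256:05f95b26ed10668b7183c1e2da98610e91372fa9f510046d4ce5812addad86b5"
	fmt.Println(Sign(ann, "05f95b26ed10", priv, der, "gcr.io/foo/bar", digest))
	fmt.Println(Verify(ann, "05f95b26ed10", der, digest))
}
```

Two details of the check carry over to real Fulcio verification: pass the trusted root explicitly (and any intermediates through VerifyOptions.Intermediates) rather than relying on the system pool, and set KeyUsages, because Go's default of ServerAuth rejects a signing certificate. Fulcio certificates expire minutes after issuance, so a verifier that runs later than the build has to set VerifyOptions.CurrentTime from a trusted record of the signing time instead of the wall clock; the example leaves that at the default. Comparing the payload's digest against the TaskRun's own result closes the gap where a valid signature over some other image is attached to this run.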
@tekton-robot tekton-robot requested review from font and lukehinds July 20, 2021 14:25
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 20, 2021
@priyawadhwa priyawadhwa requested a review from dlorenc July 20, 2021 14:58
Comment thread pkg/chains/signing/iface.go
Comment thread pkg/chains/storage/tekton/tekton.go
Comment thread pkg/config/store.go
// KMS
kmsSignerKMSRef = "signers.kms.kmsref"
// Fulcio
x509SignerFulcioEnabled = "signers.x509.fulcio.enabled"

Contributor commented:

Should we have a way to specify the URL for fulcio?

Contributor commented:

Also maybe a way to specify how to get auth (right now google, but going forward SPIFFE?)

Contributor Author (priyawadhwa) replied:

> Should we have a way to specify the URL for fulcio?

The cosign library we use for fulcio signing depends on setting the FULCIO_ADDRESS environment variable, so we'd probably want to add support for passing it as an arg or something first. Then we could add signers.x509.fulcio.address which defaults to the prod one.

> Also maybe a way to specify how to get auth (right now google, but going forward SPIFFE?)

Yeah, that's a good idea. I'll add in signers.x509.fulcio.auth.

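As an added illustration of the configuration shape discussed in this thread, and not code from the project: a resolver for the signers.x509.fulcio.* keys. Only the enabled key exists in this PR; address and auth are the two proposed above. The default address (the public Sigstore instance), the provider names google and spiffe, and the rule that the CA endpoint must be an absolute https URL are assumptions made for the example, and FULCIO_ADDRESS is the variable the reply says the cosign library reads.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

// Keys: "enabled" is in this PR's config store; "address" and "auth" are the two the
// review thread proposes and are not in the merged code.
const (
	KeyFulcioEnabled = "signers.x509.fulcio.enabled"
	KeyFulcioAddress = "signers.x509.fulcio.address"
	KeyFulcioAuth    = "signers.x509.fulcio.auth"
	// The thread says the address should default to "the prod one" without naming it;
	// this URL (the public Sigstore instance) is an assumption of the example.
	DefaultFulcioAddress = "https://fulcio.sigstore.dev"
)

// FulcioConfig is the resolved signer configuration.
type FulcioConfig struct {
	Enabled bool
	Address string
	Auth    string
}

// Auth providers: "google" is what the PR uses today, "spiffe" is the one the thread
// anticipates; the set itself is an assumption for the example.
var knownAuth = map[string]bool{"google": true, "spiffe": true}

// ParseFulcioConfig resolves the fulcio.* keys from ConfigMap-style data, applying
// defaults and rejecting values that would weaken certificate issuance.
func ParseFulcioConfig(data map[string]string) (FulcioConfig, error) {
	cfg := FulcioConfig{Address: DefaultFulcioAddress, Auth: "google"}
	if v, ok := data[KeyFulcioEnabled]; ok {
		b, err := strconv.ParseBool(v)
		if err != nil {
			return cfg, fmt.Errorf("%s: %w", KeyFulcioEnabled, err)
		}
		cfg.Enabled = b
	}
	if v, ok := data[KeyFulcioAddress]; ok && v != "" {
		u, err := url.Parse(v)
		// The CA endpoint hands out signing certs; a plaintext or relative URL would let
		// anyone on the network path stand in for it, so require an absolute https URL.
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return cfg, fmt.Errorf("%s must be an absolute https URL, got %q", KeyFulcioAddress, v)
		}
		cfg.Address = v
	}
	if v, ok := data[KeyFulcioAuth]; ok && v != "" {
		if !knownAuth[v] {
			return cfg, fmt.Errorf("%s: unknown provider %q", KeyFulcioAuth, v)
		}
		cfg.Auth = v
	}
	return cfg, nil
}

// Env renders the variable the cosign library reads for the Fulcio address, per the
// thread; nil when Fulcio signing is disabled so nothing leaks into other signers.
func (c FulcioConfig) Env() []string {
	if !c.Enabled {
		return nil
	}
	return []string{"FULCIO_ADDRESS=" + c.Address}
}

func main() {
	cfg, err := ParseFulcioConfig(map[string]string{
		KeyFulcioEnabled: "true",
		KeyFulcioAddress: "https://fulcio.internal.example",
		KeyFulcioAuth:    "spiffe",
	})
	fmt.Println(cfg, cfg.Env(), err)
}
```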
@dlorenc (Contributor) commented Jul 21, 2021

LGTM! Squash and we can merge!

Commit: This PR adds support for signing with a cert from Fulcio & stores the cert alongside the signature for each backend
@dlorenc (Contributor) commented Jul 21, 2021

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 21, 2021
@dlorenc (Contributor) commented Jul 21, 2021

/approve

@tekton-robot commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlorenc

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 21, 2021
@tekton-robot tekton-robot merged commit 082da44 into tektoncd:main Jul 21, 2021