feat(ci): add cosign keyless verification via github OIDC #907
Conversation
bayou-brogrammer
force-pushed
the
feat(ci)-keyless-verification
branch
from
396199d
to
ba10576
Compare
| - uses: sigstore/cosign-installer@v3.4.0 | ||
| if: github.event_name != 'pull_request' | ||
|
|
||
| - name: Sign container image | ||
| - name: Sign the images |
There was a problem hiding this comment.
Without the public and private keys, how will we set the OS configuration to allow images from this org?
There was a problem hiding this comment.
Right now, we have configured the ublue certs as trusted in all images, but now we're not signing images using those certs, how will it work?
(I'm talking about this configuration - https://github.com/ublue-os/config/blob/main/files/usr/etc/containers/policy.json#L23-L31)
There was a problem hiding this comment.
So i might be a bit out the loop on the entire process, but I thought we could now use our github to validate via cosign
cosign verify --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity-regexp https://github.com/ublue-os/bluefin <TAG>
which will allow for the image to be verified against our OIDC signature
There was a problem hiding this comment.
recently got my bluebuild image to sign with OIDC and the problem stems from that now the image is no longer signed with the same key, yet the policy.json still expects it to, so updating fails:
user@localhost ~ [1]> rpm-ostree update
Pulling manifest: ostree-image-signed:docker://ghcr.io/gerblesh/uhypr:latest
error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature
we could try creating special tags and systemd units for rebasing/fixing the policy.json but I don't know what's the best way forward for this, and it would probably be ideal to keep workarounds like the ones I just mentioned to a minimum
There was a problem hiding this comment.
I mentioned this in Discord, but appropriate to ask here...
What benefit(s) does signing with OIDC provide bluefin (or any ublue-os image)?
Unless I'm missing something, to trust the OIDC signed image, the policy,json still needs to provide some information to know how to validate the signatures... so one still can't do a direct rebase from upstream Silverblue to ostree-image-signed:docker://ghcr.io/example-org/oidc-signed-image:latest .
And it seems your example here where skopeo fails demonstrates this problem.
There was a problem hiding this comment.
removing the configuration for the individual image allows a rebase. Signing with OIDC keyless means the signature changes every time and is verfied using github's provider. The default policy.json will work on rebase if you don't override the signature verification with pubkey auth
There was a problem hiding this comment.
cosign's docs for keyless signing are here: https://docs.sigstore.dev/signing/overview/
There was a problem hiding this comment.
https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#sigstoresigned explains how to specify OIDC verification in policy.json. There's also an option for subjectEmail, which will ensure the image is signed by the right account and not a random GitHub account.
Pull request was converted to draft
|
Converted to draft to avoid accidental approval/merge before we have figured out how it will work. |
This PR adds the keyless verification from cosign docs.
cosign keyless requires two inputs:
For github, our template follows:
https://token.actions.githubusercontent.comhttps://github.com/${{ github.repository }}