SUSE / bci-docs


document how BCI images should be verified #51

Open dirkmueller opened 2 years ago

dirkmueller commented 2 years ago

We should include instructions on how the signatures of the binary images as well as the attestations can be verified.

e.g. `COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type slsaprovenance --key <keyfile> registry.suse.com/bci/dotnet-runtime:6.0 | jq`

dirkmueller commented 2 years ago

particularly needed here is to explain how to verify manifestlists. @mattfarina has recently written up a blog post on that: https://codeengineered.com/blog/2022/bci-slsa-attestation/
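A multi-arch tag such as `registry.suse.com/bci/dotnet-runtime:6.0` resolves to a manifest list (OCI image index), and the signature and attestation live on each per-architecture manifest rather than on the index itself. The following is an added example for this issue (not code from bci-docs or from the linked blog post) that expands a manifest list into the digest-pinned references `cosign` has to be run against. The index below is constructed with made-up digests; in practice it is fetched with `skopeo inspect --raw docker://<ref>`. The key path and the assumption that attachments hang off the per-platform manifests are taken from this thread, not verified here.

```python
"""Expand an OCI image index (manifest list) into the per-platform image
references that cosign verifies.

Added example, not code from bci-docs or SUSE. Assumption: signatures and
attestations are attached to the per-architecture manifests, so a
multi-arch tag is verified by resolving each platform digest and verifying
those digests individually.
"""
import json
import re

OCI_INDEX = "application/vnd.oci.image.index.v1+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample index; the digests are invented, only the shape is real.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": OCI_INDEX,
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "11" * 32, "size": 1234,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "22" * 32, "size": 1234,
         "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
    ],
})


def platform_refs(index_json, repo):
    """Return {platform: 'repo@digest'} for every manifest in the index.

    Refuses anything that is not a manifest list and rejects malformed
    digests, so a tampered or truncated index fails loudly instead of
    producing an unverifiable reference.
    """
    idx = json.loads(index_json)
    if idx.get("mediaType") not in (OCI_INDEX, DOCKER_LIST):
        raise ValueError(f"not a manifest list: {idx.get('mediaType')!r}")
    refs = {}
    for m in idx["manifests"]:
        digest = m["digest"]
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest {digest!r}")
        p = m.get("platform", {})
        name = "/".join(x for x in (p.get("os"), p.get("architecture"),
                                    p.get("variant")) if x)
        refs[name] = f"{repo}@{digest}"
    return refs


def verify_commands(refs, key_path, att_type="slsaprovenance"):
    """cosign command lines: one signature and one attestation check per digest."""
    cmds = []
    for platform, ref in sorted(refs.items()):
        cmds.append(f"cosign verify --key {key_path} {ref}  # {platform}")
        cmds.append(f"cosign verify-attestation --type {att_type} "
                    f"--key {key_path} {ref}")
    return cmds


if __name__ == "__main__":
    refs = platform_refs(SAMPLE_INDEX, "registry.suse.com/bci/dotnet-runtime")
    key = "/usr/share/pki/containers/suse-container-key.pem"
    print("\n".join(verify_commands(refs, key)))
```

Because the tag-to-index binding is not what gets signed under this assumption, record the per-platform digests the verification succeeded on and deploy by digest rather than by tag.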

dirkmueller commented 2 years ago

Podman 4.2.0 and newer has support for container policies via containers-policy.json (see https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md):

This is an entry (under `transports` / `docker`) in /etc/containers/policy.json that enforces sigstore checking before pulling or running a container:

```json
{
    "transports": {
        "docker": {
            "registry.suse.com": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/etc/pki/containers/container-key.pem",
                    "signedIdentity": {"type": "matchRepository"}
                }
            ]
        }
    }
}
```

obviously it could also be restricted for certain subpaths, like only registry.suse.com/bci for example. the /etc/pki/containers/container-key.pem needs to be the public key in PEM format (which we currently only provide via https://ftp.suse.com/pub/projects/security/keys/container%E2%80%93key.pem and not in any other build-keys package for example).

This also requires a setting to enable sigstore attachments, in /etc/containers/registries.d/default.yaml:

```yaml
docker:
  registry.suse.com:
    use-sigstore-attachments: true
```

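The two fragments above only constrain `registry.suse.com`; whether anything else is allowed depends on the policy's `default` entry, which on many systems is `insecureAcceptAnything`. The following is an added example for this issue (not code shipped by SUSE or by containers/image) that writes a complete policy.json plus the registries.d entry and audits a policy for the things a practitioner would want flagged: a permissive default, a missing key file, and the tag-substitution property of `matchRepository`. It assumes the key path mentioned later in this thread, `/usr/share/pki/containers/suse-container-key.pem`, and writes under a caller-chosen root so it runs unprivileged.

```python
"""Generate and audit containers-policy.json / registries.d settings so that
podman rejects images from registry.suse.com without a valid sigstore
signature.

Added example for this issue, not SUSE or containers/image code. Assumptions:
the public key lives at /usr/share/pki/containers/suse-container-key.pem
(as stated later in the thread); files are written below `root` so the
example can be exercised without touching /etc.
"""
import json
import os
import tempfile

REGISTRY = "registry.suse.com"
KEY_PATH = "/usr/share/pki/containers/suse-container-key.pem"


def build_policy(key_path=KEY_PATH, scope=REGISTRY):
    """Reject by default; sigstore-signed images only under `scope`.

    `scope` may be narrowed to a repository prefix such as
    'registry.suse.com/bci'.
    """
    return {
        "default": [{"type": "reject"}],
        "transports": {
            "docker": {
                scope: [{
                    "type": "sigstoreSigned",
                    "keyPath": key_path,
                    "signedIdentity": {"type": "matchRepository"},
                }]
            }
        },
    }


def registries_conf(scope=REGISTRY):
    """registries.d entry telling podman to fetch sigstore attachments."""
    return f"docker:\n  {scope}:\n    use-sigstore-attachments: true\n"


def audit_policy(policy, scope=REGISTRY, key_exists=os.path.isfile):
    """Return human-readable findings about `policy` for `scope`."""
    findings = []
    default = policy.get("default") or []
    if not default:
        findings.append("missing default requirement; set default to reject")
    elif any(r.get("type") == "insecureAcceptAnything" for r in default):
        findings.append("default accepts unsigned images; only scoped entries are enforced")
    reqs = policy.get("transports", {}).get("docker", {}).get(scope)
    if not reqs:
        findings.append(f"no docker transport entry for {scope}")
        return findings
    for r in reqs:
        if r.get("type") != "sigstoreSigned":
            findings.append(f"{scope}: requirement type {r.get('type')!r} is not sigstoreSigned")
            continue
        if "keyPath" in r and not key_exists(r["keyPath"]):
            findings.append(f"{scope}: keyPath {r['keyPath']} is missing on this host")
        if r.get("signedIdentity", {}).get("type") == "matchRepository":
            # Any signed tag of the same repository satisfies the check, so
            # a registry (or MITM) can substitute an older signed tag.
            findings.append(f"{scope}: matchRepository accepts any signed tag of the repository; pin digests if tag substitution matters")
    return findings


def install(root, key_path=KEY_PATH, scope=REGISTRY):
    """Write both files under `root` ('/' on a real host); return their paths."""
    policy_path = os.path.join(root, "etc/containers/policy.json")
    reg_path = os.path.join(root, "etc/containers/registries.d/default.yaml")
    os.makedirs(os.path.dirname(reg_path), exist_ok=True)
    with open(policy_path, "w") as f:
        json.dump(build_policy(key_path, scope), f, indent=4)
    with open(reg_path, "w") as f:
        f.write(registries_conf(scope))
    return policy_path, reg_path


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    policy_path, reg_path = install(root)
    with open(policy_path) as f:
        for finding in audit_policy(json.load(f)):
            print("finding:", finding)
    print("wrote", policy_path, "and", reg_path)
```

Run `audit_policy` against the host's real `/etc/containers/policy.json` before relying on it; a `registry.suse.com` entry next to a `default` of `insecureAcceptAnything` still lets every other registry through unsigned.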
dirkmueller commented 2 years ago

(jfyi, this is currently not working due to an OBS bug: https://jira.suse.com/browse/OBS-224.) It has been fixed by the OBS team.

mlschroe commented 2 years ago

(This has been changed, all sigstore extra data should now use OCI mimetypes)

dirkmueller commented 2 years ago

Confirmed, the registry-hosted images are now working. Thanks for fixing this!

msmeissn commented 2 years ago

the key is delivered on SLES already in /usr/share/container-keys/suse-container-key.pem

msmeissn commented 2 years ago

should I ship it also to /etc/pki/containers/ ?

msmeissn commented 2 years ago

We agreed on /usr/share/pki/containers/ for now; I will add that.