
Add support for image verification through cosign

Open axtloss opened this issue 1 year ago • 4 comments

We currently make no efforts to verify the downloaded images; this is very insecure and can be a huge downside in enterprise applications. There are multiple solutions to signing the images, but the easiest would be to simply use cosign, as it is made for the purpose of signing and verifying OCI images. It's also written in Go, so it would be even easier for us to integrate it with abroot and vib.

axtloss avatar Apr 19 '24 17:04 axtloss

+1

On atomic Fedora (rpm-ostree and bootc), the standard file /etc/containers/policy.json is used to configure verification, so I suggest also using that. The cosign public key needs to be copied into /etc/pki/containers/ on the image, and the policy.json can be edited to reference that. See below for an example of how it's configured in my custom image of Universal Blue.

{
   "transports": {
      "docker": {
         "ghcr.io/xynydev/linuxyz": [
            {
               "type": "sigstoreSigned",
               "keyPath": "/usr/etc/pki/containers/linuxyz.pub",
               "signedIdentity": {
                  "type": "matchRepository"
               }
            }
         ]
      }
   }
}

This process can be easily scripted; the image maker just has to provide the cosign keys in a standard location.

xynydev avatar Jul 25 '24 10:07 xynydev
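The scripting step described in the comment above, as an added Go example that is not ABRoot's, BlueBuild's or containers/image's own code: it builds a policy.json of the shape shown (with a "reject" default so anything outside the signed repository is refused), resolves which requirement list applies to a given docker reference using the scope precedence containers/image documents (full reference, repository, parent namespaces, registry host, the transport's "" scope, then the global default), and audits the result for insecureAcceptAnything entries. The repository name and key path are taken from the comment (the key is assumed to live at /etc/pki/containers/linuxyz.pub); the function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Requirement is one entry of a containers/image policy.json requirement list
// (only the fields this example needs).
type Requirement struct {
	Type           string          `json:"type"`
	KeyPath        string          `json:"keyPath,omitempty"`
	SignedIdentity *SignedIdentity `json:"signedIdentity,omitempty"`
}

// SignedIdentity controls which image name the signature must refer to.
type SignedIdentity struct {
	Type string `json:"type"`
}

// Policy is the top-level policy.json document: a global default plus
// per-transport, per-scope requirement lists.
type Policy struct {
	Default    []Requirement                       `json:"default"`
	Transports map[string]map[string][]Requirement `json:"transports"`
}

// NewCosignPolicy (hypothetical helper) builds a policy that rejects every image
// except those from repo, which must carry a cosign (sigstore) signature that
// verifies with the public key at keyPath and names the same repository.
func NewCosignPolicy(repo, keyPath string) Policy {
	return Policy{
		Default: []Requirement{{Type: "reject"}},
		Transports: map[string]map[string][]Requirement{
			"docker": {repo: {{
				Type:           "sigstoreSigned",
				KeyPath:        keyPath,
				SignedIdentity: &SignedIdentity{Type: "matchRepository"},
			}}},
		},
	}
}

// repositoryOf strips the tag and digest from a docker reference, e.g.
// "ghcr.io/xynydev/linuxyz:latest" -> "ghcr.io/xynydev/linuxyz".
func repositoryOf(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	if colon := strings.LastIndex(ref, ":"); colon > strings.LastIndex(ref, "/") {
		ref = ref[:colon]
	}
	return ref
}

// RequirementsFor returns the requirement list that applies to a docker
// transport reference: the most specific scope wins, then the transport's ""
// scope, and finally the global default.
func RequirementsFor(p Policy, ref string) []Requirement {
	scopes := p.Transports["docker"]
	candidates := []string{ref}
	for cur := repositoryOf(ref); cur != ""; {
		candidates = append(candidates, cur)
		if i := strings.LastIndex(cur, "/"); i >= 0 {
			cur = cur[:i] // drop one path component: namespace, then host
		} else {
			cur = ""
		}
	}
	for _, scope := range append(candidates, "") {
		if reqs, ok := scopes[scope]; ok {
			return reqs
		}
	}
	return p.Default
}

// SignatureKeyFor reports whether ref may only be used with a valid cosign
// signature and, if so, which public key verifies it. Every requirement in the
// applicable list must be a sigstoreSigned entry with a key; an empty list, a
// "reject" or an "insecureAcceptAnything" entry yields false.
func SignatureKeyFor(p Policy, ref string) (string, bool) {
	reqs := RequirementsFor(p, ref)
	key := ""
	for _, r := range reqs {
		if r.Type != "sigstoreSigned" || r.KeyPath == "" {
			return "", false
		}
		key = r.KeyPath
	}
	return key, key != ""
}

// InsecureScopes lists every "transport:scope" (or "default") at which the
// policy would accept an unsigned image, so a generated or hand-edited
// policy.json can be audited before it is shipped in the image.
func InsecureScopes(p Policy) []string {
	var out []string
	for _, r := range p.Default {
		if r.Type == "insecureAcceptAnything" {
			out = append(out, "default")
		}
	}
	for transport, scopes := range p.Transports {
		for scope, reqs := range scopes {
			for _, r := range reqs {
				if r.Type == "insecureAcceptAnything" {
					out = append(out, transport+":"+scope)
				}
			}
		}
	}
	return out
}

// ToJSON renders the policy as it would be written to /etc/containers/policy.json.
func ToJSON(p Policy) ([]byte, error) { return json.MarshalIndent(p, "", "   ") }
```

The "reject" default is the part worth keeping even if the rest is scripted differently: with it, a policy that only lists the signed repository fails closed for every other image, which is the behaviour an update tool wants when the signing key or the policy entry goes missing.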

Btw, what do you think about keyless signing in cosign? Is it something we could explore to eliminate the need for public/private keys?

kbdharun avatar Jul 25 '24 10:07 kbdharun

We've looked into OIDC keyless signing with BlueBuild but the upstream support for it is not quite there yet AFAIK, and containers/image cannot verify images signed like that. For ABRoot, it could be technically possible to implement the verification through cosign directly, I guess.

xynydev avatar Jul 25 '24 10:07 xynydev

It would probably be easier to stick with key-based signing instead of implementing a (possibly insecure) verification method manually.

axtloss avatar Jul 25 '24 10:07 axtloss