Open sxa opened 2 years ago
Guess we can get the checksum right after build
```bash
# RepoDigests (the registry manifest digest) is only populated after a push or pull,
# so right after a build the content-addressable image Id is the checksum to record.
docker inspect <image> | jq -r '.[0].Id'
```
but how do we want to store and consume these?
Discussed with @netomi as part of the work to trial sigstore. I will request an account on the Eclipse oauth server with the intention of trialling cosign for this.
https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/5348
OAuth credentials have been provided along with some sample code:
```bash
# Exchange the client credentials in idp.txt for an OIDC access token
curl -sSL -X POST \
  --url https://auth.eclipse.org/auth/realms/sigstore/protocol/openid-connect/token \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data @idp.txt \
  | jq -r ".access_token" \
  | head -c -1 > token.txt
# Sign a blob with cosign using that token (no transparency log upload)
./cosign sign-blob README.txt -y --bundle README.bundle --oidc-issuer=https://auth.eclipse.org/auth/realms/sigstore --identity-token=token.txt --verbose --output-certificate=cert.pem --tlog-upload=false --new-bundle-format=true
```
More detailed information is in https://mikael.barbero.tech/blog/post/2023-12-23-eclipse-foundation-embraces-sigstore/
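As an added example (not code from this issue or from adoptium/infrastructure), one way to store the checksum from the first comment before upload and consume it on a dockerBuild node after the pull: record the image Id from `docker inspect` at build time and compare it on the node. The inspect JSON below is constructed for the example, and the Id check assumes content-addressable image IDs (the Id is the sha256 of the image config, which is unchanged by push and pull).

```python
import hmac
import json
import re

SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed samples shaped like `docker inspect <image>` output.
# At build time RepoDigests is empty: the registry manifest digest only
# exists once the image has been pushed or pulled.
BUILT_INSPECT = json.dumps([{"Id": "sha256:" + "11" * 32,
                             "RepoTags": ["adoptium/example:latest"],
                             "RepoDigests": []}])
PULLED_INSPECT = json.dumps([{"Id": "sha256:" + "11" * 32,
                              "RepoTags": ["adoptium/example:latest"],
                              "RepoDigests": ["adoptium/example@sha256:" + "22" * 32]}])


def parse_inspect(inspect_json: str) -> dict:
    """Return the single image object from `docker inspect` JSON, validated."""
    data = json.loads(inspect_json)
    if not isinstance(data, list) or len(data) != 1:
        raise ValueError("expected inspect output for exactly one image")
    img = data[0]
    if not SHA256_RE.match(img.get("Id", "")):
        raise ValueError("image Id is not a sha256 digest")
    return img


def record_entry(inspect_json: str) -> dict:
    """Entry to store before upload: Id is the sha256 of the image config,
    which lists the layer diff_ids, so it pins the image content and is the
    same after a pull; RepoDigests is kept when already known."""
    img = parse_inspect(inspect_json)
    return {"id": img["Id"], "repo_digests": sorted(img.get("RepoDigests", []))}


def verify_entry(entry: dict, inspect_json: str) -> bool:
    """True if the image present on a node matches the recorded entry."""
    img = parse_inspect(inspect_json)
    if not hmac.compare_digest(entry["id"], img["Id"]):
        return False
    # If a registry digest was recorded, the pulled image must carry it too.
    recorded = set(entry.get("repo_digests", []))
    if recorded and not recorded & set(img.get("RepoDigests", [])):
        return False
    return True
```

The recorded entries can themselves be signed with the `cosign sign-blob` flow above so that the manifest, not only the images, is tamper-evident.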
Our docker build images, which are created from the files in https://github.com/adoptium/infrastructure/tree/master/ansible/docker, are created via mechanisms described in https://github.com/adoptium/infrastructure/blob/master/FAQ.md#what-about-the-builds-that-use-the-dockerbuild-tag
Once created those images are uploaded to dockerhub, and then where applicable they are downloaded and used on nodes with the dockerBuild tag.
This issue is to cover whether we can store checksums of the docker images prior to upload to give us the ability to verify that they have not been tampered with while being uploaded to, or retrieved from, GitHub.