Issue (open), opened by ThomasVitale 1 year ago
I've started working on an RFC for this. I will publish a first draft here soon.
Signatures are now implemented for all Carvel artifacts (see https://github.com/carvel-dev/carvel/issues/691). The next step will be adding SLSA attestations and SBOMs. I'm working on a follow-up RFC for that.
Describe the problem/challenge you have
Currently, the artefacts produced by the different Carvel projects (binaries, images, bundles) are not signed. It would be nice if they were all signed to help with the implementation of supply chain security practices on the consumer side, requiring verification and provenance attestation of any third-party tool.
More and more cloud native projects have started adopting Sigstore for signing and verifying artefacts. It would be great if all Carvel artefacts were signed with Sigstore cosign. There's a "Sigstore Landscape" in the OpenSSF listing all the projects using Sigstore. It would be nice to include Carvel there. For GitHub-based builds, the official Sigstore GitHub Action to install cosign could be used.
As part of improving supply chain security, SLSA provides a framework to guarantee the integrity of software artefacts, with different levels of compliance.
One of the main concepts introduced by SLSA is the provenance "to trace software back to the source and define the moving parts in a complex supply chain". It's defined as "the verifiable information about software artifacts describing where, when and how something was produced".
It would be a great addition to Carvel if all the project artefacts were not only signed, but also provided with a signed provenance attestation following the standard in-toto format. Such attestation would contain information about how each artifact was built. For GitHub-based builds, there is an attestation generator provided by the SLSA project: https://github.com/slsa-framework/slsa-github-generator.
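As an added illustration of what the consumer side of the proposal above would check (this is example code, not part of the issue or of any Carvel or SLSA project), the script below inspects an in-toto Statement carrying a SLSA v0.2 provenance predicate and compares it against a downloaded artifact: the subject digest must match the file, the builder must be the expected slsa-github-generator workflow, and the build must have come from the expected source repository. The statement, artifact and all URIs are constructed samples; the DSSE envelope signature over the statement is assumed to have been verified already by cosign or slsa-verifier and is not covered here.

```python
import hashlib

# Constructed sample: a fake release binary and an in-toto Statement shaped like
# slsa-github-generator output. Values are illustrative, not from a real release.
ARTIFACT = b"#!/bin/sh\necho 'pretend this is a kapp binary'\n"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "kapp-linux-amd64",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://github.com/slsa-framework/slsa-github-generator/"
                          ".github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0"},
        "invocation": {"configSource": {
            "uri": "git+https://github.com/carvel-dev/kapp@refs/tags/v0.50.0",
            "digest": {"sha1": "0" * 40},  # placeholder commit, constructed
            "entryPoint": ".github/workflows/release.yml"}},
    },
}

# Consumer policy (assumed values): trust only the official generator workflows
# and only builds whose source lives under the carvel-dev organisation.
# Pinning the full builder id including its tag is stricter than a prefix.
EXPECTED_BUILDER_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"
EXPECTED_SOURCE_PREFIX = "git+https://github.com/carvel-dev/"


def check_provenance(statement, artifact, artifact_name, builder_prefix, source_prefix):
    """Return a list of policy failures; an empty list means the statement passes."""
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        failures.append("not an in-toto v0.1 Statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        failures.append("unexpected predicateType %r" % statement.get("predicateType"))
    # The subject digest binds the attestation to exactly this artifact.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = {s.get("name"): s.get("digest", {}).get("sha256", "").lower()
                for s in statement.get("subject", [])}
    if subjects.get(artifact_name) != actual:
        failures.append("subject digest for %s does not match artifact" % artifact_name)
    predicate = statement.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id", "")
    if not builder_id.startswith(builder_prefix):
        failures.append("untrusted builder %r" % builder_id)
    source = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not source.startswith(source_prefix):
        failures.append("unexpected source repository %r" % source)
    return failures
```

Calling `check_provenance(STATEMENT, ARTIFACT, "kapp-linux-amd64", EXPECTED_BUILDER_PREFIX, EXPECTED_SOURCE_PREFIX)` returns an empty list, while a modified binary or a statement produced by a different builder yields the corresponding failure messages.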