concourse / registry-image-resource

a resource for images in a Docker registry
Apache License 2.0

feat: adds cosign support #341

Open ChrisJBurns opened 1 year ago

ChrisJBurns commented 1 year ago

Currently, Content Trust is a feature offered by the registry-image-resource, but the gold standard for image signing now is using (if it isn't already) Cosign. This PR implements the functionality to sign images with Cosign. Currently, although it is possible using SignCmd, Cosign is a CLI first - meaning using it as a library in code can be a little less than ideal. This results in a large number of config objects having to be passed into the SignCmd due to the fact that there is no CLI framework setting the default values.

When Cosign becomes more and more usable as a library, the code in this PR can be reduced. This includes the way we have to set a temporary environment variable for COSIGN_KEY and COSIGN_PASSWORD until these are values that can be more easily passed into the Cosign code. Another one is the Keychain. Currently, Cosign works such that if you have a docker config JSON file with registries and auth configured for them in a local cred store, Cosign will just use them via the go-containerregistry library. Due to security reasons, we don't want to have to put the credentials in a file in the registry-image-resource task as any developer that intercepts the container can easily view those credentials. Instead we use an InMemoryKeychain that the underlying Cosign/go-containerregistry libraries will pick up and use for the pushing of signatures to the registry.

implements: https://github.com/concourse/registry-image-resource/issues/329
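The in-memory keychain idea from the description, as an added illustration that is not code from this PR or from go-containerregistry: credentials live only in process memory, keyed by registry host, and are looked up from the image reference being signed, with an anonymous fallback for registries that have no entry. The real library's `authn.Keychain` has the shape `Resolve(authn.Resource) (authn.Authenticator, error)`; the stand-in below uses plain strings and structs so it runs with no external module, and the reference-parsing rules and Hub host aliases are assumptions modelled on Docker's behaviour.

```go
package main

import "strings"

const defaultRegistry = "index.docker.io"

// AuthConfig is the username/password pair the registry client would send.
type AuthConfig struct{ Username, Password string }

// InMemoryKeychain keeps credentials only in process memory, keyed by registry
// host, so no docker config.json is ever written into the task container.
type InMemoryKeychain struct{ creds map[string]AuthConfig }

func NewInMemoryKeychain() *InMemoryKeychain {
	return &InMemoryKeychain{creds: map[string]AuthConfig{}}
}

// Add registers credentials for one registry host (Docker Hub aliases are folded).
func (k *InMemoryKeychain) Add(registry, user, pass string) {
	k.creds[canonicalHost(registry)] = AuthConfig{Username: user, Password: pass}
}

// Resolve returns the credentials for a registry host. ok=false tells the
// caller to push anonymously rather than reuse another registry's secret.
func (k *InMemoryKeychain) Resolve(registry string) (AuthConfig, bool) {
	c, ok := k.creds[canonicalHost(registry)]
	return c, ok
}

// ResolveRef is the lookup a signature push makes: registry of the signed image.
func (k *InMemoryKeychain) ResolveRef(ref string) (AuthConfig, bool) {
	return k.Resolve(RegistryOf(ref))
}

// RegistryOf extracts the registry host from an image reference. As Docker does,
// a single segment, or a first segment without "." or ":" (and not "localhost"), means Hub.
func RegistryOf(ref string) string {
	parts := strings.SplitN(ref, "/", 2)
	first := parts[0]
	if len(parts) == 1 || (!strings.ContainsAny(first, ".:") && first != "localhost") {
		return defaultRegistry
	}
	return canonicalHost(first)
}

func canonicalHost(h string) string {
	if h == "docker.io" || h == "registry-1.docker.io" {
		return defaultRegistry
	}
	return h
}
```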

pidster commented 1 year ago

This would be really useful.

PapaAAnthony commented 1 year ago

looks good, can confirm would be a very useful feature for us to have.

ChrisJBurns commented 4 months ago

Thanks @taylorsilva , I'll get those added :+1:!

ChrisJBurns commented 4 months ago

@taylorsilva

I've added a test but I'm not entirely sure if there's a way to test if the time has been signed as there is no response, only an error. So I've just asserted that there is no error that comes back for that test. Wondering what other thoughts you had?

taylorsilva commented 4 months ago

The out test is failing: [screenshot]

Slightly more detailed error: [screenshot]

taylorsilva commented 4 months ago

Made a small fix to the test. Looks like the image isn't being signed though as we're not seeing any of the info log lines output: [screenshot]