Supporting Cosign Sigstore signing workflow

[mgreau]

Hi,

Starting with 8.8.0, the Elastic images are now signed with Cosign Sigstore as you can see below.

Do you have plans to support signing the "library" images?

Or even better a way for us to push our signed images there similar to the elastic images?

Thanks

cc @tianon

Elasticsearch - Docker Hub Elastic repository

cosign verify  \
           --key https://artifacts.elastic.co/cosign.pub \
           elastic/elasticsearch:8.8.0

Verification for index.docker.io/elastic/elasticsearch:8.8.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"docker.elastic.co/elasticsearch/elasticsearch"},"image":{"docker-manifest-digest":"sha256:9aaa38551b4d9e655c54d9dc6a1dad24ee568c41952dc8cf1d4808513cfb5f65"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIB6wscj/N6wUOhMq9pFSgaaji3d5HlOLsz2xiI40aW0mAiEA6nvDSPSwwfShSVbILUTbMFqVAfPWvrB5XXz13htMlUQ=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzZmYzZDIzZWVmOTliMDI3YWMzNjE2YWY2ZWQyZTk4MjgyMDRkOTY0MTU0MTQ4MzJiZTU5YThhMzAzZmRjN2YzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURIenVoV3pibkZsSUxVallMN2MxWm9TaVh3NzVPdmF2SldLVGsvcGRSQUhRSWhBS2hZSS9KTXZtNWJ6M3k2ajdvSzFQc2ZxUUQ0K01lQS9uSFB2a3F4UzIzVyIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGY1ZaMlRtUlJkR1JrZEdWdGRtWmpWV1V5VGpCbloxZ3ZjSFJxYVFwRlZYRjRlakp3UkZVM1ZWYzFiVE53WkcxSU1UTnJUVXR3ZURselJqUjJWVFZLVDJVM1ZYSXJSazVJVERkaFlXaE1hbWRIWXpBNGRXUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1685024464,"logIndex":21642671,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"tag":"8.8.0"}}]

Elasticsearch - Elastic Container Registry

cosign verify  \
           --key https://artifacts.elastic.co/cosign.pub \
           docker.elastic.co/elasticsearch/elasticsearch:8.8.0

Verification for docker.elastic.co/elasticsearch/elasticsearch:8.8.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"docker.elastic.co/elasticsearch/elasticsearch"},"image":{"docker-manifest-digest":"sha256:9aaa38551b4d9e655c54d9dc6a1dad24ee568c41952dc8cf1d4808513cfb5f65"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIB6wscj/N6wUOhMq9pFSgaaji3d5HlOLsz2xiI40aW0mAiEA6nvDSPSwwfShSVbILUTbMFqVAfPWvrB5XXz13htMlUQ=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzZmYzZDIzZWVmOTliMDI3YWMzNjE2YWY2ZWQyZTk4MjgyMDRkOTY0MTU0MTQ4MzJiZTU5YThhMzAzZmRjN2YzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURIenVoV3pibkZsSUxVallMN2MxWm9TaVh3NzVPdmF2SldLVGsvcGRSQUhRSWhBS2hZSS9KTXZtNWJ6M3k2ajdvSzFQc2ZxUUQ0K01lQS9uSFB2a3F4UzIzVyIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGY1ZaMlRtUlJkR1JrZEdWdGRtWmpWV1V5VGpCbloxZ3ZjSFJxYVFwRlZYRjRlakp3UkZVM1ZWYzFiVE53WkcxSU1UTnJUVXR3ZURselJqUjJWVFZLVDJVM1ZYSXJSazVJVERkaFlXaE1hbWRIWXpBNGRXUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1685024464,"logIndex":21642671,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"tag":"8.8.0"}}]

Elasticsearch - AWS ECR registry

cosign verify  \
           --key https://artifacts.elastic.co/cosign.pub \
           public.ecr.aws/elastic/elasticsearch:8.8.0

Verification for public.ecr.aws/elastic/elasticsearch:8.8.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"docker.elastic.co/elasticsearch/elasticsearch"},"image":{"docker-manifest-digest":"sha256:9aaa38551b4d9e655c54d9dc6a1dad24ee568c41952dc8cf1d4808513cfb5f65"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIB6wscj/N6wUOhMq9pFSgaaji3d5HlOLsz2xiI40aW0mAiEA6nvDSPSwwfShSVbILUTbMFqVAfPWvrB5XXz13htMlUQ=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzZmYzZDIzZWVmOTliMDI3YWMzNjE2YWY2ZWQyZTk4MjgyMDRkOTY0MTU0MTQ4MzJiZTU5YThhMzAzZmRjN2YzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURIenVoV3pibkZsSUxVallMN2MxWm9TaVh3NzVPdmF2SldLVGsvcGRSQUhRSWhBS2hZSS9KTXZtNWJ6M3k2ajdvSzFQc2ZxUUQ0K01lQS9uSFB2a3F4UzIzVyIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGY1ZaMlRtUlJkR1JrZEdWdGRtWmpWV1V5VGpCbloxZ3ZjSFJxYVFwRlZYRjRlakp3UkZVM1ZWYzFiVE53WkcxSU1UTnJUVXR3ZURselJqUjJWVFZLVDJVM1ZYSXJSazVJVERkaFlXaE1hbWRIWXpBNGRXUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1685024464,"logIndex":21642671,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"tag":"8.8.0"}}]

[dlorenc]

Happy to help here!

[data-dude]

Does anyone know where we can get the certificate authority used by elastic to sign the images? Without that we can't really verify it in a kubernetes cluster using Kyverno