falcosecurity / evolution

Evolution process of The Falco Project
Apache License 2.0

[Tracking] Signatures for official Falco container images #260

Closed LucaGuerra closed 11 months ago

LucaGuerra commented 1 year ago

In the Falco Supply Chain Security WG we have identified the need for signing all container images that we distribute for our repos (official and not).

The mechanism we prefer to use is cosign with keyless signatures. Right now the signature is added in legacy mode, but when our preferred registries (Docker Hub, ECR, GHCR) gain OCI v1.1 capabilities and referrer support, we can migrate to a more modern way.

This issue acts as a place of discussion for these and to keep track of PRs and issues for those tasks. Note that to get us started, there is already a PR to do it in Falcosidekick: https://github.com/falcosecurity/falcosidekick/pull/411. The requirement to do it in that specific way is to move out of CircleCI first. This is one of the things the community is already doing, so helping there is always appreciated ;)
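As an added example (not code from the Falco project or from this issue), the consumer-side check that the signing described above enables: a shell script that verifies a keyless cosign signature while pinning the signer identity and OIDC issuer, and derives the legacy-mode signature tag from an image digest. The issuer URL and identity regexp are assumptions; take the real values from the project's release documentation.

```shell
#!/usr/bin/env bash
# Added example (not Falco project code): verify a keyless cosign signature
# while pinning the expected signer identity and OIDC issuer.
# EXPECTED_ISSUER and EXPECTED_IDENTITY_RE are assumptions (placeholders);
# take the real values from the project's release documentation.
set -eu

# Assumption: images are signed from GitHub Actions workflows in the
# falcosecurity org; adjust to the project's published signing identity.
EXPECTED_ISSUER="https://token.actions.githubusercontent.com"
EXPECTED_IDENTITY_RE='^https://github\.com/falcosecurity/[^/]+/\.github/workflows/.*$'

# Print the argument list for `cosign verify`, one argument per line, so it
# can be logged or audited. Keyless signing means anyone with a Fulcio
# certificate can produce a valid signature; the identity and issuer
# constraints are what make the check meaningful. A bare
# `cosign verify <image>` without them is not a sufficient policy.
build_verify_args() {
  image="$1"
  printf '%s\n' \
    verify \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    --certificate-identity-regexp "$EXPECTED_IDENTITY_RE" \
    "$image"
}

# Run the verification. Exit status 0 means a signature from the pinned
# identity was found; non-zero means unsigned, tampered, or signed by
# someone else. Requires the cosign CLI on PATH and registry access.
verify_image() {
  image="$1"
  cosign verify \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    --certificate-identity-regexp "$EXPECTED_IDENTITY_RE" \
    "$image"
}

# In legacy mode the signature is stored in the same repository under a tag
# derived from the image digest (sha256:<hex> -> sha256-<hex>.sig). This is
# the tag that an OCI 1.1 referrers-based layout would replace.
legacy_sig_tag() {
  digest="$1"
  printf '%s.sig\n' "$(printf '%s' "$digest" | tr ':' '-')"
}

# Usage (constructed reference; the real digest comes from your registry):
# verify_image docker.io/falcosecurity/falco@sha256:<digest>
```

Pin by digest rather than tag when you verify in CI, so the signature you check belongs to the exact image you deploy.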

cpanato commented 1 year ago

/assign

poiana commented 11 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

maxgio92 commented 11 months ago

/remove-lifecycle stale

LucaGuerra commented 11 months ago

... aaand we're done :rocket: