search

geoserver / geoserver-cloud

Cloud Native GeoServer is GeoServer ready to use in the cloud through dockerized microservices.
http://geoserver.org/geoserver-cloud
Other
244 stars 73 forks source link

Cosign integration. Docker images signature and validation in github actions #492

Closed groldan closed 2 months ago

groldan commented 2 months ago

Backport #491 to 1.8.x

Required to create these secrets in github actions setup:

image

Cosign_key is the private key Cosign_pub_key the public one (for use in validation process) Cosign_password is the password for the private key Docker token and username for dockerhub repo.

You should create your keys with cosign generate-key-pair You will be challenged for setting a password for the private key (that is going to be the value of your cosign_password secret) Then you will get 2 files, cosign.key and cosign.pub.

Assign those values to the secrets, and make public the cosign.pub (adding to your repo in git, so people can access it for own validation).

Since cosign advices to avoid signing based on tags, then we are signing images based on digest. Once pulled in repo, signing procedure is executed and cosign adds a .sig file into the dockerhub repo, which is used for validation. If the sig file for a digest is removed, then image wont be recognized as signed.

You can validate images in this way: cosign verify --key cosign.pub jemacchi/geoserver-cloud-wms:1.9-SNAPSHOT

IMPORTANT Note: do not confuse use of Cosign with Docker Content Trust (reference: https://snyk.io/blog/signing-container-images/ ).