Code Distribution Integrity Assurance using Helm Provenance and Integrity

mojaloop / design-authority-project

This is the Issue and Decision Log for tracking mojaloop and related Designs

Other

1 stars 2 forks source link

Code Distribution Integrity Assurance using Helm Provenance and Integrity #89

Open bukasaaime opened 2 years ago

bukasaaime commented 2 years ago

Request Summary:

Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, Keybase.io and well-respected package managers, Helm can generate and verify signature files.

Implementing Helm Provenance and Integrity for Mojaloop installation packaged chart, will constitute Mojaloop cryptographic Code Signing.

Request Details:

Deadline: Soon after DA meeting / discussions.
Impact (Teams): Code Quality Security, DevSecOps and DevOps
Impact (Components): Mojaloop codebase and documentation

Artifacts:

[ ] Artifact to consider @bukasaaime , @mdebarros

https://helm.sh/docs/topics/provenance/

Dependencies:

[ ] If Applicable

Accountability:

Owner: @godfreykutumela
Raised By: @bukasaaime

Decision(s):

- **Approved By:** ### Details - [ ] Actual decision made as a result of discussion ## **Follow-up**: - [ ] Actions to implement the decisions

bukasaaime commented 2 years ago

Update

We have done a proposal to have Mojaloop helm release code signed using

Keybase.io GPG keys,
Kubernetes commands
Helm package manager,
Helm chart(s),
Github,
Circle CI,
npm packages
Docker images, flags and hash values.
The Mojaloop customization trough external configs (including the default config),
mojaloop.io site for publication of Mojaloop helm release versions and hash values.
signature verification by a Mojaloop user
installation by Mojaloop user.

We are seeking approval from the DA.

code-signing-tree (7)

bukasaaime commented 2 years ago

Keybase.io is an elegant solution for hosting GPG keys for establishing Provenance and managing developers chain of trust. It is recommended by the Helm documentation https://helm.sh/docs/topics/provenance/ and is optional. It is open source, very secure and used by many developers around the world.

godfreykutumela commented 2 years ago

@MichaelJBRichards This is now approved by the DA for testing and implementation on the condition that appropriate documentation explaining this is included in the standard section of the community guides. The helm release note will reference this only on the first release and thereafter removed.

Implementation Plan:

Release initial documentation by 30 August 2022
Start testing the solution from 29 August 2022 - @bukasaaime will be the lead for the security team and I guess @mdebarros for the DevOps team
Once testing is completed, then we can aim to implement this with the next helm release - @mdebarros and @elnyry-sam-k to advise on the helm release schedule

bushjames commented 3 months ago

@elnyry-sam-k to raise this on the platform quality and security workstream backlog and report back to DA when appropriate.

godfreykutumela commented 3 months ago

Noted, @bushjames, I am sharing some of the artefacts we developed for this here! I used OpenPGP recently on another open-source project and it works fine with Github @elnyry-sam-k . Mojaloop code signing process - 16052022.pptx Mojaloop Code Signing - Open Source Options to discuss.docx

bushjames commented 1 month ago

discussed during DA call 2024-10-16 0900 UTC:

review of documented options.
actions:
- @elnyry-sam-k to develop strategy for Mojaloop code/artefact signing as part of PQS workstream: What to sign and where? docker images, npm? CI?