search

open-telemetry / opentelemetry-collector-releases

OpenTelemetry Collector Official Releases
https://opentelemetry.io
Apache License 2.0
243 stars 160 forks source link

Start to sign image releases with cosign #203

Closed mattmoor closed 8 months ago

mattmoor commented 2 years ago

Is your feature request related to a problem? Please describe.

I'd like to be able to verify that the images we are consuming from otel/opentelemetry-collector-contrib on DockerHub were produced by this repo's release automation.

Describe the solution you'd like

I'd like to see the workflow used to publish your images use sigstore/cosign keyless signing to sign the published images, e.g. like the actions sample here.

There are three main pieces to this:

  1. You need id-token: write permissions to generate an identity token for the workflow:

      # This is used to complete the identity challenge
  # with sigstore/fulcio when running outside of PRs.
  id-token: write

  2. You need to install cosign

      - name: Install cosign
    uses: sigstore/cosign-installer@main
    with:
      cosign-release: 'v1.12.1'

  3. Sign the resulting image:

      - name: Sign the published Docker image
    env:
      COSIGN_EXPERIMENTAL: "true"
    # This step uses the identity token to provision an ephemeral certificate
    # against the sigstore community Fulcio instance.
    run: cosign sign THE_IMAGE_DIGEST

This can then be used with assorted policy controllers to verify that the images published to DockerHub were produced by .github/workflows/build-and-test.yml even if the static DockerHub credentials have been compromised.

Describe alternatives you've considered

You could also use sigstore/cosign to sign the images using a static key pair. However, this requires managing another secret (the signing key), and publishing your own verification key. Some projects (e.g. Google distroless) are signing things both ways, at least for now.

Additional context

No response

mattmoor commented 2 years ago

If y'all are receptive to this, I'd be happy to send a PR with the above changes to the actions workflow, just let me know.

bogdandrutu commented 2 years ago

The published image are in a different repository. Moving this issue there.

cpanato commented 2 years ago

I can help in the implementation

jpkrohling commented 2 years ago

That would be great, I had this on my radar anyway. We use goreleaser in this project, I believe there's an integration with cosign already.

jpkrohling commented 2 years ago

I'm assigning this to @mattmoor. If you need help, ping @cpanato :-)

cpanato commented 2 years ago

Yep, the implementation should be more straightforward :)

mattmoor commented 2 years ago

@cpanato has forgotten more about goreleaser than I will ever know. Carlos, if you want to take this on that'd be fantastic 🙏

cpanato commented 2 years ago

PR: https://github.com/open-telemetry/opentelemetry-collector-releases/pull/207

also did others to updates some other things:

jpkrohling commented 2 years ago

I commented in the relevant PR already, but our final images are scratch images already. The alpine base is being used only for build stages.

pellared commented 1 year ago

I know that this issue is only about signing images. However, it would be good also to sign executables (especially for Windows and macOS). It looks like sigstore does not handle it. See: https://github.com/sigstore/cosign/issues/2170 and https://github.com/sigstore/fulcio/issues/250.