ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

Feature - Sign scorecard container with cosign #309

Closed naveensrinivasan closed 1 year ago

naveensrinivasan commented 3 years ago

Is your feature request related to a problem? Please describe.

Sign scorecard containers with cosign

naveensrinivasan commented 3 years ago

Now that https://github.com/sigstore/cosign is at 1.0, we could use it for signing.

Thoughts @inferno-chromium @azeemshaikh38

azeemshaikh38 commented 3 years ago

On a high level the idea sounds good to me. I don't understand cosign 100% though. Do you mind sketching out what this would look like, i.e. would this be done through CloudBuild, any major changes that would be required, etc.?

azeemshaikh38 commented 3 years ago

@naveensrinivasan assigning this to you as per yesterday's discussion. Let's come up with a one-pager proposal here to submit in the TAC meeting.

developer-guy commented 2 years ago

I have the following recommendations:

naveensrinivasan commented 2 years ago

Thank you @developer-guy! We are tracking this part of this larger issue https://github.com/ossf/scorecard/issues/1051

We want to come up with a plan of it being SLSA compliant.

laurentsimon commented 2 years ago

Would OIDC be an option? This way we don't need a special workflow to generate keys and store them in GH secrets, and we also get built-in key rotation.

laurentsimon commented 2 years ago

@asraa FYI

naveensrinivasan commented 2 years ago

Yes, that would be a great option for signing containers.

Signing a blob (the scorecard binary) is easy. But verifying is jumping through lots of hoops. I am trying, but the tooling isn’t there yet.

Also we need to understand if it suffices the SLSA requirements.

developer-guy commented 2 years ago

hello @azeemshaikh38 @naveensrinivasan, here is the keyless image signing example with GoReleaser, recently created as a sample project^1 thanks to @caarlos0. Of course, you can also find an example of signing the checksum; here is the related tweet^2.

Sample 1: Signing Container Images

# GoReleaser hook that runs after the images are pushed. COSIGN_EXPERIMENTAL=1
# enables the keyless (Fulcio + Rekor) flow in cosign 1.x; the OIDC issuer is
# the GitHub Actions token service when CI is set, the Sigstore dev issuer otherwise.
docker_signs:
  - cmd: cosign
    env:
    - COSIGN_EXPERIMENTAL=1
    artifacts: images
    args:
    - 'sign'
    - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
    - '${artifact}'

Sample 2: Signing checksums.txt file

# The pasted block repeated Sample 1; this is the checksum variant it refers to:
# the `signs` hook signs the checksum file as a blob (cosign 1.x `sign-blob`)
# and writes the detached signature next to it.
signs:
  - cmd: cosign
    env:
    - COSIGN_EXPERIMENTAL=1
    artifacts: checksum
    signature: '${artifact}.sig'
    args:
    - 'sign-blob'
    - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
    - '--output=${signature}'
    - '${artifact}'

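The two GoReleaser hooks above only work inside a workflow that can mint an OIDC token, and a keyless signature is only worth something if the consumer pins which identity was allowed to sign. This added example (not code from the scorecard repository or the sample project) shows both sides; the action and cosign versions, the workflow file name `release.yml` and the `ghcr.io` image name are assumptions.

```yaml
# Added example: release workflow driving the GoReleaser cosign hooks above.
# Assumed: cosign 1.13.x (keyless still behind COSIGN_EXPERIMENTAL, but with
# identity-pinning verify flags), file name release.yml, image on ghcr.io.
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: write   # GoReleaser uploads release assets
  packages: write   # push the image to ghcr.io
  id-token: write   # the line keyless signing needs: lets cosign request the
                    # GitHub OIDC token instead of reading a key from secrets
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0              # GoReleaser needs the tag history
      - uses: actions/setup-go@v3
      - uses: sigstore/cosign-installer@v2
        with:
          cosign-release: 'v1.13.1'
      - uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: goreleaser/goreleaser-action@v3
        with:
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COSIGN_EXPERIMENTAL: 1      # runs the docker_signs / signs hooks keyless
      # Consumer-side check, the part the thread calls "jumping through hoops":
      # accept only a Fulcio certificate issued to this exact workflow at this
      # exact tag by the GitHub Actions OIDC issuer. Without these two flags a
      # keyless verify only proves that *someone* got a certificate and a Rekor entry.
      - name: verify image signature
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
          cosign verify \
            --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            ghcr.io/${{ github.repository }}:${{ github.ref_name }}
```

The same identity and issuer values are what a downstream user of the image should pin when verifying; the checksum signature from Sample 2 is checked the same way with `cosign verify-blob` against `checksums.txt` and its `.sig`.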
justaugustus commented 2 years ago

Cross-linking a few things from Kubernetes tracking:

developer-guy commented 2 years ago

kindly ping @naveensrinivasan, what needs to be done? 🙏

laurentsimon commented 2 years ago

We could also wait for the slsa-generator to have support for containers (later this month), and use that with GoReleaser. I think some of our images use ko as well.

/cc @ianlewis

afmarcum commented 1 year ago

Is this something that still needs to be discussed? If there is no feedback in the next 7 days on whether this remains important for the project, then this issue will be closed.