Closed. naveensrinivasan closed this 1 year ago.
Now that https://github.com/sigstore/cosign is at 1.0, we could use it for signing.
Thoughts @inferno-chromium @azeemshaikh38
On a high level the idea sounds good to me. I don't understand cosign 100% though. Do you mind sketching out what this would look like, i.e. would this be done through CloudBuild, any major changes that would be required, etc.?
@naveensrinivasan assigning this to you as per yesterday's discussion. Let's come up with a one-pager proposal here to submit in the TAC meeting.
I have the following recommendations:
Use the GoReleaser project to make a release. GoReleaser v0.176.0 (both OSS and Pro) was released with the ability to sign Docker images: https://carlosbecker.com/posts/goreleaser-cosign/
Thank you @developer-guy! We are tracking this as part of this larger issue https://github.com/ossf/scorecard/issues/1051
We want to come up with a plan of it being SLSA compliant.
Use GitHub for signing the keys, or use Google for signing the keys and also the provenance that comes along with it, for it to be SLSA compliant.
Would OIDC be an option? This way we don't need a special workflow to generate keys and store them in GH secrets, and we also get built-in key rotation.
@asraa FYI
Yes, that would be a great option for signing containers.
Signing a blob (the scorecard binary) is easy. But verifying is jumping through lots of hoops. I am trying that, but the tooling isn't there yet.
Also we need to understand if it satisfies the SLSA requirements.
Hello @azeemshaikh38 @naveensrinivasan, here is the keyless image signing example with GoReleaser, recently created as a sample project^1, thanks to @caarlos0. Of course, you can also find an example of signing the checksum file; here is the related tweet^2.
Sample 1: Signing container images

docker_signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    artifacts: images
    args:
      - 'sign'
      - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
      - '${artifact}'
Sample 2: Signing the checksums.txt file

# The checksum file is a plain blob, not an image, so it goes through the
# `signs` section (cosign sign-blob) rather than `docker_signs` (cosign sign).
signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    artifacts: checksum
    args:
      - 'sign-blob'
      - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
      - '--output-signature=${signature}'
      - '${artifact}'
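Since the thread notes that verifying keyless signatures takes extra steps, here is an added example (not from the issue, GoReleaser or the scorecard project) that checks the JSON printed by `COSIGN_EXPERIMENTAL=1 cosign verify` against the GitHub Actions OIDC issuer and an expected workflow identity, so a signature by the wrong identity on the right image is rejected. The image reference, digest and workflow subject are constructed values.

```python
import json
import re

# Constructed sample of the JSON array that keyless `cosign verify` prints:
# one simple-signing payload per signature, with the Fulcio certificate's
# issuer and subject copied into the "optional" map. All values are made up.
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/example-org/scorecard"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": "https://token.actions.githubusercontent.com",
        "Subject": "https://github.com/example-org/scorecard/.github/workflows/goreleaser.yml@refs/tags/v4.0.0",
    },
}])

GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"


def check_keyless_signature(verify_output: str, image_ref: str,
                            issuer: str, subject_re: str) -> bool:
    """Return True only if at least one signature in the cosign output covers
    `image_ref`, was issued by `issuer`, and names an identity matching
    `subject_re` in full. Malformed output or missing fields fail closed."""
    try:
        payloads = json.loads(verify_output)
    except json.JSONDecodeError:
        return False
    if not isinstance(payloads, list):
        return False
    for payload in payloads:
        critical = payload.get("critical") or {}
        optional = payload.get("optional") or {}
        # Signature must be bound to the image we asked about, not another tag.
        if (critical.get("identity") or {}).get("docker-reference") != image_ref:
            continue
        # Issuer pins the OIDC provider; Subject pins the workflow (repo + ref).
        if optional.get("Issuer") != issuer:
            continue
        if re.fullmatch(subject_re, optional.get("Subject", "")):
            return True
    return False
```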
Cross-linking a few things from Kubernetes tracking:
cosign: https://github.com/kubernetes/release/issues/2227
Kindly ping @naveensrinivasan, what needs to be done?
We could also wait for the slsa-generator to have support for containers (later this month), and use that with GoReleaser. I think some of our images use ko as well.
/cc @ianlewis
Is this something that still needs to be discussed? If there is no feedback in the next 7 days on whether this remains important for the project, then this issue will be closed.
Is your feature request related to a problem? Please describe.
Sign scorecard containers with cosign.