restic / restic

Fast, secure, efficient backup program
https://restic.net
BSD 2-Clause "Simplified" License

SLSA provenance for GHCR docker containers #4983

Open udf2457 opened 1 month ago

udf2457 commented 1 month ago

Please consider adding SLSA provenance to your releases, e.g. via GitHub Artifact attestations

MichaelEischer commented 1 month ago

Restic binaries are already fully reproducible, see https://restic.readthedocs.io/en/stable/developer_information.html#reproducible-builds . Due to how the restic binaries are currently signed, we cannot build them on GitHub. But that doesn't matter much as they are fully reproducible.

Signing the docker containers in the github registry would be possible though. Feel free to contribute a corresponding change.

konidev20 commented 1 month ago

I took a shot at adding the container signing. I currently have it working on my fork.

I read the following articles before I decided to try container image signing with sigstore/cosign for signing the binaries:

  1. https://snyk.io/blog/signing-container-images/ [Compares cosign, docker container trust and Notary]
  2. https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/ [GitHub Container Registry demonstrating the use of cosign]
  3. https://github.com/sigstore/cosign-installer [Cosign docs to setup a simple workflow to sign images]

You can try pulling the image I built:

docker pull ghcr.io/konidev20/restic:docker-image-deployment

The verify command requires cosign to be installed (see Cosign Installation):

cosign verify --certificate-identity-regexp="https://github.com/konidev20/.*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" ghcr.io/konidev20/restic:docker-image-deployment

konidev20 commented 3 weeks ago

I also explored SLSA Provenance Generation using the guide "Generation of SLSA3+ provenance for container images" available in slsa-framework/slsa-github-generator (https://github.com/slsa-framework/slsa-github-generator).

You can review 2fab85a
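The two comments above describe two separate pieces (keyless cosign signing of the GHCR image, and SLSA3 provenance via the slsa-github-generator reusable workflow). The workflow below combines them so the digest from one build feeds both. It is an added example, not the workflow from the fork or from 2fab85a; the tag trigger, action version pins, `Dockerfile` context and the `ghcr.io/restic/restic` image name are assumptions, and the version pins should be checked against the current releases before use. The verify commands in the trailing comments use placeholders for the digest and tag.

```yaml
# Added example: sign the GHCR image with cosign (keyless) and attach
# SLSA3 container provenance. Not the project's own workflow.
name: container

on:
  push:
    tags: ["v*"]          # assumption: release tags trigger the image build

permissions: {}           # grant per job, nothing at the top level

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write     # push to ghcr.io
      id-token: write     # OIDC token for keyless signing (Fulcio/Rekor)
    outputs:
      image: ${{ steps.meta.outputs.image }}
      digest: ${{ steps.push.outputs.digest }}
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # ghcr.io requires a lowercase repository path.
      - id: meta
        run: echo "image=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_OUTPUT"

      - id: push
        uses: docker/build-push-action@v5   # exposes the pushed digest as an output
        with:
          context: .                        # assumption: Dockerfile at repo root
          push: true
          tags: ${{ steps.meta.outputs.image }}:${{ github.ref_name }}

      - uses: sigstore/cosign-installer@v3

      # Sign the immutable digest, never a mutable tag: a tag can be re-pointed
      # at a different image after signing, the digest cannot.
      - name: Sign image (keyless)
        env:
          IMAGE: ${{ steps.meta.outputs.image }}
          DIGEST: ${{ steps.push.outputs.digest }}
        run: cosign sign --yes "${IMAGE}@${DIGEST}"

  # The generator must be referenced by a version tag (not a SHA) or
  # slsa-verifier rejects the provenance as coming from an untrusted builder.
  provenance:
    needs: build
    permissions:
      actions: read       # read the workflow run that produced the image
      id-token: write     # sign the provenance attestation
      packages: write     # attach the attestation to the image in ghcr.io
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ${{ needs.build.outputs.image }}
      digest: ${{ needs.build.outputs.digest }}
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}

# Consumer-side checks (run locally, not in the workflow):
#
# Signature: the identity is the workflow URL, so anchor the regexp to the
# repository, otherwise any fork or any github.com repo would match.
#   cosign verify \
#     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
#     --certificate-identity-regexp '^https://github.com/restic/restic/' \
#     ghcr.io/restic/restic@sha256:<digest>
#
# Provenance: bind the image to the source repository and the tag it was
# built from, not merely to "some GitHub Actions run".
#   slsa-verifier verify-image ghcr.io/restic/restic@sha256:<digest> \
#     --source-uri github.com/restic/restic --source-tag <tag>
```

The identity regexp is the part most often done loosely: `https://github.com/konidev20/.*` as in the comment above accepts every workflow in every repository under that account, so a consumer who wants "this image was built by restic's release workflow" should anchor the pattern at the repository (or the exact workflow path) as shown.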