stefanprodan / podinfo

Go microservice template for Kubernetes
Apache License 2.0

feat(notation): sign artifacts using notation #341

Closed JasonTheDeveloper closed 8 months ago

JasonTheDeveloper commented 9 months ago

This PR is associated with feat(notation): add support for notation in HelmChart and OCIRepository configuration and includes the notation configuration used to sign artifacts and updates to the release workflow.

I have included my public cert used by others who want to validate the artifact they're deploying was signed by me, but you would need to generate your own and associated private cert.

Prep

To help with that, you can use the following cnf:

[ req ]
default_bits           = 2048
default_keyfile        = privatekey.pem
distinguished_name     = req_distinguished_name
req_extensions         = v3_req
prompt                 = no

[ req_distinguished_name ]
C                      = US
ST                     = WA
L                      = Seattle
O                      = Notary
CN                     = fluxcd.io

[ v3_req ]
keyUsage               = critical,digitalSignature
extendedKeyUsage       = critical,codeSigning
#subjectKeyIdentifier  = hash

Change the req_distinguished_name block if you like but just keep in mind, you'll also need to update trustedIdentities in .notation/trustpolicy.json to match.

Save that to a file, something like codesign.cnf for example.

Use the following commands to generate a new cert for signing and verifying:

openssl genrsa -out flux.key 2048
openssl req -new -key flux.key -out flux.csr -config codesign.cnf

# Up to you how long you want the cert to last for. The below command uses 365 days
openssl x509 -req -days 365 -in flux.csr -signkey flux.key -out flux.crt -extensions v3_req -extfile codesign.cnf

Take the resulting flux.key and copy the contents to a new secret in GitHub named NOTATION_SIGNING_KEY. Replace .notation/notation.crt with the contents of flux.crt.

That's it! You should be golden.
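The openssl steps above produce a certificate that notation's trust policy will accept only if it carries the right extensions, and the `trustedIdentities` entry in `.notation/trustpolicy.json` has to match the subject exactly. The following is an added example, not code from this PR or from the podinfo project: it builds the same kind of certificate with Go's standard library (so it runs without the openssl CLI), then checks it against the certificate requirements the Notary Project documents (digitalSignature key usage, codeSigning EKU, RSA key of at least 2048 bits, no SHA-1/MD5 signature, not expired) and prints the subject in the `x509.subject: ...` form the trust policy uses. The function names, the attribute order in the identity string and the exact check list are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// cnfSubject mirrors the [ req_distinguished_name ] block of codesign.cnf.
var cnfSubject = pkix.Name{
	Country: []string{"US"}, Province: []string{"WA"}, Locality: []string{"Seattle"},
	Organization: []string{"Notary"}, CommonName: "fluxcd.io",
}

// newCodeSigningCert (hypothetical helper) produces what the openssl commands produce:
// a 2048-bit RSA self-signed certificate with keyUsage digitalSignature and the given EKUs.
func newCodeSigningCert(subj pkix.Name, eku []x509.ExtKeyUsage, days int) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      subj,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // Go marks keyUsage critical, like the cnf
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// checkCodeSigningCert (hypothetical helper) parses a PEM certificate such as flux.crt and
// reports every way it would fail notation's signing-certificate requirements (assumed list).
func checkCodeSigningCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input has no CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var problems []string
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		problems = append(problems, "keyUsage lacks digitalSignature")
	}
	hasCodeSigning := false
	for _, e := range cert.ExtKeyUsage {
		if e == x509.ExtKeyUsageCodeSigning {
			hasCodeSigning = true
		}
	}
	if !hasCodeSigning {
		problems = append(problems, "extendedKeyUsage lacks codeSigning")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		problems = append(problems, "RSA key shorter than 2048 bits")
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.MD5WithRSA:
		problems = append(problems, "signature uses a weak hash (SHA-1/MD5)")
	}
	if time.Now().After(cert.NotAfter) {
		problems = append(problems, "certificate has expired")
	}
	if len(problems) > 0 {
		return cert, errors.New(strings.Join(problems, "; "))
	}
	return cert, nil
}

// trustedIdentity renders the subject as an "x509.subject: ..." entry for trustedIdentities
// in .notation/trustpolicy.json, in the attribute order of the cnf (assumed formatting).
func trustedIdentity(cert *x509.Certificate) string {
	s := cert.Subject
	var parts []string
	add := func(k string, v []string) {
		if len(v) > 0 {
			parts = append(parts, k+"="+v[0])
		}
	}
	add("C", s.Country)
	add("ST", s.Province)
	add("L", s.Locality)
	add("O", s.Organization)
	if s.CommonName != "" {
		parts = append(parts, "CN="+s.CommonName)
	}
	return "x509.subject: " + strings.Join(parts, ", ")
}

func main() {
	certPEM, _, err := newCodeSigningCert(cnfSubject, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, 365)
	if err != nil {
		panic(err)
	}
	cert, err := checkCodeSigningCert(certPEM)
	if err != nil {
		fmt.Println("REJECT:", err)
		return
	}
	fmt.Println("OK, add this to trustedIdentities:", trustedIdentity(cert))
}
```

To check a certificate you generated with openssl instead, read flux.crt from disk and pass its bytes to checkCodeSigningCert; a certificate whose EKU was left at the default (for example a TLS server certificate) is rejected, which is the mistake the `extendedKeyUsage = critical,codeSigning` line in the cnf guards against.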

stefanprodan commented 8 months ago

Hey @JasonTheDeveloper thank you for this, I've been on a work trip this week but Monday I'll follow the steps and do a release for podinfo.

stefanprodan commented 8 months ago

This crashed the release Error: failed to push signature to registry with error: failed to push manifest: PUT "https://registry-1.docker.io/v2/***/podinfo/manifests/sha256:f53fce2c3056c62205025f4f9b1bb2af4df4eb648d8677c8bb14d6fc47afb47c": response status code 404: notfound: not found

JasonTheDeveloper commented 8 months ago

> This crashed the release Error: failed to push signature to registry with error: failed to push manifest: PUT "https://registry-1.docker.io/v2/***/podinfo/manifests/sha256:f53fce2c3056c62205025f4f9b1bb2af4df4eb648d8677c8bb14d6fc47afb47c": response status code 404: notfound: not found

I noticed that. Looking into it now. In my original testing I had not pushed the container to docker hub, only ghcr. Gimme a sec.

stefanprodan commented 8 months ago

I can remove the Docker Signing and try again if it should work on GHCR.

JasonTheDeveloper commented 8 months ago

> I can remove the Docker Signing and try again if it should work on GHCR.

I was about to suggest that. ~Do you want me to push a new commit?~

Looking through docs I believe the issue may be with Docker Hub itself. I thought Docker Hub supported OCI v1.1 as you can now push helm charts and SBOMs, but I can't seem to find any actual information explicitly stating Docker Hub indeed supports the 1.1 spec. There was talk of adding backwards compatibility in notation but that feature looks to be abandoned.

stefanprodan commented 8 months ago

Docker Hub is on 1.0 spec as far as I know.

stefanprodan commented 8 months ago

@JasonTheDeveloper I have removed the Docker Hub signing, and now 6.6.0 is out. Can you please test it out if the signatures for the GHCR container image, chart and manifest artifacts are OK?

JasonTheDeveloper commented 8 months ago

> @JasonTheDeveloper I have removed the Docker Hub signing, and now 6.6.0 is out. Can you please test it out if the signatures for the GHCR container image, chart and manifest artifacts are OK?

@stefanprodan I've made the changes to the e2e test. I've tested it locally to ensure switching to your build still works. They appear to work which is great! Just pushed and now I'm letting the pipeline run in my fork.