ublue-os / main

OCI base images of Fedora with batteries included
https://universal-blue.org/images/main/
Apache License 2.0
486 stars 43 forks

Ensure unsigned images never get published #643

Open castrojo opened 2 hours ago

castrojo commented 2 hours ago

We got a few rando reports of image upgrade failures, p5 investigated and it was a temporary outage from sigstore:

Error: signing [ghcr.io/ublue-os/kinoite-nvidia@sha256:2219734f69fc517aac7f744c2f9af0f5fc54796b8a866a9ee686cd0f73b72edf]: signing digest: Post "https://rekor.sigstore.dev/api/v1/log/entries": POST https://rekor.sigstore.dev/api/v1/log/entries giving up after 4 attempt(s)

Rebuilds fixed the issue:

j0rge: should we have a step that verifies the signatures on each build maybe? I don't recall this happening before?

p5: A verify step would only be useful if we ran it before pushing the image (or tagging the images with the final tag). Currently signing happens after pushes, so it will block nothing.

KyleGospo: I think we need a cleanup action that removes these failed builds. Sigstore going down shouldn't leave us with an unsigned image, though at least it's a self-solving problem.

p5 commented 2 hours ago

Something we could consider is to push the images to GHCR with a temporary tag (or no tag?), sign the images with cosign using the digest as the selector, then set the final tags via Skopeo. This would mean that the final "production" tags are only added onto the image after the image signing step was successful.

  1. Push images to GHCR with temporary/no tag
  2. Tell cosign to sign the image with the digest
  3. Add the required tags to the image
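The three steps above as a shell gate, written as an added example rather than code from ublue-os/main: the final tags are only written by skopeo after cosign has signed the digest and the signature verifies. It assumes key-based signing with `COSIGN_PRIVATE_KEY` exported and `cosign.pub` in the working directory, a registry login already done, and `ghcr.io/ORG/IMAGE` as a placeholder image name.

```shell
#!/bin/sh
# Added example, not ublue-os code. Assumes cosign, skopeo and jq are installed,
# the registry login is already done, COSIGN_PRIVATE_KEY is exported and
# cosign.pub is in the working directory (key-based signing is an assumption).
set -eu

# A digest is the only stable selector: a tag can be moved, a digest cannot.
is_sha256_digest() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Resolve the digest of the image pushed under the temporary tag (step 1).
resolve_digest() {
  skopeo inspect "docker://$1" | jq -r '.Digest'
}

# Step 2: sign by digest, then verify with the public key before promoting.
sign_and_verify() {
  local ref="$1"
  cosign sign --yes --key env://COSIGN_PRIVATE_KEY "$ref" || return 1
  cosign verify --key cosign.pub "$ref" >/dev/null || return 1
}

# Step 3: copy the signed digest to each final tag. --all keeps every
# architecture of a manifest list rather than only the host's.
promote_tags() {
  local image="$1" digest="$2"
  shift 2
  for tag in "$@"; do
    skopeo copy --all "docker://${image}@${digest}" "docker://${image}:${tag}" || return 1
  done
}

# Gate: production tags are written only after signing succeeded, so a
# sigstore outage leaves the build untagged instead of unsigned.
# Usage: publish_signed ghcr.io/ORG/IMAGE sha256:<digest> latest 40
publish_signed() {
  local image="$1" digest="$2"
  shift 2
  is_sha256_digest "$digest" || { echo "bad digest: $digest" >&2; return 1; }
  if ! sign_and_verify "${image}@${digest}"; then
    echo "signing/verification failed; ${image}@${digest} left untagged" >&2
    return 1
  fi
  promote_tags "$image" "$digest" "$@"
}
```

In a workflow the call would be `publish_signed "$IMAGE" "$(resolve_digest "$IMAGE:$TMP_TAG")" latest 40`, with the temporary tag deleted or left to expire afterwards.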