zncdatadev / containers

Container for images of the Kubedoop Data Platform
Apache License 2.0

[Feature]: use buildah and cosign to build image and signature #55

Closed whg517 closed 3 months ago

whg517 commented 3 months ago

track list

background

Currently, Docker BuildKit is used to build the image, but the built image is in Docker format, not the standard OCI format, and BuildKit does not work well when integrating image signatures, SBOMs and other functions.

After some research, there are tools with more modern features; both use the OCI standard, and the underlying layer is containerd.

The above tools support multi-architecture cross-builds and parallel build tasks, and can directly view the multi-architecture image list, which makes it more convenient to use cosign to directly sign multi-architecture images and image lists.

In particular, nerdctl provides the `push --sign=cosign` parameter to automatically sign an image when it is pushed. However, nerdctl is not well supported in the GitHub Actions environment.

cosign is an open-source tool developed by the Sigstore project specifically for container image signing and verification. It uses transparency logs to store and verify signatures, supports keyless signing, and currently supports integration with mainstream image registries and CI/CD tools.

ref:

solution

Build the image using buildah, and sign the image, manifest and materials using cosign.

example

```shell
mkdir foo
cd foo

cat > Dockerfile <<EOF
FROM alpine
EOF

# build a multi-arch image and its manifest list
buildah build --platform=linux/arm64,linux/amd64 --manifest=quay.io/huagang/foo:v1 .

# push the manifest list and all of the images it references
buildah manifest push --all quay.io/huagang/foo:v1

# sign: you should log in with Google or GitHub. In GitHub CI, this is automatic with the repo owner info
cosign sign -y quay.io/huagang/foo:v1
```

In another Docker environment:

```shell
docker pull quay.io/huagang/foo:v1

docker inspect quay.io/huagang/foo:v1

# verify the image by digest, not by tag
cosign verify \
    --certificate-identity <REPO_OWNER_EMAIL> \
    --certificate-oidc-issuer=https://github.com/login/oauth \
    quay.io/huagang/foo@sha256:9ff57984be03fd306126b73d374c71ce401386baec45c48fbc018ecbb32209ae
```
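As an added example (not code from this issue or from the zncdatadev/containers project), the POSIX shell helpers below enforce the "verify by digest, not by tag" rule from the example above: a reference is only handed to `cosign verify` once it is pinned to a sha256 digest, so a mutable tag cannot be verified by accident. The function names `is_digest_ref`, `strip_tag`, `pin_to_digest` and `verify_pinned` are hypothetical, the identity and issuer arguments are placeholders, and the digest in the comments is the one quoted in this issue.

```shell
#!/bin/sh
# Added example, not part of the zncdatadev/containers repository.
# Assumes cosign is installed only when verify_pinned actually reaches the
# cosign call; the pure helpers run with nothing but a POSIX shell.

# is_digest_ref REF -> 0 if REF is pinned to a sha256 digest, 1 otherwise.
# Accepts only 64 lowercase hex characters after "@sha256:", which is what
# registries and cosign emit.
is_digest_ref() {
    case "$1" in
        *@sha256:*)
            digest="${1##*@sha256:}"
            [ "${#digest}" -eq 64 ] && [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ]
            ;;
        *)
            return 1
            ;;
    esac
}

# strip_tag REF -> repository part of REF without tag or digest.
#   quay.io/huagang/foo:v1            -> quay.io/huagang/foo
#   localhost:5000/foo:v1             -> localhost:5000/foo  (registry port kept)
#   quay.io/huagang/foo@sha256:<hex>  -> quay.io/huagang/foo
strip_tag() {
    ref="${1%%@*}"        # drop any digest suffix
    last="${ref##*/}"     # last path component is the only place a tag can live
    case "$last" in
        *:*) printf '%s\n' "${ref%:*}" ;;
        *)   printf '%s\n' "$ref" ;;
    esac
}

# pin_to_digest REF DIGEST -> REF rewritten as repo@sha256:<hex>.
# DIGEST may be "sha256:<hex>" (as docker inspect prints in RepoDigests) or bare hex.
pin_to_digest() {
    repo=$(strip_tag "$1")
    hex="${2#sha256:}"
    printf '%s@sha256:%s\n' "$repo" "$hex"
}

# verify_pinned REF IDENTITY ISSUER -> runs cosign verify, but refuses (exit 2)
# when REF is a tag rather than a digest, before cosign is invoked at all.
verify_pinned() {
    if ! is_digest_ref "$1"; then
        echo "refusing to verify mutable reference: $1 (pin it with pin_to_digest first)" >&2
        return 2
    fi
    cosign verify --certificate-identity "$2" --certificate-oidc-issuer "$3" "$1"
}

# Example flow (constructed digest value taken from the issue above):
#   pinned=$(pin_to_digest quay.io/huagang/foo:v1 \
#       sha256:9ff57984be03fd306126b73d374c71ce401386baec45c48fbc018ecbb32209ae)
#   verify_pinned "$pinned" '<REPO_OWNER_EMAIL>' https://github.com/login/oauth
```

In practice the digest passed to `pin_to_digest` comes from the registry or from `docker inspect` (the `RepoDigests` field) rather than from a comment; the guard matters because a tag such as `v1` can be re-pointed after signing, whereas the digest names exactly the content that was signed.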
whg517 commented 3 months ago

@tutunannan @lwpk110 please review it

tutunannan commented 3 months ago

Building container images using Buildah is a powerful and flexible way to create, manage, and deploy applications. Without the requirement for a Docker daemon or a Dockerfile, Buildah makes it simple to construct container images from scratch, add files, install packages, configure metadata, and more. As a result, Buildah is a quick and effective approach to creating container images that can be utilized in a variety of settings, including local development and production deployments. Overall, Buildah provides a strong and adaptable solution for creating container images.

What is Buildah? Buildah is a command-line tool that can be used to create, build, and manage container images without requiring a daemon or root privileges. With the help of a number of scripts and commands, Buildah offers a simple and comprehensible interface for creating container images. With Buildah, developers may generate images from scratch using a variety of base images, change already-existing images, and create unique images. Additionally, a variety of image formats, such as OCI and Docker images, are supported by Buildah.

Why Buildah over Docker? For building containers, developers use Buildah over Docker for the following reasons:

  1. Buildah does not require root privileges or a daemon to run and create containers, which can be a big help to security-conscious developers who want to avoid potential security flaws.
  2. Secondly, Buildah offers a more adaptable and versatile method for creating container images. Developers can generate new images from scratch or edit old ones using scripts and commands, giving them more precise control over the configuration and dependencies of the image.
  3. Thirdly, Buildah's support for a variety of image formats, such as OCI and Docker images, can give developers who want to work with various containerization tools additional options.
  4. To provide developers with a smooth and effective containerization process, Buildah works nicely with other containerization technologies, such as Podman.
tutunannan commented 3 months ago

Cosign is a tool within the sigstore project that greatly simplifies how content is signed and verified by storing signatures from container images and other types in OCI registries. By storing signatures with a predictable name as a related OCI artifact within a registry, the content can be leveraged by both consumers and producers of the signed material. However, there are situations where there may be not only a desire, but a requirement to forgo the storage of signatures in this default fashion. Fortunately, these scenarios for storing content produced with cosign can be adopted without compromising the integrity of the signing and verification process.

Cosign

Among the myriad tools available for signing, one that stands out for its comprehensive feature set is Cosign. It seamlessly covers various signing needs, including:

whg517 commented 3 months ago

Here is an article on the topic of image signatures from Red Hat, where I think you can learn more about the practice of image signing: Chapter 8. Signing container images