
Feature - Sign scorecard container with cosign

Open naveensrinivasan opened this issue 4 years ago • 12 comments

Is your feature request related to a problem? Please describe.
Sign scorecard containers with cosign

naveensrinivasan avatar Mar 26 '21 14:03 naveensrinivasan

Now that https://github.com/sigstore/cosign is 1.0, we could use it for signing.

Thoughts @inferno-chromium @azeemshaikh38

naveensrinivasan avatar Aug 05 '21 12:08 naveensrinivasan

On a high level the idea sounds good to me. I don't understand cosign 100% though. Do you mind sketching out what this would look like, i.e. would this be done through CloudBuild, any major changes that would be required, etc.?

azeemshaikh38 avatar Aug 05 '21 18:08 azeemshaikh38

@naveensrinivasan assigning this to you as per yesterday's discussion. Let's come up with a one-pager proposal here to submit in the TAC meeting.

azeemshaikh38 avatar Sep 08 '21 15:09 azeemshaikh38

I have the following recommendations:

  • I saw that the scorecard project uses GoReleaser to make a release. GoReleaser v0.176.0 (both OSS and Pro) was released with the ability to sign Docker images. 👉 https://carlosbecker.com/posts/goreleaser-cosign/
  • The second approach would be generating a public/private key pair, storing it within the repository, storing the password in GitHub Secrets, and using them within the GitHub Action. Of course, we are developing another improvement for generating key pairs and storing them in GitHub Secrets without doing it manually. 👉 https://github.com/sigstore/cosign/pull/848 👉 https://github.com/gythialy/golang-cross/pull/31

developer-guy avatar Oct 10 '21 15:10 developer-guy

Thank you @developer-guy! We are tracking this part of this larger issue https://github.com/ossf/scorecard/issues/1051

We want to come up with a plan of it being SLSA compliant.

  • We still haven't decided whether to use GitHub or Google for signing the keys, and also the provenance that comes along with it for it to be SLSA compliant.
  • Once we decide that, then it should be easy.
  • If you have any recommendations, more than happy to hear them on https://github.com/ossf/scorecard/issues/1051

naveensrinivasan avatar Oct 10 '21 16:10 naveensrinivasan

Would OIDC be an option? This way we don't need a special workflow to generate keys and store them in GH secrets, and we also get built-in key rotation.

laurentsimon avatar Oct 18 '21 16:10 laurentsimon

@asraa FYI

laurentsimon avatar Oct 18 '21 16:10 laurentsimon

Yes, that would be a great option for signing containers.

Signing a blob (scorecard binary) is easy. But verifying is jumping through lots of hoops. I am trying that; the tooling isn't there yet.

Also we need to understand if it satisfies the SLSA requirements.

naveensrinivasan avatar Oct 18 '21 22:10 naveensrinivasan
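To make the "hoops" on the verification side concrete: with keyless (OIDC) signing there is no long-lived public key for a consumer to pin, so the verifier has to pin the signer's identity and the OIDC issuer that Fulcio records in the short-lived certificate instead. The following Go example is added here and is not code from the scorecard project or from cosign. It builds a self-signed certificate shaped like a Fulcio leaf (constructed test data, not a real Sigstore-issued certificate) and applies the same exact-match identity/issuer constraint that cosign 2.x's `--certificate-identity` and `--certificate-oidc-issuer` flags enforce. The workflow URI and tag used as the identity are assumed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Fulcio records the OIDC issuer in a private extension (OID 1.3.6.1.4.1.57264.1.1,
// raw UTF-8 value); the signer's identity is the URI SAN (workflow) or email SAN.
var oidSigstoreIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// ExtractIdentity returns the (identity, issuer) pair a keyless verifier pins to.
func ExtractIdentity(cert *x509.Certificate) (identity, issuer string, err error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSigstoreIssuer) {
			issuer = string(ext.Value)
		}
	}
	if issuer == "" {
		return "", "", errors.New("no sigstore issuer extension")
	}
	switch {
	case len(cert.URIs) > 0:
		identity = cert.URIs[0].String()
	case len(cert.EmailAddresses) > 0:
		identity = cert.EmailAddresses[0]
	default:
		return "", "", errors.New("no URI or email SAN")
	}
	return identity, issuer, nil
}

// CheckIdentity is the exact-match constraint cosign 2.x applies through
// --certificate-identity and --certificate-oidc-issuer. "Chains to Fulcio" alone
// proves nothing: any GitHub account or workflow can obtain such a certificate.
func CheckIdentity(cert *x509.Certificate, wantIdentity, wantIssuer string) error {
	identity, issuer, err := ExtractIdentity(cert)
	if err != nil {
		return err
	}
	if issuer != wantIssuer {
		return fmt.Errorf("issuer %q, want %q", issuer, wantIssuer)
	}
	if identity != wantIdentity {
		return fmt.Errorf("identity %q, want %q", identity, wantIdentity)
	}
	return nil
}

// NewTestCert builds a self-signed certificate shaped like a Fulcio leaf. Constructed
// test data: a real leaf is issued by the Sigstore CA and handed over by cosign verify.
func NewTestCert(identity, issuer string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	uri, err := url.Parse(identity)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "constructed-fulcio-leaf"},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute), // Fulcio leaves are short-lived
		KeyUsage:        x509.KeyUsageDigitalSignature,
		URIs:            []*url.URL{uri},
		ExtraExtensions: []pkix.Extension{{Id: oidSigstoreIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Assumed placeholders: the workflow path and tag a scorecard release might run under.
	const id = "https://github.com/ossf/scorecard/.github/workflows/goreleaser.yml@refs/tags/v4.0.0"
	const iss = "https://token.actions.githubusercontent.com"
	cert, err := NewTestCert(id, iss)
	if err != nil {
		panic(err)
	}
	fmt.Println("release workflow:", CheckIdentity(cert, id, iss))
	fmt.Println("forked workflow:", CheckIdentity(cert,
		"https://github.com/someone-else/scorecard/.github/workflows/goreleaser.yml@refs/heads/main", iss))
}
```

The second call fails on purpose: a fork running the same workflow file gets a certificate from the same issuer, so only the pinned identity separates the real release workflow from an impostor. Pinning the issuer as well blocks a matching identity string issued by a different IdP.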

hello @azeemshaikh38 @naveensrinivasan, here is the keyless image signing example with GoReleaser, recently created as a sample project^1, thanks to @caarlos0. Of course, you can also find an example of signing the checksum; here is the related tweet^2.

Sample 1: Signing Container Images

docker_signs:
  - cmd: cosign
    env:
    - COSIGN_EXPERIMENTAL=1
    artifacts: images
    args:
    - 'sign'
    - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
    - '${artifact}'

Sample 2: Signing checksums.txt file

# checksums.txt is a plain file, so it goes in the `signs` section (not
# `docker_signs`) and is signed with `cosign sign-blob`, which writes a
# detached signature to the path GoReleaser exposes as ${signature}.
signs:
  - cmd: cosign
    env:
    - COSIGN_EXPERIMENTAL=1
    artifacts: checksum
    args:
    - 'sign-blob'
    - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
    - '--output=${signature}'
    - '${artifact}'

developer-guy avatar Nov 22 '21 07:11 developer-guy
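Sample 2 signs checksums.txt rather than the binaries themselves, so a consumer verifies in two steps: `cosign verify-blob` on checksums.txt and its signature, then a hash check of the downloaded binary against its entry in that file. The Go example below is added here, is not the scorecard project's or GoReleaser's own code, and implements only the second step. The checksum line is constructed test data whose digest is SHA-256("abc"), and the artifact file names are assumed.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrNotListed: the artifact has no entry in checksums.txt, so the signature on
// checksums.txt says nothing about it.
var ErrNotListed = errors.New("artifact not listed in checksums file")

// ParseChecksums reads sha256sum-style lines ("<hex>  <name>", or "<hex> *<name>"
// in binary mode) into a name -> digest map. A malformed line fails the whole file
// rather than being skipped, so a truncated download is not silently accepted.
// Names containing spaces are not handled (GoReleaser does not emit them).
func ParseChecksums(text string) (map[string]string, error) {
	out := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		sum := strings.ToLower(fields[0])
		if len(sum) != sha256.Size*2 {
			return nil, fmt.Errorf("bad digest length: %q", line)
		}
		if _, err := hex.DecodeString(sum); err != nil {
			return nil, fmt.Errorf("non-hex digest: %q", line)
		}
		out[strings.TrimPrefix(fields[1], "*")] = sum
	}
	return out, sc.Err()
}

// VerifyArtifact returns nil only if data hashes to the digest recorded for name.
// Run it after `cosign verify-blob` has accepted checksums.txt and its certificate:
// the signature covers the list, and the list covers each binary.
func VerifyArtifact(checksums map[string]string, name string, data []byte) error {
	want, ok := checksums[name]
	if !ok {
		return ErrNotListed
	}
	got := sha256.Sum256(data)
	if hex.EncodeToString(got[:]) != want {
		return fmt.Errorf("digest mismatch for %s", name)
	}
	return nil
}

// Constructed sample: one entry whose digest is SHA-256("abc"), standing in for
// a real release tarball (the file name is assumed).
const sampleChecksums = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  scorecard_4.0.0_linux_amd64.tar.gz\n"

func main() {
	sums, err := ParseChecksums(sampleChecksums)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact:  ", VerifyArtifact(sums, "scorecard_4.0.0_linux_amd64.tar.gz", []byte("abc")))
	fmt.Println("tampered:", VerifyArtifact(sums, "scorecard_4.0.0_linux_amd64.tar.gz", []byte("abd")))
	fmt.Println("unlisted:", VerifyArtifact(sums, "scorecard_4.0.0_darwin_arm64.tar.gz", []byte("abc")))
}
```

The unlisted case is the one people forget: a valid signature on checksums.txt does not vouch for any file that is not named in it, so an artifact missing from the list must be rejected rather than treated as unverified-but-fine.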

Cross-linking a few things from Kubernetes tracking:

  • Signing release artifacts: https://github.com/kubernetes/enhancements/issues/3031
  • SLSA Level 3 Compliance in the Kubernetes Release Process: https://github.com/kubernetes/enhancements/issues/3027
  • Signing artifacts with cosign: https://github.com/kubernetes/release/issues/2227
  • Implement container image signing MVP (KEP-3031): https://github.com/kubernetes/release/issues/2383
  • KEP (Kubernetes Enhancement Proposal): https://github.com/kubernetes/enhancements/tree/master/keps/sig-release/3031-signing-release-artifacts

justaugustus avatar Feb 23 '22 00:02 justaugustus

kindly ping @naveensrinivasan, what needs to be done? 🙏

developer-guy avatar Sep 16 '22 20:09 developer-guy

We could also wait for the slsa-generator to have support for containers (later this month), and use that with GoReleaser. I think some of our images use ko as well.

/cc @ianlewis

laurentsimon avatar Sep 16 '22 21:09 laurentsimon

Is this something that still needs to be discussed? If there is no feedback in the next 7 days on whether this remains important for the project, then this issue will be closed.

afmarcum avatar Aug 29 '23 20:08 afmarcum