Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sign branch images with cosign #9571

Merged
merged 1 commit into from
Apr 24, 2024
Merged

Sign branch images with cosign #9571

merged 1 commit into from
Apr 24, 2024

Conversation

Nishnha
Copy link
Member

@Nishnha Nishnha commented Apr 23, 2024

Local branch of #9547

An initial implementation of #9546 for branch images

cc/ @JamieMagee

@Nishnha Nishnha requested a review from a team as a code owner April 23, 2024 15:37
@Nishnha Nishnha mentioned this pull request Apr 23, 2024
Closed
@JamieMagee JamieMagee force-pushed the nishnha/jamiemagee/cosign branch from 527857a to 2c91fe2 Compare April 23, 2024 15:54
@JamieMagee
Copy link
Contributor

Thanks @Nishnha. It looks like the push updater images step is still being skipped for some reason 🤷

@Nishnha
Copy link
Member Author

Nishnha commented Apr 23, 2024

I think it may require a codeowners approval

@JamieMagee
Copy link
Contributor

Ah, you're right. It needs maintainer approval.

@JamieMagee
Copy link
Contributor

JamieMagee commented Apr 24, 2024
edited
Loading

It looks like it worked 🎉

Here's the logs for the Bundler image

Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...

	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at [https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.](https://lfprojects.org/policies/hosted-project-tools-terms-of-use/)
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at [https://lfprojects.org/policies/hosted-project-tools-immutable-records/.](https://lfprojects.org/policies/hosted-project-tools-immutable-records/)

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
tlog entry created with index: 88201941
Pushing signature to: ghcr.io/dependabot/dependabot-updater-bundler

I can view that record on Rekor: https://search.sigstore.dev/?logIndex=88201941

And I can also verify the claims and certificates using cosign

$ cosign verify \
  ghcr.io/dependabot/dependabot-updater-bundler@sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513 \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/dependabot/dependabot-core/.github/workflows/images-branch.yml@refs/pull/9571/merge

Verification for ghcr.io/dependabot/dependabot-updater-bundler@sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

...

The rest of the output is quite large, so I've put it below:

Expand for details 
[
  {
    "critical": {
      "identity": {
        "docker-reference": "ghcr.io/dependabot/dependabot-updater-bundler"
      },
      "image": {
        "docker-manifest-digest": "sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
      "1.3.6.1.4.1.57264.1.2": "pull_request",
      "1.3.6.1.4.1.57264.1.3": "04e44db333752305ff158277a737f260da674f14",
      "1.3.6.1.4.1.57264.1.4": "Branch images",
      "1.3.6.1.4.1.57264.1.5": "dependabot/dependabot-core",
      "1.3.6.1.4.1.57264.1.6": "refs/pull/9571/merge",
      "Bundle": {
        "SignedEntryTimestamp": "MEQCIEDfF7Cwl1jvWw+Hvg1RAWKFt5OhEHQsYqYCfRgnFDx1AiAJQJ2nvBvHtBVf95Ln5hzXTcs2JAFI4LPQ3CfDqTPWbA==",
        "Payload": {
          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIxMzFmYTc1MDBmNzBjNzA5YmEzMjM4OGFkNzBhYTgzYWQwNGJhZDQwN2FmZjI3NmRlZjgxMjMyMGU2YjYwYjg2In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQ3BxK2RaZllnM0NPR2hkVnBMb0o5YUVLNDZXdncyKzl4VmUrd1IvN0x3S0FpQWNVTXFPQ2F0bTI5ZlFjN0liK0c3bHFlaDFCR0hOOWFsRDBkcTFTREFzSmc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVaEhha05EUW5GRFowRjNTVUpCWjBsVlFtOUVVVWQxTUV0bGNrcHBWU3RPYkd0c1lXbHZZbHBoUml0TmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJkMDVFU1RCTlJFa3hUa1JKTlZkb1kwNU5hbEYzVGtSSk1FMUVUWGRPUkVrMVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZIVnpSR1dHUllUSEJ6Y2tocE5WWk5ibTVEWkROa1NUQkNlbWxHU0hkSlNFcEphMGNLTDJGSlZqQmlUSEF2ZUZrMmJIVllTSEo0VVdrMVpWQkxWMU5PWlc1ekswVllka1ZzTkRKbVdXaEZRakowT0ZsdloyRlBRMEppT0hkbloxYzNUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlVyWWxWRUNtSXJlV05NVFdJdlYzUXljRzFaVm14cFdIcHRieXRKZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDJSQldVUldVakJTUVZGSUwwSkhiM2RoU1ZwdFlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKU2JHTkhWblZhUjBacFlqTlJkZ3BhUjFaM1dsYzFhMWxYU25aa1F6RnFZak5LYkV4NU5XNWhXRkp2WkZkSmRtUXlPWGxoTWxwellqTmtla3d5YkhSWlYyUnNZM2t4YVdOdFJuVlpNbWQxQ21WWE1YTlJTRXBzV201TmRtTklWbk5pUXpnMVRsUmplRXd5TVd4amJXUnNUVVJyUjBOcGMwZEJVVkZDWnpjNGQwRlJSVVZMTW1nd1pFaENlazlwT0hZS1pFYzVjbHBYTkhWWlYwNHdZVmM1ZFdONU5XNWhXRkp2WkZkS01XTXlWbmxaTWpsMVpFZFdkV1JETldwaU1qQjNSMmRaUzB0M1dVSkNRVWRFZG5wQlFncEJaMUZOWTBoV2MySkdPWGxhV0VZeFdsaE9NRTFFV1VkRGFYTkhRVkZSUW1jM09IZEJVVTFGUzBSQk1GcFVVVEJhUjBsNlRYcE5NMDVVU1hwTlJGWnRDbHBxUlRGUFJFa3pUakpGTTAxNlpHMU5hbGwzV2tkRk1rNTZVbTFOVkZGM1IzZFpTMHQzV1VKQ1FVZEVkbnBCUWtKQlVVNVJia3BvWW0xT2IwbEhiSFFLV1Zka2JHTjZRVzlDWjI5eVFtZEZSVUZaVHk5TlFVVkdRa0p3YTFwWVFteGliVkpvV1cwNU1Fd3lVbXhqUjFaMVdrZEdhV0l6VVhSWk1qbDVXbFJCYVFwQ1oyOXlRbWRGUlVGWlR5OU5RVVZIUWtKU2VWcFhXbnBNTTBJeFlrZDNkazlVVlROTlV6bDBXbGhLYmxwVVFUZENaMjl5UW1kRlJVRlpUeTlOUVVWSkNrSkRNRTFMTW1nd1pFaENlazlwT0haa1J6bHlXbGMwZFZsWFRqQmhWemwxWTNrMWJtRllVbTlrVjBveFl6SldlVmt5T1hWa1IxWjFaRU0xYW1JeU1IY0taR2RaUzB0M1dVSkNRVWRFZG5wQlFrTlJVbTlFUjFwdlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyV2tkV2QxcFhOV3RaVjBwMlpFTTVhd3BhV0VKc1ltMVNhRmx0T1RCTVYwNTJZMjFWZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbUZYTVdoYU1sWjZURmRLZVZsWE5XcGhRelUxQ21KWGVFRmpiVlp0WTNrNWQyUlhlSE5NZW1zeFRucEZkbUpYVm5sYU1sVjNUMEZaUzB0M1dVSkNRVWRFZG5wQlFrTm5VWEZFUTJkM1RrZFZNRTVIVW1rS1RYcE5lazU2VlhsTmVrRXhXbTFaZUU1VVozbE9lbVJvVG5wTk0xcHFTVEpOUjFKb1RtcGpNRnBxUlRCTlFqQkhRMmx6UjBGUlVVSm5OemgzUVZGelJRcEVkM2RPV2pKc01HRklWbWxNVjJoMll6TlNiRnBFUVRsQ1oyOXlRbWRGUlVGWlR5OU5RVVZOUWtNNFRVeFhhREJrU0VKNlQyazRkbG95YkRCaFNGWnBDa3h0VG5aaVV6bHJXbGhDYkdKdFVtaFpiVGt3VERKU2JHTkhWblZhUjBacFlqTlJkRmt5T1hsYVZFRTBRbWR2Y2tKblJVVkJXVTh2VFVGRlRrSkRiMDBLUzBSQk1GcFVVVEJhUjBsNlRYcE5NMDVVU1hwTlJGWnRXbXBGTVU5RVNUTk9Na1V6VFhwa2JVMXFXWGRhUjBVeVRucFNiVTFVVVhkS1FWbExTM2RaUWdwQ1FVZEVkbnBCUWtSblVWZEVRbEo1V2xkYWVrd3pRakZpUjNkMlQxUlZNMDFUT1hSYVdFcHVXbFJCV1VKbmIzSkNaMFZGUVZsUEwwMUJSVkJDUVc5TkNrTkVhM3BOVkZsNlRVUmplazFETUVkRGFYTkhRVkZSUW1jM09IZEJVa0ZGU0hkM1pHRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3eVVtd0tZMGRXZFZwSFJtbGlNMUYzUjBGWlMwdDNXVUpDUVVkRWRucEJRa1ZSVVV0RVFXZDVUbnBOTUU1NlVUTk9ha0l5UW1kdmNrSm5SVVZCV1U4dlRVRkZVd3BDUjJkTldtMW9NR1JJUW5wUGFUaDJXakpzTUdGSVZtbE1iVTUyWWxNNWExcFlRbXhpYlZKb1dXMDVNRXd5VW14alIxWjFXa2RHYVdJelVYUlpNamw1Q2xwVE9IVmFNbXd3WVVoV2FVd3paSFpqYlhSdFlrYzVNMk41T1hCaVYwWnVXbGhOZEZsdVNtaGliVTV2VEc1c2RHSkZRbmxhVjFwNlRETkNNV0pIZDNZS1QxUlZNMDFUT1hSYVdFcHVXbFJCTkVKbmIzSkNaMFZGUVZsUEwwMUJSVlJDUTI5TlMwUkJNRnBVVVRCYVIwbDZUWHBOTTA1VVNYcE5SRlp0V21wRk1RcFBSRWt6VGpKRk0wMTZaRzFOYWxsM1drZEZNazU2VW0xTlZGRjNTRUZaUzB0M1dVSkNRVWRFZG5wQlFrWkJVVTlFUVhoM1pGZDRjMWd6U214aldGWnNDbU16VVhkWlFWbExTM2RaUWtKQlIwUjJla0ZDUmxGU1UwUkdRbTlrU0ZKM1kzcHZka3d5WkhCa1IyZ3hXV2sxYW1JeU1IWmFSMVozV2xjMWExbFhTbllLWkVNNWExcFlRbXhpYlZKb1dXMDVNRXhYVG5aamJWVjJXVmRPTUdGWE9YVmplVGw1WkZjMWVreDZaelJOVkVGNlRWUkJlVTU2YTNaWldGSXdXbGN4ZHdwa1NFMTJUVlJCVjBKbmIzSkNaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhVkZaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamRDU0d0QkNtUjNRakZCVGpBNVRVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKcWR6UkhjbUUwUVVGQlVVUUtRVVZaZDFKQlNXZEpUbFZPUVRaM1pFSkllU3Q2UXl0aVREQnhVR0ZNZDA5UmNWWXliVmRKY0c4eVNGZFJUWGxMTVZOclEwbEVkMmgwVTJOTFFXVnBOd3AzT0V3eGNWSTJTbkZGWW1WcU4wTjRhVTVFTUZod1MxZEpZMGREVlZKV1RVMUJiMGREUTNGSFUwMDBPVUpCVFVSQk1tZEJUVWRWUTAxUlJHVkpSekJGQ2tONmNuRjNTWEZvUTNBeWRubHhSSFpQYW1NeVZteHJjWEJwY0VKNVRXYzFPVTVuYlRocU1EWlRZVWRJTDBSdGJTdHFZelZEVmpGMlVtNWpRMDFETVdVS05rUlhUbXB3YjJWcVFVVm5PRkJySzFkc2RETkhPRTQwS3pGc2NYTmhVMk5aWW5sNE5sSjNPRXgyUmpZME16TlpRV2h5U2pSb1RHRTNRV1Z0V1hjOVBRb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENnPT0ifX19fQ==",
          "integratedTime": 1713927270,
          "logIndex": 88201941,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "Issuer": "https://token.actions.githubusercontent.com",
      "Subject": "https://github.com/dependabot/dependabot-core/.github/workflows/images-branch.yml@refs/pull/9571/merge",
      "githubWorkflowName": "Branch images",
      "githubWorkflowRef": "refs/pull/9571/merge",
      "githubWorkflowRepository": "dependabot/dependabot-core",
      "githubWorkflowSha": "04e44db333752305ff158277a737f260da674f14",
      "githubWorkflowTrigger": "pull_request"
    }
  }
]

This allows us, and others, to verify where Dependabot container images were built.

Now that this is verified working, and backwards compatible, I think this can be merged and signing can be rolled out to the rest of the containers we push as well.

@JamieMagee
Copy link
Contributor

JamieMagee commented Apr 24, 2024
edited
Loading

I forgot to add that the signature is also published to our container registry. For the same bundler image I mentioned above:

ghcr.io/dependabot/dependabot-updater-bundler@sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513

The signature is available at:

ghcr.io/dependabot/dependabot-updater-bundler:sha256-32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513.sig

@JamieMagee JamieMagee mentioned this pull request Apr 24, 2024
Closed
@Nishnha Nishnha force-pushed the nishnha/jamiemagee/cosign branch from af92311 to 5106078 Compare April 24, 2024 13:34
@Nishnha Nishnha merged commit c371546 into main Apr 24, 2024
53 checks passed
@Nishnha Nishnha deleted the nishnha/jamiemagee/cosign branch April 24, 2024 14:14
This was referenced Apr 26, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abdulapopoola abdulapopoola abdulapopoola approved these changes

@JamieMagee JamieMagee JamieMagee approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Nishnha @JamieMagee @abdulapopoola