registry-image-resource
feat: adds cosign support
Currently, Content Trust is a feature offered by the registry-image-resource, but the gold standard for image signing now is using (if it isn't already) Cosign. This PR implements the functionality to sign images with Cosign. Currently, although it is possible using SignCmd, Cosign is a CLI first - meaning using it as a library in code can be a little less than ideal. This results in a large number of config objects having to be passed into the SignCmd due to the fact that there is no CLI framework setting the default values.
When Cosign becomes more and more usable as a library, the code in this PR can be reduced. This includes the way we have to set a temporary environment variable for COSIGN_KEY and COSIGN_PASSWORD until these are values that can be more easily passed into the Cosign code. Another one is the Keychain. Currently, Cosign works such that if you have a docker config JSON file with registries and auth configured for them in a local cred store, Cosign will just use them via the go-containerregistry library. Due to security reasons, we don't want to have to put the credentials in a file in the registry-image-resource task as any developer that intercepts the container can easily view those credentials. Instead we use an InMemoryKeychain that the underlying Cosign/go-containerregistry libraries will pick up and use for the pushing of signatures to the registry.
implements: https://github.com/concourse/registry-image-resource/issues/329
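The two mechanisms the PR description relies on, an in-memory keychain and a temporarily scoped COSIGN_KEY / COSIGN_PASSWORD environment, as an added Go example that is not code from this PR or from registry-image-resource. To stay dependency-free it does not import go-containerregistry: `Resource`, `AuthConfig` and `Keychain` are local stand-ins that only mirror the shape of `authn.Resource` / `authn.Keychain`, and `InMemoryKeychain`, `registryRef` and `WithScopedEnv` are assumed names. It shows the properties a reviewer would want checked: credentials are resolved from memory per registry host and never written to a docker config file, Docker Hub aliases resolve to one entry, unknown registries fall back to anonymous, and the key/password variables exist only for the duration of the signing callback and are restored (or unset) afterwards even when the callback fails.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"sync"
)

// Resource mirrors the part of authn.Resource a keychain needs: the registry host.
type Resource interface {
	RegistryStr() string
}

// AuthConfig holds one registry credential pair (assumed local type).
type AuthConfig struct {
	Username string
	Password string
}

// Anonymous is returned for registries with no stored credentials.
var Anonymous = &AuthConfig{}

// Keychain mirrors the shape of authn.Keychain (assumed local stand-in).
type Keychain interface {
	Resolve(target Resource) (*AuthConfig, error)
}

// InMemoryKeychain keeps credentials in process memory only; nothing touches disk.
type InMemoryKeychain struct {
	mu    sync.RWMutex
	creds map[string]AuthConfig
}

func NewInMemoryKeychain() *InMemoryKeychain {
	return &InMemoryKeychain{creds: make(map[string]AuthConfig)}
}

// normalizeRegistry folds scheme, case and Docker Hub aliases so one stored
// entry matches however the image reference names the registry.
func normalizeRegistry(host string) string {
	host = strings.ToLower(strings.TrimSpace(host))
	host = strings.TrimPrefix(host, "https://")
	host = strings.TrimPrefix(host, "http://")
	host = strings.TrimSuffix(host, "/")
	switch host {
	case "", "docker.io", "index.docker.io", "registry-1.docker.io":
		return "index.docker.io"
	}
	return host
}

// Add stores a credential pair for a registry; empty values are rejected early
// rather than surfacing later as an opaque push failure.
func (k *InMemoryKeychain) Add(registry, username, password string) error {
	if username == "" || password == "" {
		return errors.New("keychain: username and password must both be non-empty")
	}
	k.mu.Lock()
	defer k.mu.Unlock()
	k.creds[normalizeRegistry(registry)] = AuthConfig{Username: username, Password: password}
	return nil
}

// Resolve returns a copy of the stored credential, or Anonymous when none exists.
func (k *InMemoryKeychain) Resolve(target Resource) (*AuthConfig, error) {
	if target == nil {
		return nil, errors.New("keychain: nil resource")
	}
	k.mu.RLock()
	defer k.mu.RUnlock()
	if c, ok := k.creds[normalizeRegistry(target.RegistryStr())]; ok {
		cp := c
		return &cp, nil
	}
	return Anonymous, nil
}

var _ Keychain = (*InMemoryKeychain)(nil)

// registryRef is a minimal Resource for tests and callers (assumed helper).
type registryRef string

func (r registryRef) RegistryStr() string { return string(r) }

// WithScopedEnv sets the given variables only while fn runs, then restores each
// one to its previous value, or unsets it if it was not set before.
func WithScopedEnv(vars map[string]string, fn func() error) error {
	type previous struct {
		value string
		set   bool
	}
	saved := make(map[string]previous, len(vars))
	defer func() { // runs even if fn or a Setenv below fails
		for name, p := range saved {
			if p.set {
				os.Setenv(name, p.value)
			} else {
				os.Unsetenv(name)
			}
		}
	}()
	for name, value := range vars {
		old, wasSet := os.LookupEnv(name)
		saved[name] = previous{value: old, set: wasSet}
		if err := os.Setenv(name, value); err != nil {
			return err
		}
	}
	return fn()
}

func main() {
	kc := NewInMemoryKeychain()
	_ = kc.Add("docker.io", "ci-bot", "constructed-token") // constructed sample credential
	auth, _ := kc.Resolve(registryRef("index.docker.io"))
	fmt.Println("docker.io user:", auth.Username)
	err := WithScopedEnv(map[string]string{"COSIGN_KEY": "<key pem>", "COSIGN_PASSWORD": "<pw>"}, func() error {
		fmt.Println("inside sign call, COSIGN_KEY set:", os.Getenv("COSIGN_KEY") != "")
		return nil
	})
	_, stillSet := os.LookupEnv("COSIGN_KEY")
	fmt.Println("after sign call, err:", err, "COSIGN_KEY still set:", stillSet)
}
```

Where the real code hands the keychain to Cosign, the same `Resolve` contract applies: a push to a registry the keychain does not know proceeds anonymously and fails at the registry rather than by reading a credential file, which is the behaviour the PR is after.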
This would be really useful.
Looks good, can confirm would be a very useful feature for us to have.
Thanks @taylorsilva , I'll get those added :+1:!
@taylorsilva
I've added a test but I'm not entirely sure if there's a way to test if the time has been signed as there is no response, only an error. So I've just asserted that there is no error that comes back for that test. Wondering what other thoughts you had?
The out test is failing:
Slightly more detailed error:
Made a small fix to the test. Looks like the image isn't being signed though as we're not seeing any of the info log lines output: