docker: Sign docker images without keys and push to ghcr.io
Sign docker containers without using keys. This uses GitHub as an OIDC provider and signs the image: https://github.com/sigstore/cosign/blob/main/KEYLESS.md. When there aren't keys, like in https://github.com/lightningnetwork/lnd/blob/c43b9e4fe716f084ff135cf658897fb056e075a0/.github/workflows/docker.yml#L30, then it is not likely to be compromised. Though the one in that code is being used for pushing into the registry.
This solves https://github.com/lightningnetwork/lnd/issues/5728
Docker Image validated
These images are signed, which means they can be validated. This could potentially replace verify-install #5780.
Here is the validation of the signature.
COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/naveensrinivasan/lnd
No TUF root installed, using embedded CA certificate.
No TUF root installed, using embedded rekor key
Verification for ghcr.io/naveensrinivasan/lnd:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- Any certificates were verified against the Fulcio roots.
[
{
"critical":{
"identity":{
"docker-reference":"ghcr.io/naveensrinivasan/lnd"
},
"image":{
"docker-manifest-digest":"sha256:fcc31d459fddc0986570ae51236c7532693fa32006ad704751499a90ca9ca743"
},
"type":"cosign container image signature"
},
"optional":{
"Bundle":{
"SignedEntryTimestamp":"MEQCIDzQLsa9UcMxqnuVxm+eX6/URZvjqcOLyITik3vIsl13AiA3aj8MflSiCVHerFUGViXGqs9tiNEneox/qihtKun8qg==",
"Payload":{
"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJzcGVjIjp7ImRhdGEiOnsiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjU0YzFkNGViMTBkODMyNDUzYmY3YTE0MjkzZTgxNTMwYjlmM2Q2M2UzYzI0NTYzNjVjNTQ5YWU2YzdkOWIyYzkifX0sInNpZ25hdHVyZSI6eyJjb250ZW50IjoiTUVVQ0lGQkYycG50bkpGRFc4NHVjSDhtbEtCRXVrYTNRNm5nVWhOV0VqQUhMT1pZQWlFQThOc2FzL2JjWTBDZHl3NDhXZGllcWZ1VXBZbFF1ZXNNeTRjRkpqdlRxeUE9IiwiZm9ybWF0IjoieDUwOSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjNha05EUVd0bFowRjNTVUpCWjBsVlFVcExXVUZhVGtVdk1rbFlRMUJLZEVVM2RVMDJObEpRZUhSSmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1MycEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWtWM1JIZFpSRlpSVVVSRmQyaDZZVmRrZW1SSE9YbGFWRUZsUm5jd2VRcE5WRVYzVFVSSmQwMVVTWGhPVkU1aFJuY3dlVTFVUlhkTlJFbDNUVlJSZUU1VVNtRk5RVUYzVjFSQlZFSm5ZM0ZvYTJwUFVGRkpRa0puWjNGb2EycFBDbEJSVFVKQ2QwNURRVUZSVlZaNGVFWjFhWFpJV1VOeEx6Sm1kR1ZNZGt0VGJVaDBPRWszZVhKbWRrMXpUamhqYUd4d2NFaHpPV3hrWVhOR1pIRXhXallLVEVsb1praEdlWEZvYUVwbFlrczBXR3AxVURSclRHcFZhVzFzVW5KMFVtZHZORWxDWTNwRFEwRlhPSGRFWjFsRVZsSXdVRUZSU0M5Q1FWRkVRV2RsUVFwTlFrMUhRVEZWWkVwUlVVMU5RVzlIUTBOelIwRlJWVVpDZDAxRVRVRjNSMEV4VldSRmQwVkNMM2RSUTAxQlFYZElVVmxFVmxJd1QwSkNXVVZHVFdGcUNtSlBVMjEyY21SalFUUm5jRGQ1Uldod2VUSjZSbGN5VGsxQ09FZEJNVlZrU1hkUldVMUNZVUZHVFdwR1NGRkNRbTFwVVhCTmJFVnJObmN5ZFZOMU1Vc0tRblJRYzAxSlIwNUNaMmR5UW1kRlJrSlJZMEpCVVZOQ1owUkNLMDFJZDBkRFEzTkhRVkZWUmtKNlFVTm9ia0p2WkVoU2QwOXBPSFpqU0Vwd1pHMUdNQXBhVjA1b1RGZE9kbUp1VW14aWJsRjBUbXBCZWxwdFZUTmFWR04wVFVSQmQwMURNSGxOYWtrelRGZEtiVTU2VlhSYWFsSnRUbGRWTkUxSFVYbFBWRlV3Q2t4dVRqQmlNMHBvV2pKVmRWb3lPWFphTW5oc1dWaENjR041TldwaU1qQjJXVEpGZWs1dFJYaGFWR3N5VFdwUmVWbHFiRzFaTWtsNFRrUlpkbGt5UlhVS1dUTktNRTFIYjBkQk1WVmtSVkZGUWk5M1VtZE5SalpIV0Vkb01HUklRbnBQYVRoMldqSnNNR0ZJVm1sTWJVNTJZbE01ZFZsWVdteGFWelY2WTIxc2RRcGhXRnBvWXpKR2RVd3llSFZhUXpoMVdqSnNNR0ZJVm1sTU0yUjJZMjEwYldKSE9UTmplVGxyWWpKT2NscFlTWFJqTW14dVltazFOV0pYZUVGamJWWnRDbU41T1hka1YzaHpUSHBGTkV3eU1XeGpiV1JzVFVGdlIwTkRjVWRUVFRRNVFrRk5SRUV5YTBGTlIxbERUVkZEUm1KSVVqVlpTQ3RoUVdFcmIyNDBhVFFLTWtFNFNGVnJURU5aVW1KRVJFRllRVkJqVEU5QldYTkRhVWRpUlU4d1RETTBPVkk0WVVOdWNVTndUVTkyZEUxRFRWRkVPR1V4YWtSdmNFTnRSWGN5VmdvM2JFTlViWGRNTDJwMlJGQjBTemxsZHpOb1dHdEVOVEF3VERsU1dGUnpXRTlyUmtwVFVVeEVaRGxNVW1sVk5VdERkVms5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fSwia2luZCI6InJla29yZCJ9",
"integratedTime":1633137714,
"logIndex":729517,
"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}
},
"Subject":"https://github.com/naveensrinivasan/lnd/.github/workflows/docker-sign.yml@refs/pull/18/merge"
}
}
]
What is cosign and Sigstore?
https://www.sigstore.dev
Sigstore trusts
https://github.com/sigstore/root-signing
How it works
https://www.sigstore.dev/how-it-works
Can I run my own transparency log?
Yes, https://github.com/sigstore/rekor
Here is the docker image from my push https://github.com/naveensrinivasan/lnd/pkgs/container/lnd
Not including the release notes as this one is not yet decided.
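What the `Subject` field in the verify output above actually buys a consumer, as an added example (this is not lnd code and not part of cosign): keyless mode only proves that *some* OIDC identity signed the image, so the consumer has to pin the repository, workflow file and git ref it trusts. The sample JSON below is constructed from the fields shown in the thread (the base64 Rekor body is omitted); the policy parameters and the 1.x output shape are assumptions, and the Subject format is the one Fulcio issues for GitHub Actions.

```python
"""Policy check over the JSON printed by `cosign verify` in keyless mode.

Added example for this thread; it is not lnd code and not part of cosign.
Keyless verification only proves that *some* OIDC identity (here a GitHub
Actions workflow) signed the image. The certificate's Subject says which one,
so a consumer must pin the repository, workflow file and git ref it trusts,
otherwise a signature from any other repository's workflow would also verify.
"""
import json
import re

# Constructed sample in the shape cosign 1.x prints (COSIGN_EXPERIMENTAL=1),
# trimmed to the fields this policy reads. The digest, log index and Subject
# are the ones shown in the thread; the base64 Rekor body is omitted.
SAMPLE_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/naveensrinivasan/lnd"},
        "image": {"docker-manifest-digest":
                  "sha256:fcc31d459fddc0986570ae51236c7532693fa32006ad704751499a90ca9ca743"},
        "type": "cosign container image signature",
    },
    "optional": {
        "Bundle": {"Payload": {"integratedTime": 1633137714, "logIndex": 729517}},
        "Subject": "https://github.com/naveensrinivasan/lnd/.github/workflows/"
                   "docker-sign.yml@refs/pull/18/merge",
    },
}])

# Fulcio encodes a GitHub Actions identity as
# https://github.com/<owner>/<repo>/<workflow path>@<git ref>
SUBJECT_RE = re.compile(
    r"^https://github\.com/(?P<repo>[^/]+/[^/]+)/"
    r"(?P<workflow>\.github/workflows/[^@]+)@(?P<ref>refs/.+)$"
)


def parse_subject(subject):
    """Split a GitHub Actions Subject into repo, workflow path and ref."""
    match = SUBJECT_RE.match(subject)
    if match is None:
        raise ValueError(f"Subject is not a GitHub Actions identity: {subject!r}")
    return match.groupdict()


def evaluate(output_json, expected_repo, expected_workflow, allowed_ref_pattern,
             expected_digest=None):
    """Return one list of policy violations per signature in cosign's output.

    An empty list means that signature is acceptable under the given policy.
    allowed_ref_pattern is a regex matched against the whole git ref, e.g.
    r"refs/tags/v.*" to accept only tag builds.
    """
    results = []
    for entry in json.loads(output_json):
        problems = []
        critical = entry.get("critical", {})
        optional = entry.get("optional", {})

        if critical.get("type") != "cosign container image signature":
            problems.append("unexpected payload type")

        digest = critical.get("image", {}).get("docker-manifest-digest", "")
        if not digest.startswith("sha256:"):
            problems.append("missing or non-sha256 manifest digest")
        elif expected_digest and digest != expected_digest:
            problems.append(f"digest {digest} does not match pinned {expected_digest}")

        # No Bundle means inclusion in the transparency log was not checked.
        if "Bundle" not in optional:
            problems.append("no Rekor bundle attached to signature")

        subject = optional.get("Subject")
        if subject is None:
            problems.append("no certificate Subject (not a keyless signature)")
        else:
            try:
                ident = parse_subject(subject)
            except ValueError as exc:
                problems.append(str(exc))
            else:
                if ident["repo"] != expected_repo:
                    problems.append(f"signed by repo {ident['repo']}, expected {expected_repo}")
                if ident["workflow"] != expected_workflow:
                    problems.append(f"signed by workflow {ident['workflow']}, expected {expected_workflow}")
                if re.fullmatch(allowed_ref_pattern, ident["ref"]) is None:
                    problems.append(f"ref {ident['ref']} not allowed by policy")
        results.append(problems)
    return results


if __name__ == "__main__":
    # The thread's signature came from a pull-request merge ref, so a policy
    # that only trusts release tags rejects it even though cosign verified it.
    for problems in evaluate(SAMPLE_OUTPUT, "naveensrinivasan/lnd",
                             ".github/workflows/docker-sign.yml", r"refs/tags/v.*"):
        print("ACCEPT" if not problems else "REJECT: " + "; ".join(problems))
```

Run stand-alone it rejects the thread's own signature, because `refs/pull/18/merge` is a PR merge ref rather than a release tag; the same output is accepted once the policy allows PR refs. Later cosign releases (2.x) enforce this at verify time through `--certificate-identity` and `--certificate-oidc-issuer`, which is the flag-based equivalent of the Subject check done here.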
@guggero Friendly Ping.
Thanks for the PR. I took a quick look at the keyless signing with cosign. From what I understand this doesn't really improve the security of the generated images.
Sure, it proves that the images were built by GitHub and not modified after the build. But the verification we are looking for is that the build is legitimate (more than one team member signed off on it, a single bad actor cannot arrive at more than one signature of the required 5) and reproducible (everyone can arrive at the same digest of the binaries on their own machine).
If instead we could all build the images locally, sign the digest and upload that signature to GitHub in a way that cosign could verify them, that would be great. But I'm not sure that's currently possible? Also we'd want to re-use our RSA keys for signing the images.
Perhaps for now we can just add an action to .github/workflows/docker.yml that additionally uploads the generated images to ghcr.io.
https://twitter.com/kelseyhightower/status/1502112834120937477
Also, some interesting things are coming out of SLSA with build provenance: https://github.com/slsa-framework/slsa and https://github.com/gossts/slsa-provenance. There will soon be a blog post on this, along with a white paper on generating build provenance and signing within the GitHub workflow.
@naveensrinivasan, remember to re-request review from reviewers when ready
Realized after grokking the btcd version of this PR, that it's actually pretty useful.
Closing due to inactivity
!lightninglabs-deploy mute