
docker: sign container images pushed to GHCR with GitHub OIDC tokens

Open konidev20 opened this issue 1 year ago • 2 comments

What does this PR change? What problem does it solve?

  • This allows users to verify the authenticity and integrity of Restic Docker images before using them.
  • This provides users with a verifiable record of how, when and where an artifact was built.

Refer:

  1. https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
  2. ~~https://github.com/sigstore/cosign-installer~~
  3. Generation of SLSA3+ provenance for container images

[Edit] Changes made to the GitHub Workflow:

  • ~~installing cosign v2.4.0~~
  • ~~add new step to sign all the images generated during the build and push step~~
  • the id-token of the GitHub Actions workflow will be used for image signing
  • replace branch-based tagging with SHA-based tagging, since branch names are mutable and SLSA provenance requires immutable tagging
  • use the official SLSA framework GitHub reusable workflow [/Edit]

Was the change previously discussed in an issue or on the forum?

Closes #4983

Checklist

  • [x] I have read the contribution guidelines.
  • [x] I have enabled maintainer edits.
  • [ ] I have added tests for all code changes.
  • [x] I have added documentation for relevant changes (in the manual).
  • [x] There's a new file in changelog/unreleased/ that describes the changes for our users (see template).
  • [x] I have run gofmt on the code in all commits.
  • [x] All commit messages are formatted in the same style as the other commits in the repo.
  • [x] I'm done! This pull request is ready for review.
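To make the final design in the description concrete (SHA-based tags, no explicit cosign step, provenance produced by the slsa-framework reusable workflow using the job's OIDC id-token), here is an added example workflow. It is illustrative and not restic's actual workflow: the trigger, the `ghcr.io/${{ github.repository }}` image name, every version pin, and the `verify` job are assumptions. The security-relevant detail it shows is that what gets attested and signed is the image digest, not a tag; tags (even `sha-…` ones) remain mutable registry pointers, so consumers should resolve a tag to a digest and verify that digest.

```yaml
# Added example, not restic's own workflow. Image name, version pins and the
# verify job are assumptions chosen for illustration.
name: docker-signed-build

on:
  push:
    tags: ["v*"]

permissions: {}   # every job declares only what it needs

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      # The digest is the only identifier the provenance will bind to.
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - uses: actions/checkout@v4

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Compute immutable commit-SHA tags (no branch-based tags)
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}   # assumes a lowercase owner/repo
          tags: |
            type=sha,format=long
            type=semver,pattern={{version}}

      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  provenance:
    needs: build
    permissions:
      actions: read      # the generator reads the run's metadata for the provenance
      id-token: write    # mints the OIDC token Fulcio exchanges for a signing cert
      packages: write    # the attestation is pushed to GHCR beside the image
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ghcr.io/${{ github.repository }}
      digest: ${{ needs.build.outputs.digest }}
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}

  verify:
    # Smoke test: verify the attestation the same way a user would, by digest,
    # pinned to this repository and this tag.
    needs: [build, provenance]
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - uses: slsa-framework/slsa-verifier/actions/installer@v2.6.0
      - name: Verify SLSA provenance by digest
        run: |
          slsa-verifier verify-image \
            "ghcr.io/${{ github.repository }}@${{ needs.build.outputs.digest }}" \
            --source-uri "github.com/${{ github.repository }}" \
            --source-tag "${GITHUB_REF_NAME}"
```

On the consumer side the same check is `slsa-verifier verify-image ghcr.io/OWNER/REPO@sha256:<digest> --source-uri github.com/OWNER/REPO`; the `--source-uri` pin is what stops an attestation produced by a different repository's run of the same reusable workflow from being accepted. If verifying with cosign instead, use `cosign verify-attestation --type slsaprovenance` with `--certificate-oidc-issuer https://token.actions.githubusercontent.com` and a `--certificate-identity-regexp` anchored to the slsa-github-generator workflow, because the certificate identity is the reusable workflow's, not the calling repository's.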

konidev20 avatar Aug 11 '24 18:08 konidev20

@MichaelEischer I need some more time to test; I am facing some issues during the SLSA verification.

konidev20 avatar Sep 15 '24 19:09 konidev20

@MichaelEischer the changes w.r.t. the SLSA provenance are complete. I will update the documentation shortly.

konidev20 avatar Sep 22 '24 17:09 konidev20

@MichaelEischer I guess you can do a final review and merge this.

As for

I am not sure how the build-and-push steps work to upload to Dockerhub. Let me see if I can make this a generic solution which would work for any repository, not limited to Dockerhub and GHCR.

I will pick it up in a separate issue.

konidev20 avatar Dec 01 '24 19:12 konidev20