
verify all git artifacts using sigstore/gitsign

Open cooktheryan opened this issue 3 years ago • 4 comments

As a security minded individual, I would like to ensure artifacts are signed before pulling them onto a fetchit system.

  1. Would like to be able to provide a cosign public key to ensure that an image has been signed before running in an environment.

    AC:
     - Verify a public key can be provided to verify images
     - Verify that if a public key is provided and the signature does not match, the image will not start
     - Verify that if a public key is not provided, images launch as planned

  2. Or, I'd like to verify that all git commits being pulled in are verified with https://github.com/sigstore/gitsign

cooktheryan, Feb 16 '22 15:02

https://pkg.go.dev/github.com/sigstore/cosign/pkg/cosign#VerifyImageSignature

cooktheryan, Feb 17 '22 19:02

I've updated this issue to verify git commits, instead - https://github.com/sigstore/gitsign has been officially released and it will offer what we need to verify what's being pulled into the system.

sallyom, Jun 16 '22 15:06

Can now opt in to sigstore/gitsign verify with https://github.com/containers/fetchit/pull/224 and https://github.com/containers/fetchit/pull/230, and with a targetConfig like so:

targetConfigs:
- url: https://github.com/sallyom/fetchit
  verifyCommitsInfo:
    GitsignVerify: true
  filetransfer:
  - name: ft-ex
    targetPath: examples/filetransfer
    destinationDirectory: /tmp/ft
    schedule: "*/1 * * * *"
  branch: gitsign

sallyom, Aug 31 '22 15:08
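What opting in to `GitsignVerify: true` amounts to at the git level, as an added shell example that is not fetchit's own code nor code from the PRs above: it assumes `git` and `gitsign` are installed and that gitsign is wired in as git's x509 verification program via the config keys documented by sigstore/gitsign; `configure_gitsign`, `verify_new_commits` and `decide_apply` are hypothetical names, not fetchit internals.

```shell
#!/bin/sh
# Added example, not fetchit's own implementation. Assumes git and gitsign
# are installed; gitsign is used as git's x509 program through the two
# config keys below (the setup documented by sigstore/gitsign).

# Point git at gitsign for x509 signature verification in one checkout.
configure_gitsign() {
  repo="$1"
  git -C "$repo" config --local gpg.format x509
  git -C "$repo" config --local gpg.x509.program gitsign
}

# Verify every commit a fetch would bring in (old_ref..new_ref, or the
# whole history reachable from new_ref on a first clone when old_ref is
# empty). Returns 0 only if each commit carries a valid gitsign signature;
# stops at the first unsigned or invalid commit (fail closed).
verify_new_commits() {
  repo="$1"; old_ref="$2"; new_ref="$3"
  range="${old_ref:+$old_ref..}$new_ref"
  for c in $(git -C "$repo" rev-list "$range"); do
    if ! git -C "$repo" verify-commit "$c" >/dev/null 2>&1; then
      echo "unsigned or invalid signature: $c" >&2
      return 1
    fi
  done
  return 0
}

# Opt-in policy for one target: verification off -> apply as before;
# on and verified -> apply; on and verification failed -> skip the update.
# $1: "true" if GitsignVerify is set for the target, $2: exit code of
# verify_new_commits. Prints "apply" or "skip".
decide_apply() {
  gitsign_verify="$1"; verify_rc="$2"
  if [ "$gitsign_verify" != "true" ]; then
    echo apply
  elif [ "$verify_rc" -eq 0 ]; then
    echo apply
  else
    echo skip
  fi
}

# Usage against a hypothetical checkout of the target above:
#   configure_gitsign /tmp/fetchit-src
#   verify_new_commits /tmp/fetchit-src "$OLD_HEAD" origin/gitsign; rc=$?
#   [ "$(decide_apply true "$rc")" = apply ] && echo "safe to apply"
```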

leaving this open to add other options for verifying commits

sallyom, Aug 31 '22 15:08