
feat: sign checksum using cosign

Open Dentrax opened this issue 2 years ago • 16 comments

Signed-off-by: Furkan [email protected] Signed-off-by: Batuhan Apaydın [email protected]

Fixes #491

Dentrax avatar Nov 10 '21 11:11 Dentrax

We used cosign-release: 'v1.3.0' here, but we cannot verify for now since we have to wait for the next cosign release. Here is the related PR: https://github.com/sigstore/cosign/pull/991 by @shibumi. This feature is scheduled for the next v1.4.0 release. If we want to export the cert in the release, then probably we have to wait for one of these PRs to get merged: https://github.com/sigstore/cosign/pull/1016 and https://github.com/sigstore/cosign/pull/1021 by @developer-guy

Dentrax avatar Nov 10 '21 14:11 Dentrax

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

google-cla[bot] avatar Nov 11 '21 14:11 google-cla[bot]

@shibumi cosign v1.4.1 with a bunch of fixes was released today, as you might know; would you like to give this issue a hand? 🤩 Or I can do it if you don't have time 🤝

developer-guy avatar Dec 10 '21 18:12 developer-guy

@developer-guy I can confirm this works: https://github.com/shibumi/kubectl-htpasswd/releases/tag/v0.1.7

But you must set the experimental flag with cosign v1.4.1

shibumi avatar Dec 11 '21 04:12 shibumi

Kindly ping @mattmoor @imjasonh @shibumi, it seems everything works fine. 👉 https://github.com/developer-guy/ko/releases/tag/v0.9.3-signchecksum

$ httpie --download https://github.com/developer-guy/ko/releases/download/v0.9.3-signchecksum/checksums.txt.sig
$ httpie --download https://github.com/developer-guy/ko/releases/download/v0.9.3-signchecksum/checksums.txt.pem
$ httpie --download https://github.com/developer-guy/ko/releases/download/v0.9.3-signchecksum/checksums.txt

$ cosign verify-blob --signature checksums.txt.sig --cert checksums.txt.pem checksums.txt
Verified OK

👉 https://github.com/developer-guy/ko/runs/4592518036?check_suite_focus=true

developer-guy avatar Dec 21 '21 08:12 developer-guy

@Dentrax can you add these two lines to the goreleaser configuration? They ensure that goreleaser will produce a source tarball and sign this tarball as well. It provides an easy way to download a signed tarball via curl.

source:
  enabled: true

shibumi avatar Dec 21 '21 15:12 shibumi

We only sign the checksums.txt file right now. I think it is enough for verifying that the sha256 of the files has not been tampered with, but the final decision belongs to @imjasonh; let's ask him and wait for his response. Then, according to his response, maybe we can start signing tar files instead of just the checksums.txt file. WDYT @shibumi?

developer-guy avatar Dec 22 '21 19:12 developer-guy

Btw @imjasonh GoReleaser is now capable of generating SBOMs by using the Syft tool under the hood, so we can add that support to the ko project 🙋🏻‍♂️

developer-guy avatar Dec 22 '21 20:12 developer-guy

Btw @imjasonh GoReleaser is now capable of generating SBOMs by using the Syft tool under the hood, so we can add that support to the ko project 🙋🏻‍♂️

I'm not opposed, but I think that's a separate issue. I'd like to make sure that Syft's SBOM of ko and ko's SBOM of ko don't disagree. 🙃

imjasonh avatar Dec 22 '21 20:12 imjasonh

I removed the --oidc-issuer flag to enable ambient credential detection support in cosign

developer-guy avatar Dec 23 '21 06:12 developer-guy

We only sign the checksums.txt file right now. I think it is enough for verifying that the sha256 of the files has not been tampered with, but the final decision belongs to @imjasonh; let's ask him and wait for his response. Then, according to his response, maybe we can start signing tar files instead of just the checksums.txt file. WDYT @shibumi?

You misunderstood me. The problem is: if you do not generate source tarballs with goreleaser, goreleaser will not create a source tarball for the project. Instead, GitHub will create the source tarball, but there will be no checksum file for the source tarball.

shibumi avatar Dec 23 '21 09:12 shibumi
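As an added example (not part of this PR or of ko's own tooling), the script below chains the two checks a consumer of such a release would run: cosign's signature over checksums.txt, using the same verify-blob invocation shown above, and then the sha256 of each downloaded artifact against that now-trusted file. It also reports an artifact that has no entry in checksums.txt at all, which is the gap shibumi points out for the GitHub-generated source tarball. The release directory and its contents are constructed for the local run; the checksums.txt line format is assumed to be GoReleaser's "<sha256>  <filename>".

```shell
#!/usr/bin/env bash
# Added example, not ko's own code. Step 1 (cosign, as in the thread) trusts
# checksums.txt; step 2 trusts each artifact only via that file.
# Assumed format of checksums.txt: "<sha256>  <filename>" per line (GoReleaser).

# Returns 0 only if cosign accepts the signature; nothing else is trusted until then.
verify_checksums_signature() {
  # $1=checksums.txt $2=checksums.txt.sig $3=checksums.txt.pem
  cosign verify-blob --signature "$2" --cert "$3" "$1"
}

# Compute sha256 portably (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Verify one artifact against checksums.txt.
# Prints ok | MISMATCH | UNLISTED and returns 0 only for "ok".
verify_artifact() {
  local checksums="$1" artifact="$2" name expected actual
  name=$(basename "$artifact")
  expected=$(awk -v n="$name" '$2 == n {print $1}' "$checksums")
  if [ -z "$expected" ]; then
    # e.g. a GitHub-generated source tarball: the signed file says nothing about it
    echo "UNLISTED"; return 1
  fi
  actual=$(sha256_of "$artifact")
  if [ "$expected" = "$actual" ]; then
    echo "ok"; return 0
  fi
  echo "MISMATCH"; return 1
}

# Constructed sample release directory for a local run (not real ko artifacts).
make_sample_release() {
  local dir="$1"
  mkdir -p "$dir"
  printf 'ko binary\n' > "$dir/ko_linux_amd64.tar.gz"
  printf 'tampered\n'  > "$dir/ko_darwin_arm64.tar.gz"
  printf 'src\n'       > "$dir/ko-source.tar.gz"   # deliberately absent from checksums.txt
  {
    echo "$(sha256_of "$dir/ko_linux_amd64.tar.gz")  ko_linux_amd64.tar.gz"
    echo "0000000000000000000000000000000000000000000000000000000000000000  ko_darwin_arm64.tar.gz"
  } > "$dir/checksums.txt"
}
```

Against a real release, run verify_checksums_signature first on the three files downloaded as in the thread and only proceed to verify_artifact when it returns 0.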

kindly ping @imjasonh 🙋🏻‍♂️

developer-guy avatar Jan 25 '22 17:01 developer-guy

This Pull Request is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.

github-actions[bot] avatar Apr 26 '22 01:04 github-actions[bot]

kindly ping @imjasonh

developer-guy avatar May 10 '22 08:05 developer-guy

Rebased, updated. Test release: https://github.com/Dentrax/ko/releases/tag/v0.0.9

Dentrax avatar May 10 '22 08:05 Dentrax

kindly ping @imjasonh

developer-guy avatar Jun 06 '22 05:06 developer-guy

I think with #730 we have a fair assurance that the artifacts that we've released have come from reliable sources and are tamper-evident. I'll close this unless folks think there's more we should do to gain more assurance.

imjasonh avatar Aug 19 '22 14:08 imjasonh