opentelemetry-collector-releases icon indicating copy to clipboard operation
opentelemetry-collector-releases copied to clipboard

Published 20 hours ago verified publisher icon open-telemetry

Start to sign image releases with cosign

Open mattmoor opened this issue 3 years ago • 10 comments
trafficstars

Is your feature request related to a problem? Please describe.

I'd like to be able to verify that the images we are consuming from otel/opentelemetry-collector-contrib on DockerHub were produced by this repo's release automation.

Describe the solution you'd like

I'd like to see the workflow used to publish your images use sigstore/cosign keyless signing to sign the published images, e.g. like the actions sample here.

There are three main pieces to this:

  1. You need id-token: write permissions to generate an identity token for the workflow:
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write
  1. You need to install cosign
      - name: Install cosign
        uses: sigstore/cosign-installer@main
        with:
          cosign-release: 'v1.12.1'
  1. Sign the resulting image:
      - name: Sign the published Docker image
        env:
          COSIGN_EXPERIMENTAL: "true"
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        run: cosign sign THE_IMAGE_DIGEST

This can then be used with assorted policy controllers to verify that the images published to DockerHub were produced by .github/workflows/build-and-test.yml even if the static DockerHub credentials have been compromised.

Describe alternatives you've considered

You could also use sigstore/cosign to sign the images using a static key pair. However, this requires managing another secret (the signing key), and publishing your own verification key. Some projects (e.g. Google distroless) are signing things both ways, at least for now.

Additional context

No response

mattmoor avatar Sep 29 '22 02:09 mattmoor

If y'all are receptive to this, I'd be happy to send a PR with the above changes to the actions workflow, just let me know.

mattmoor avatar Sep 29 '22 02:09 mattmoor

The published image are in a different repository. Moving this issue there.

bogdandrutu avatar Sep 29 '22 05:09 bogdandrutu

I can help in the implementation

cpanato avatar Sep 29 '22 08:09 cpanato

That would be great, I had this on my radar anyway. We use goreleaser in this project, I believe there's an integration with cosign already.

jpkrohling avatar Sep 29 '22 12:09 jpkrohling

I'm assigning this to @mattmoor. If you need help, ping @cpanato :-)

jpkrohling avatar Sep 29 '22 12:09 jpkrohling

Yep, the implementation should be more straightforward :)

cpanato avatar Sep 29 '22 12:09 cpanato

@cpanato has forgotten more about goreleaser than I will ever know. Carlos, if you want to take this on that'd be fantastic 🙏

mattmoor avatar Sep 29 '22 18:09 mattmoor

PR: https://github.com/open-telemetry/opentelemetry-collector-releases/pull/207

also did others to updates some other things:

  • https://github.com/open-telemetry/opentelemetry-collector-releases/pull/205 for this one, if you are interested to use a distroless base image we can switch that

  • https://github.com/open-telemetry/opentelemetry-collector-releases/pull/206

cpanato avatar Sep 30 '22 14:09 cpanato

I commented in the relevant PR already, but our final images are scratch images already. The alpine base is being used only for build stages.

jpkrohling avatar Oct 03 '22 20:10 jpkrohling

I know that this issue is only about signing images. However, it would be good also to sign executables (especially for Windows and macOS). It looks like sigstore does not handle it. See: https://github.com/sigstore/cosign/issues/2170 and https://github.com/sigstore/fulcio/issues/250.

pellared avatar Aug 10 '23 12:08 pellared