sign Contour builds
When we have bandwidth, let’s gpg sign our builds with something like OpenPGP for better verification. This can be signed by any of project Contour’s core maintainers.
The user can then download an *.asc OpenPGP key as part of the release artifacts on GitHub to verify that the download is indeed genuine. It’s best practice that the signer of the builder should use a CNCF domain email and not a company specific one. It would be ideal to use the email to identify maintainer membership.
This is one of the requirements for the CII Silver badge https://bestpractices.coreinfrastructure.org/en/criteria/1?details=true&rationale=true
“The project MUST cryptographically sign releases of the project results intended for widespread use, and there MUST be a documented process explaining to users how they can obtain the public signing keys and verify the signature(s). The private key for these signature(s) MUST NOT be on site(s) used to directly distribute the software to the public.”
Tagging it as a 1.20 candidate for us to discuss
We should definitely do this, but as the only artifacts we actually provide are container images, we will need to figure out signing those images, possibly using https://github.com/sigstore/cosign or similar.
You’re right, we don’t ship any kind of installer. I was thinking of a quick way to just sign the release bundle as a whole indicating that it did come from the maintainer team, rather than signing every image because it puts onus on the end user somewhat to verify every artifact.
We can give Cosign a try if we have the bandwidth; it’s picking up some steam in the community. I saw a PR in kubernetes release to use cosign for image signing as well.
Does cosign come with its own client for verifying signatures, or are there loads of clients on the market already?
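The flow discussed above (sign the release bundle as a whole, let the user verify the download with the published public key) as an added example that is not part of this issue or of the Contour project's code. It stands in ed25519 from Go's standard library for OpenPGP or cosign, since the thread has not settled on tooling; the artifact contents and key pair are constructed for the demo, and the signing step is meant to run on a maintainer's machine, never on the host that distributes the release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// SignBundle (maintainer side): one signature over a sorted manifest of "<sha256 hex>  <name>" lines covers every artifact.
func SignBundle(priv ed25519.PrivateKey, artifacts map[string][]byte) (manifest, sig []byte) {
	names := make([]string, 0, len(artifacts))
	for n := range artifacts {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		manifest = fmt.Appendf(manifest, "%x  %s\n", sha256.Sum256(artifacts[n]), n)
	}
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyBundle (user side): the signature must validate before any digest is trusted; then every listed artifact must be present and match.
func VerifyBundle(pub ed25519.PublicKey, manifest, sig []byte, downloaded map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return fmt.Errorf("manifest signature invalid: not signed by the release key")
	}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		data, ok := downloaded[f[1]]
		if !ok || fmt.Sprintf("%x", sha256.Sum256(data)) != f[0] {
			return fmt.Errorf("artifact %s missing or does not match its signed digest", f[1])
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	bundle := map[string][]byte{"contour.yaml": []byte("apiVersion: v1\n")} // constructed
	manifest, sig := SignBundle(priv, bundle)
	fmt.Println("genuine:", VerifyBundle(pub, manifest, sig, bundle))
	bundle["contour.yaml"] = append(bundle["contour.yaml"], "# tampered\n"...)
	fmt.Println("tampered:", VerifyBundle(pub, manifest, sig, bundle))
}
```

Because the signature covers the manifest rather than each file, a user checks one signature and then only hashes; a tampered, missing or unsigned artifact fails at the digest step even though the signature itself is still valid.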
I think that there's a bunch more infrastructure that needs to be provided for the signatures to be used by a Kubernetes cluster (like Notary, registry support etc), but it seems like the mechanisms for storing the signatures in the repo are reasonably standard, so this would be step 1 of users being able to trust the supply chain.
The Contour project currently lacks enough contributors to adequately respond to all Issues.
This bot triages Issues according to the following rules:
- After 60d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, the Issue is closed
You can:
- Mark this Issue as fresh by commenting
- Close this Issue
- Offer to help out with triage
Please send feedback to the #contour channel in the Kubernetes Slack