connaisseur
Community Attestation Service integration
Description
Adds the possibility to run CAS as a signing solution.
Currently works with images that have a SHA256 digest.
Checklist
- [x] PR is rebased to/aimed at branch `develop`
- [x] PR follows Contributing Guide
- [ ] Added tests (if necessary)
- [x] Extended README/Documentation (if necessary) - extended README with link to CAS
- [ ] Adjusted versions of image and Helm chart in `values.yaml` and `Chart.yaml` (if necessary)
Please point out what I should change/extend in order to make this PR mergeable.
@Razikus awesome idea on first sight :rocket: Should I support with further tests and points to add stuff, or just point you in the right direction?
Thanks for contributing :pray:
Hello!
It depends on you :) I would really appreciate support, but you can also just point out things that I should change/make and I can implement them.
One of the questions that I have: could we extract the digest from an image that is not marked with a digest? It would allow CAS to actually verify all images then.
@Razikus When I gave it a first brief test, I was not able to get it to run. Would you have minimal documentation of how to run with CAS? This will be needed in any case to have a documentation page as for the other validators: https://github.com/sse-secure-systems/connaisseur/tree/master/docs/validators . Feel free to add your own, based on the other examples.
I would take some time for testing and checking, specifically as it also introduces further dependencies and I'd like to understand a bit more about things :slightly_smiling_face:
Sure, no problem. I will add/update the docs next week.
Currently the CAS integration works only with SHA256, so that's how you should pass the image:
- Grab your API key from https://cas.codenotary.com/
- Download the binary from https://github.com/codenotary/cas/releases/tag/v1.0.2
- Notarize the hash of the image with
  ```
  ./cas-v1.0.2-linux-amd64-static notarize --api-key YOURAPIKEY --hash HASH --name ANYASSETNAME
  ```
- Then you can deploy your Connaisseur with the values below. Your email is actually your signer ID in CAS:
  ```yaml
  - name: default
    type: cas
    signerId: youremail
  ```
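The steps above hinge on two things the thread leaves implicit: the image reference handed to the validator must carry a `sha256:` digest (a tag alone cannot be notarized or verified), and the notarizing signer must match the configured `signerId`. The following Python snippet is an added example, not code from the Connaisseur project or from this PR; it parses a container image reference, extracts the digest, and makes the allow/deny decision against a constructed in-memory notarization table. That table (`NOTARIZED`) and the function names are assumptions standing in for the real CAS lookup, whose API is not shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Only sha256 digests are accepted, matching the limitation stated in the PR.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    name: str              # registry/repository, e.g. "localhost:5000/app"
    tag: Optional[str]     # e.g. "1.0", or None
    digest: Optional[str]  # e.g. "sha256:<64 hex>", or None


def parse_reference(ref: str) -> ImageRef:
    """Split 'name[:tag][@digest]' into its parts.

    The tag is the text after the last ':' in the final path component, so a
    registry port such as 'localhost:5000/app' is not mistaken for a tag.
    """
    name_tag, _, digest = ref.partition("@")
    last_slash = name_tag.rfind("/")
    colon = name_tag.rfind(":")
    if colon > last_slash:
        name, tag = name_tag[:colon], name_tag[colon + 1:]
    else:
        name, tag = name_tag, None
    if not name:
        raise ValueError(f"empty image name in reference {ref!r}")
    return ImageRef(name=name, tag=tag, digest=digest or None)


def extract_sha256(ref: str) -> str:
    """Return the bare 64-hex sha256 value, or raise if the reference lacks one."""
    parsed = parse_reference(ref)
    if parsed.digest is None:
        raise ValueError(
            f"{ref!r} is not pinned by digest; a tag alone cannot be verified"
        )
    if not DIGEST_RE.fullmatch(parsed.digest):
        raise ValueError(f"unsupported digest format {parsed.digest!r}")
    return parsed.digest.split(":", 1)[1]


# Constructed sample data: a stand-in for the CAS notarization lookup, mapping an
# asset hash to the set of signer IDs that notarized it. Not real CAS records.
NOTARIZED = {
    "a" * 64: {"dev@example.com"},
    "b" * 64: {"other@example.com"},
}


def validate_image(ref: str, signer_id: str, notarized=NOTARIZED):
    """Admission decision: (allowed, reason).

    Allowed only when the reference is digest-pinned, the digest is sha256, and
    the configured signer_id is among the signers that notarized that hash.
    """
    try:
        digest_hex = extract_sha256(ref)
    except ValueError as exc:
        return False, str(exc)
    signers = notarized.get(digest_hex, set())
    if signer_id in signers:
        return True, f"digest notarized by {signer_id}"
    if signers:
        return False, f"digest notarized, but not by configured signer {signer_id}"
    return False, "digest has no notarization record"


if __name__ == "__main__":
    pinned = "localhost:5000/app:1.0@sha256:" + "a" * 64
    for candidate in (pinned, "nginx:1.21", "app@sha256:" + "b" * 64):
        print(candidate, "->", validate_image(candidate, "dev@example.com"))
```

The decision function deliberately distinguishes "no record" from "record by a different signer": both are denials, but the second is the case worth alerting on, since it means someone other than the expected party notarized that exact digest.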