github/workflows: Sign Ubuntu and Arch images using cosign #1440
Conversation
travier
force-pushed
the
github-workflows-sign
branch
from
8383870
to
7e84a15
Compare
travier
changed the title
|
Build failed. ❌ unit-test FAILURE in 6m 49s |
- Use a unified workflow for both PR & Push jobs - Build using buildah & push with podman Signed-off-by: Timothée Ravier <tim@siosm.fr>
travier
force-pushed
the
github-workflows-sign
branch
from
7e84a15
to
1f09b2a
Compare
|
Would |
|
Build succeeded. ✔️ unit-test SUCCESS in 5m 41s |
This currently only works with podman with the following setup: https://github.com/toolbx-images/images#verifying-sigstore-container-signatures-with-podman |
This looks like something that |
Toolbox calls out to podman to pull images. It does not do it by itself. Thus why setting it up for podman makes it work. One option would be to ask for the podman maintainers to extend this format to be able to include drop-ins for example in the policy to let packages add their own keys & policy for example. But that might be difficult to do safely. |
Ah, I see It actually shells out to podman instead of using the underlying Go libraries. Obviously a bunch would have to be rewritten but it would offer more flexibility. |
- Use a unified workflow for both PR & Push jobs - Build using buildah & push with podman Signed-off-by: Timothée Ravier <tim@siosm.fr>
Signed-off-by: Timothée Ravier <tim@siosm.fr>
travier
force-pushed
the
github-workflows-sign
branch
from
1f09b2a
to
3fd1365
Compare
|
Build succeeded. ✔️ unit-test SUCCESS in 6m 35s |
I see that the JSON is documented in
I see that on Fedora, the I wonder if we can add the It looks like |
|
Let's merge #1439 first before we look at this one? |
This is the whole question: Who should generate and store a backup of the key? Should this be a Fedora key? I don't think there are cosign keys in Fedora infra or support for cosign there yet. |
I think yes, we are, but using GPG keys.
Not sure but I don't think they are signed. They don't show up as signed in https://quay.io/repository/fedora/fedora?tab=tags
That coud be another option but that would also likely need discussion with the podman folks. |
Yes, definitely. I was away for the past week, and I threw some questions that came to me while I was gone. |
If we consider only the images for Arch Linux and Ubuntu, then maybe we can do the same thing as you were doing before for them at github.com/toolbx-images/images? Clearly, I don't know much about cosign, so I will just follow your lead. I only brought up the Fedora and RHEL images to understand the broader status quo, but we don't have to solve them as part of this pull request.
I see. I think I need to read up to understand what cosign versus GPG means, and how they compare, etc.. :) |
TL;DR: cosign (read this as sigstore) intends to create ephemeral short-lived keys through workload identities or Open-ID Connect identities. They are tied to the fulcio CA and all signatures are appended to a Transparency Log which will allows you detect signing key misuse. You can also sign with your own keys if you want. In comparison GnuPG is just a signature. |
Based on / waiting for #1439
Needs a key to be generated and imported as secret.