Sign meilisearch docker image #2179
Comments
curquiza
added
enhancement
|
We should look into that: https://github.com/sigstore/cosign |
|
Hello, Would you be open to a PR signing your Docker image using Cosign with the keyless mode? It is still marked as experimental since the Sigstore Public Good instance is not yet considered GA (should happen soon(ish), Rekor is currently at the 1.0 RC). That does not prevent you to use a key you manage afterwards, it will be a one line addition to the GitHub Actions file. Also note we could also use Cosign to sign the binaries associated to your releases. |
|
Hello @LeSuisse I'm really sorry for the late answer, I missed this notification!
Yes please! 😊
I'm not sure I really understand this part of your comment, can you detail it? 😊
Oh would be a good addition! |
|
Thanks for the confirmation. I will open a PR by the end of this week or the next one :) .
The keyless mode of Cosign is still marked as experimental but since my last message the experimental flag is being removed (sigstore/cosign#2387) so it will not really be an issue. |
Cosign keyless mode makes possible to sign the container image using the OIDC Identity Tokens provided by GitHub Actions [0][1]. The signature is published to the registry storing the image and to the public Rekor transparency log instance [2]. Cosign keyless mode has already been adopted by some major projects like Kubernetes [3]. The image signature can be manually verified using: ``` $ COSIGN_EXPERIMENTAL=1 cosign verify <image_name> ``` See meilisearch#2179. Note that a similar approach can be used to sign the release binaries. [0] https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect [1] https://docs.sigstore.dev/cosign/openid_signing [2] https://docs.sigstore.dev/rekor/overview [3] https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts/#verifying-image-signatures
Cosign keyless mode makes possible to sign the container image using the OIDC Identity Tokens provided by GitHub Actions [0][1]. The signature is published to the registry storing the image and to the public Rekor transparency log instance [2]. Cosign keyless mode has already been adopted by some major projects like Kubernetes [3]. The image signature can be manually verified using: ``` $ COSIGN_EXPERIMENTAL=1 cosign verify <image_name> ``` See meilisearch#2179. Note that a similar approach can be used to sign the release binaries. [0] https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect [1] https://docs.sigstore.dev/cosign/openid_signing [2] https://docs.sigstore.dev/rekor/overview [3] https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts/#verifying-image-signatures
Cosign keyless mode makes possible to sign the container image using the OIDC Identity Tokens provided by GitHub Actions [0][1]. The signature is published to the registry storing the image and to the public Rekor transparency log instance [2]. Cosign keyless mode has already been adopted by some major projects like Kubernetes [3]. The image signature can be manually verified using: ``` $ COSIGN_EXPERIMENTAL=1 cosign verify <image_name> ``` See meilisearch#2179. Note that a similar approach can be used to sign the release binaries. [0] https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect [1] https://docs.sigstore.dev/cosign/openid_signing [2] https://docs.sigstore.dev/rekor/overview [3] https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts/#verifying-image-signatures
We would like to make our official docker image signed
Example of sources: https://betterprogramming.pub/docker-content-trust-security-digital-signatures-eeae9348140d
The text was updated successfully, but these errors were encountered: