
Sign container image using Cosign in keyless mode #3265

Draft · wants to merge 1 commit into base: main

Conversation

LeSuisse (Author)

Pull Request

Related issue

Fixes #2179

What does this PR do?

Cosign keyless mode makes it possible to sign the container image using the OIDC Identity Tokens provided by GitHub Actions [0][1]. The signature is published to the registry storing the image and to the public Rekor transparency log instance.

Cosign keyless mode has already been adopted by some major projects like Kubernetes.

The image signature can be manually verified using:

```
$ COSIGN_EXPERIMENTAL=1 cosign verify <image_name>
```

For example, using an image I published to test this change:

```
$ COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/lesuisse/meilisearch/getmeili/meilisearch:nightly

Verification for ghcr.io/lesuisse/meilisearch/getmeili/meilisearch:nightly --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
```

Note that a similar approach can be used to sign the release binaries.

PR checklist

Please check if your PR fulfills the following requirements:

  • Does this PR fix an existing issue, or have you listed the changes applied in the PR description (and why they are needed)?
  • Have you read the contributing guidelines?
  • Have you made sure that the title is accurate and descriptive of the changes?

Thank you so much for contributing to Meilisearch!

Cosign keyless mode makes it possible to sign the container image using the
OIDC Identity Tokens provided by GitHub Actions [0][1].
The signature is published to the registry storing the image and to the
public Rekor transparency log instance [2].

Cosign keyless mode has already been adopted by some major projects like
Kubernetes [3].

The image signature can be manually verified using:
```
$ COSIGN_EXPERIMENTAL=1 cosign verify <image_name>
```

See meilisearch#2179.
Note that a similar approach can be used to sign the release binaries.

[0] https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
[1] https://docs.sigstore.dev/cosign/openid_signing
[2] https://docs.sigstore.dev/rekor/overview
[3] https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts/#verifying-image-signatures
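The verification output quoted in the PR description and commit message proves that the signature chains to a Fulcio certificate and is recorded in Rekor, but not who obtained that certificate: in keyless mode the trust decision is the identity on the certificate (OIDC issuer plus workflow subject), so a verifier must pin it. The following is an added example, not code from this PR or from Meilisearch: a Python policy check over the JSON array that `cosign verify` writes to stdout (the human-readable summary goes to stderr). The sample is constructed from the claims shown in the description's output with the Rekor bundle and certificate dropped, plus a constructed second signature that carries no identity claims; the function names and the `run_cosign_verify` helper are assumptions.

```python
import json
import os
import re
import subprocess

# OIDC issuer GitHub Actions presents to Fulcio (value shown in the PR's verification output).
GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"


def run_cosign_verify(image):
    """Run `cosign verify` and return the JSON array it prints to stdout (helper, not run offline)."""
    env = {**os.environ, "COSIGN_EXPERIMENTAL": "1"}  # required by cosign 1.x keyless, as in the PR
    proc = subprocess.run(["cosign", "verify", image], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout


def accepted_digests(verify_json, repo, workflow_file, ref_regex):
    """Return the manifest digests whose certificate identity is the expected workflow.

    Issuer must be GitHub Actions; Subject must be exactly
    https://github.com/<repo>/.github/workflows/<workflow_file>@<ref>
    and <ref> must fully match ref_regex (e.g. only release tags)."""
    subject_re = re.compile(r"^https://github\.com/" + re.escape(repo)
                            + r"/\.github/workflows/" + re.escape(workflow_file) + r"@(.+)$")
    accepted = []
    for entry in json.loads(verify_json):
        digest = entry["critical"]["image"]["docker-manifest-digest"]
        claims = entry.get("optional") or {}
        if claims.get("Issuer") != GITHUB_ACTIONS_ISSUER:
            continue  # not a keyless GitHub Actions signature, or no identity claims at all
        match = subject_re.match(claims.get("Subject", ""))
        if match is None or re.fullmatch(ref_regex, match.group(1)) is None:
            continue  # a different repository, workflow file, branch or tag produced it
        accepted.append(digest)
    return accepted


# Constructed sample: first entry mirrors the PR's output (bundle omitted), second has no identity.
IMAGE = "ghcr.io/lesuisse/meilisearch/getmeili/meilisearch"
SAMPLE_VERIFY_JSON = json.dumps([
    {"critical": {"identity": {"docker-reference": IMAGE},
                  "image": {"docker-manifest-digest": "sha256:987a847d498f7860f05c319867a9c5efd82785cf149a05947f6918c60666dd14"},
                  "type": "cosign container image signature"},
     "optional": {"Issuer": GITHUB_ACTIONS_ISSUER,
                  "Subject": "https://github.com/LeSuisse/meilisearch/.github/workflows/publish-docker-images.yml@refs/heads/publish-docker-images-ghcr.io",
                  "githubWorkflowRepository": "LeSuisse/meilisearch"}},
    {"critical": {"identity": {"docker-reference": IMAGE},
                  "image": {"docker-manifest-digest": "sha256:" + "0" * 64},  # placeholder digest
                  "type": "cosign container image signature"},
     "optional": None},
])
```

Run against the PR's own output, the signature is accepted for `LeSuisse/meilisearch` but rejected for `meilisearch/meilisearch`, which is the point: a fork's workflow produces an equally valid keyless signature. Cosign 2.x enforces the same policy natively and requires `--certificate-oidc-issuer` together with `--certificate-identity` or `--certificate-identity-regexp` for keyless verification.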
@curquiza curquiza self-requested a review December 20, 2022 16:45
@curquiza (Member)

Hello @LeSuisse, thanks a lot for your PR ❤️
We would rather not use an experimental feature in our production process. I might have misunderstood, but I thought this feature would not be experimental for much longer?

@curquiza curquiza added the tooling Not directly project related, like Docker, Homebrew... label Dec 21, 2022
@LeSuisse (Author)

Yes, the "experimental" flag is going to be removed with Cosign 2.0.0, which is currently in RC, see https://github.com/sigstore/cosign/releases/tag/v2.0.0-rc.0

> Remove experimental flag from cosign sign and cosign verify (sigstore/cosign#2387)

@curquiza (Member)

Thanks for your answer, let's wait for v2 then! 😄

> Note: this is a prerelease for Cosign 2.0! Feel free to try it out, but know there are many breaking changes from 1.0 and the prereleases may continue to change.

Indeed, we cannot spend time handling breaking changes in our production workflow. Let's keep this PR open in the meantime! 😊

@curquiza curquiza removed their request for review December 21, 2022 16:31
@curquiza (Member) commented Jan 5, 2023

Putting it in a draft in the meantime!

@curquiza curquiza marked this pull request as draft January 5, 2023 11:45
Linked issue: Sign meilisearch docker image