Sign the images with sigstore's fulcio/rekor

The ecosystem is moving towards sigstore and we are federated with the
public fulcio instance[1], so let's sign our images. Cosign is not used;
instead, the sigstore feature built into podman is used, which works basically
the same way as cosign.

[1] https://github.com/sigstore/fulcio/pull/1214

Fix #77
Kristian Klausen 2023-06-23 23:26:39 +02:00 committed by Justin Kromlinger
parent 3be9448db8
commit 8317be4d2d
No known key found for this signature in database
GPG Key ID: 69EF6D9E49A64EB8
3 changed files with 22 additions and 4 deletions


@ -103,12 +103,15 @@ rootfs:secure:
- vm - vm
before_script: before_script:
- pacman -Syu --noconfirm podman - pacman -Syu --noconfirm podman
id_tokens:
SIGSTORE_ID_TOKEN:
aud: sigstore
script: script:
- podman build - podman build
-f "$CI_PROJECT_DIR/output/Dockerfile.$GROUP" -f "$CI_PROJECT_DIR/output/Dockerfile.$GROUP"
-t "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG" -t "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
"$CI_PROJECT_DIR/output" "$CI_PROJECT_DIR/output"
- podman push "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG" - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
image:build: image:build:
extends: .image extends: .image
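Review bot: the `--sign-by-sigstore` push added to rootfs:secure needs a registries.d entry with `use-sigstore-attachments: true` for `$CI_REGISTRY`, and this hunk does not add one to the job's before_script (the other hunks add it only for image:build and image:build:secure); unless rootfs:secure already has it, podman will refuse to write the signature attachment and the push fails. Either add the same `echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml` line here or put it somewhere all three jobs share. A short comment next to the `sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/"` would also help: it is safe only because a JWT is base64url plus dots, with no `/` or `&` for sed to interpret, and the process substitution keeps the token out of the checked-out tree.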
@ -120,6 +123,7 @@ image:build:
before_script: before_script:
- pacman -Syu --noconfirm podman - pacman -Syu --noconfirm podman
- podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
- 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
image:build:secure: image:build:secure:
extends: .image extends: .image
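Review bot: `default-docker:` applies `use-sigstore-attachments: true` to every registry this job talks to, not only `$CI_REGISTRY`; if the intent is just the GitLab registry, a `docker:` section keyed by the registry host scopes it. The same `echo -e ... > /etc/containers/registries.d/sigstore.yaml` line is added verbatim to image:build:secure in the next hunk; hoisting it into the `.image` template that both jobs `extends` (or a YAML anchor) keeps the two copies from drifting apart.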
@ -134,6 +138,7 @@ image:build:secure:
before_script: before_script:
- pacman -Syu --noconfirm podman - pacman -Syu --noconfirm podman
- podman login -u "$GITLAB_PROJECT_USER" -p "$GITLAB_PROJECT_TOKEN" "$CI_REGISTRY" - podman login -u "$GITLAB_PROJECT_USER" -p "$GITLAB_PROJECT_TOKEN" "$CI_REGISTRY"
- 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
# Build and publish to the Arch Linux group namespaces: # Build and publish to the Arch Linux group namespaces:
# https://hub.docker.com/r/archlinux/archlinux # https://hub.docker.com/r/archlinux/archlinux
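Review bot: the `echo -e` with `\n` inside a single-quoted YAML string depends on bash's `echo` honouring `-e`; under a POSIX `sh` the `-e` is printed literally and the registries.d file becomes invalid YAML. `printf 'default-docker:\n  use-sigstore-attachments: true\n' > /etc/containers/registries.d/sigstore.yaml` is portable and reads more clearly.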
@ -166,11 +171,11 @@ image:publish:secure:
- podman tag "archlinux:$GROUP-$BUILD_VERSION" "ghcr.io/archlinux/archlinux:$GROUP" - podman tag "archlinux:$GROUP-$BUILD_VERSION" "ghcr.io/archlinux/archlinux:$GROUP"
- podman tag "archlinux:$GROUP-$BUILD_VERSION" "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION" - podman tag "archlinux:$GROUP-$BUILD_VERSION" "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- podman push "docker.io/archlinux/archlinux:$GROUP" - podman push "docker.io/archlinux/archlinux:$GROUP"
- podman push "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION" - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- podman push "quay.io/archlinux/archlinux:$GROUP" - podman push "quay.io/archlinux/archlinux:$GROUP"
- podman push "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION" - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- podman push "ghcr.io/archlinux/archlinux:$GROUP" - podman push "ghcr.io/archlinux/archlinux:$GROUP"
- podman push "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION" - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- if [[ "$GROUP" == "base" ]]; then - if [[ "$GROUP" == "base" ]]; then
podman tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:latest"; podman tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:latest";
podman tag "archlinux:$GROUP-$BUILD_VERSION" "quay.io/archlinux/archlinux:latest"; podman tag "archlinux:$GROUP-$BUILD_VERSION" "quay.io/archlinux/archlinux:latest";
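Review bot: only the `$GROUP-$BUILD_VERSION` pushes carry `--sign-by-sigstore`; the `$GROUP` and `latest` pushes stay unsigned. That works because the sigstore attachment is stored in the repository under the manifest digest (the `sha256-<digest>.sig` tag), so every tag that resolves to the same manifest verifies, and the README's `cosign verify ...:latest` relies on exactly this; a one-line comment above the push block stating it would stop a later reader from "fixing" it by signing every tag. Also confirm that image:publish:secure declares `id_tokens: SIGSTORE_ID_TOKEN: aud: sigstore` as rootfs:secure does in the first hunk: this hunk uses `${SIGSTORE_ID_TOKEN}` but does not add the declaration, and with the variable unset sed would substitute an empty token and the push would fail at fulcio.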


@ -21,6 +21,13 @@ While the images are regularly kept up to date it is strongly recommended
running `pacman -Syu` right after starting a container due to the rolling running `pacman -Syu` right after starting a container due to the rolling
release nature of Arch Linux. release nature of Arch Linux.
All the images, with the exception of the official DockerHub library image, are signed by using [cosign's keyless signing](https://docs.sigstore.dev/cosign/openid_signing/). The images can be verified with one of the following commands:
```
$ cosign verify docker.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq .
$ cosign verify quay.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq .
$ cosign verify ghcr.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq .
```
## Principles ## Principles
* Provide the Arch experience in a Docker image * Provide the Arch experience in a Docker image
* Provide the simplest but complete image to `base` and `base-devel` on a regular basis * Provide the simplest but complete image to `base` and `base-devel` on a regular basis
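Review bot: the verify commands pin `--certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master` while the issuer is `https://gitlab.archlinux.org`; please check against a certificate from an actual signature that the SAN fulcio issues for this federated instance really uses the `gitlab.com` host, because any mismatch makes all three commands fail closed for users. The prose says the images are signed "by using cosign's keyless signing", whereas the commit message says cosign is not used and podman does the signing; "sigstore keyless signing (cosign-compatible)" would describe what the pipeline does without contradicting the commit.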

sigstore-param-file.yaml Normal file

@ -0,0 +1,6 @@
fulcio:
fulcioURL: "https://fulcio.sigstore.dev"
oidcMode: "staticToken"
oidcIssuerURL: "https://gitlab.archlinux.org"
oidcIDToken: "TEMPLATE_OIDC_ID_TOKEN"
rekorURL: "https://rekor.sigstore.dev"
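Review bot: `oidcIDToken: "TEMPLATE_OIDC_ID_TOKEN"` only makes sense together with the `sed` in the CI script; a leading comment in this file saying the placeholder is substituted at push time from the `SIGSTORE_ID_TOKEN` CI ID token, and must never be replaced with a real token in the repository, would document that contract where the next reader looks. The rest is consistent with the script: `oidcMode: "staticToken"` with `oidcIssuerURL` matching the `--certificate-oidc-issuer` in the README, and `rekorURL` at top level so each signature also gets a public transparency-log entry.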