From 8317be4d2d3d2ebb424d94b78a47de73cbbac338 Mon Sep 17 00:00:00 2001
From: Kristian Klausen
Date: Fri, 23 Jun 2023 23:26:39 +0200
Subject: [PATCH] Sign the images with sigstore's fulcio/rekor

The ecosystem is moving towards sigstore and we are federated with the public fulcio instance[1], so let's sign our images. Cosign is not used, but the sigstore feature built into podman, which works basically the same way as cosign.
[1] https://github.com/sigstore/fulcio/pull/1214
Fix #77
---
 .gitlab-ci.yml | 13 +++++++++----
 README.md | 7 +++++++
 sigstore-param-file.yaml | 6 ++++++
 3 files changed, 22 insertions(+), 4 deletions(-)
 create mode 100644 sigstore-param-file.yaml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c510383..06df724 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -103,12 +103,15 @@ rootfs:secure: - vm before_script: - pacman -Syu --noconfirm podman + id_tokens: + SIGSTORE_ID_TOKEN: + aud: sigstore script: - podman build -f "$CI_PROJECT_DIR/output/Dockerfile.$GROUP" -t "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG" "$CI_PROJECT_DIR/output" - - podman push "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG" + - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG" image:build: extends: .image
@@ -120,6 +123,7 @@ image:build: before_script: - pacman -Syu --noconfirm podman - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" + - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml' image:build:secure: extends: .image
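Review bot: The ID token is spliced into the `sed` expression as a command-line argument, so for the duration of that call it is readable by any other process on the runner through the process argument list, and it would also appear verbatim in any shell tracing (`set -x`) of the job script. Since `SIGSTORE_ID_TOKEN` is already exported into the environment by `id_tokens`, render the template without putting the token on a command line, e.g. `- podman push --sign-by-sigstore=<(envsubst '$SIGSTORE_ID_TOKEN' < sigstore-param-file.yaml) "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"` with the placeholder in the param file changed to `"${SIGSTORE_ID_TOKEN}"`, assuming `envsubst` (gettext) is present on the runner image; the same `sed` form is repeated three times in the `image:publish:secure` hunk. The `aud: sigstore` value also deserves a line above it such as `# audience Fulcio requires in the OIDC token`. The `@@` header names `rootfs:secure:`, but the trailing `image:build: extends: .image` context suggests the job being edited is really the `.image` template that the build and publish jobs inherit, which is what makes the token available to the publish hunk further down.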
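Review bot: The `registries.d` line is written identically here and in the `image:build:secure` hunk, and neither copy says why it is needed: `use-sigstore-attachments` is what makes podman store the signature in the registry next to the image instead of a lookaside directory, which is what the `cosign verify` commands added to the README depend on. Precede each copy with `# publish sigstore signatures as registry attachments (cosign-compatible) rather than to a lookaside dir`. `echo -e` is a bash-ism; `printf 'default-docker:\n  use-sigstore-attachments: true\n' > /etc/containers/registries.d/sigstore.yaml` is portable and keeps the conventional two-space indent, although the process substitution in the push command already ties the script to bash. The `before_script` of `image:publish:secure` is outside the hunks, so I cannot tell whether the signed pushes there get the same configuration; if they do not, I would expect podman to fail the push for lack of a signature location rather than silently skip signing, which is worth confirming.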
@@ -134,6 +138,7 @@ image:build:secure: before_script: - pacman -Syu --noconfirm podman - podman login -u "$GITLAB_PROJECT_USER" -p "$GITLAB_PROJECT_TOKEN" "$CI_REGISTRY" + - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml' # Build and publish to the Arch Linux group namespaces: # https://hub.docker.com/r/archlinux/archlinux
@@ -166,11 +171,11 @@ image:publish:secure: - podman tag "archlinux:$GROUP-$BUILD_VERSION" "ghcr.io/archlinux/archlinux:$GROUP" - podman tag "archlinux:$GROUP-$BUILD_VERSION" "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION" - podman push "docker.io/archlinux/archlinux:$GROUP" - - podman push "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION" + - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION" - podman push "quay.io/archlinux/archlinux:$GROUP" - - podman push "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION" + - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION" - podman push "ghcr.io/archlinux/archlinux:$GROUP" - - podman push "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION" + - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION" - if [[ "$GROUP" == "base" ]]; then podman tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:latest"; podman tag "archlinux:$GROUP-$BUILD_VERSION" "quay.io/archlinux/archlinux:latest";
diff --git a/README.md b/README.md
index aaf6ce6..64688c3 100644
--- a/README.md
+++ b/README.md
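Review bot: Only the `:$GROUP-$BUILD_VERSION` pushes in the `image:publish:secure` hunk are signed; the `:$GROUP` pushes in the same hunk and the `:latest` pushes in the `if [[ "$GROUP" == "base" ]]` block (which continues past the hunk) stay unsigned, while the README advertises `cosign verify …:latest`. As I understand podman's sigstore attachments, the signature is stored under the manifest digest, so every tag of the same manifest verifies once one of them is signed, but a reader of this script cannot see that reasoning and a later edit that retags a different manifest as `:latest` would silently break the README's claim. Add it above the first signed push, e.g. `# Signing one tag is enough: the sigstore attachment is keyed by manifest digest, so :$GROUP and :latest (same manifest) verify too.`, or sign every push explicitly so the guarantee does not rest on it. The `sed` process substitution is repeated verbatim three times; a small shell function defined in an earlier `script:` line (the lines run in one shell) would remove the duplication.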
@@ -21,6 +21,13 @@ While the images are regularly kept up to date it is strongly recommended running `pacman -Syu` right after starting a container due to the rolling release nature of Arch Linux. +All the images, with the exception of the official DockerHub library image, are signed by using [cosign's keyless signing](https://docs.sigstore.dev/cosign/openid_signing/). The images can be verified with one of the following commands: +``` +$ cosign verify docker.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq . +$ cosign verify quay.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq . +$ cosign verify ghcr.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq . +``` + ## Principles * Provide the Arch experience in a Docker image * Provide the simplest but complete image to `base` and `base-devel` on a regular basis
diff --git a/sigstore-param-file.yaml b/sigstore-param-file.yaml
new file mode 100644
index 0000000..cf5b7c6
--- /dev/null
+++ b/sigstore-param-file.yaml
@@ -0,0 +1,6 @@
+fulcio:
+ fulcioURL: "https://fulcio.sigstore.dev"
+ oidcMode: "staticToken"
+ oidcIssuerURL: "https://gitlab.archlinux.org"
+ oidcIDToken: "TEMPLATE_OIDC_ID_TOKEN"
+rekorURL: "https://rekor.sigstore.dev"
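Review bot: `sigstore-param-file.yaml` is a template rather than a usable podman parameter file: `oidcIDToken` holds a placeholder that `.gitlab-ci.yml` replaces with `sed` at job time, and handing the file to `podman push --sign-by-sigstore` as committed would presumably be rejected by Fulcio as an invalid token. Nothing in the file says so; add a header comment stating that the token field is substituted by the CI job before use, that `oidcIssuerURL` must match the issuer of the GitLab ID token, and that the file must never be committed or logged with a real token in it. Word that comment so it does not contain the placeholder string itself, because the `sed` substitution would rewrite a comment that does. The quoting of `oidcMode` and the URLs is right; the collapsed one-space indentation under `fulcio:` in this view looks like an artefact of how the patch was rendered, assuming the committed file uses two spaces.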