Sign the images with sigstore's fulcio/rekor

The ecosystem is moving towards sigstore and we are federated with the
public fulcio instance[1], so let's sign our images. Cosign is not used,
but the sigstore feature built into podman, which works basically the
same way as cosign.

[1] https://github.com/sigstore/fulcio/pull/1214

Fix #77
Kristian Klausen 2023-06-23 23:26:39 +02:00 committed by Justin Kromlinger
parent 3be9448db8
commit 8317be4d2d
No known key found for this signature in database
GPG Key ID: 69EF6D9E49A64EB8
3 changed files with 22 additions and 4 deletions


@ -103,12 +103,15 @@ rootfs:secure:
- vm
before_script:
- pacman -Syu --noconfirm podman
id_tokens:
SIGSTORE_ID_TOKEN:
aud: sigstore
script:
- podman build
-f "$CI_PROJECT_DIR/output/Dockerfile.$GROUP"
-t "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
"$CI_PROJECT_DIR/output"
- podman push "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
- podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
image:build:
extends: .image
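Review bot: the plain `podman push` of `$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG` immediately before the `--sign-by-sigstore` push of the same tag looks redundant, since the signed push uploads the image together with its signature; if the first push is intentional (for example so the image lands even when Fulcio/Rekor are unreachable), say so in a comment, otherwise drop it so the tag is never briefly published unsigned. The `<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml)` construct is repeated verbatim four times in this diff and relies on bash process substitution; a YAML anchor or a small helper script would keep the copies from drifting and make the bash dependency explicit.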
@ -120,6 +123,7 @@ image:build:
before_script:
- pacman -Syu --noconfirm podman
- podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
- 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
image:build:secure:
extends: .image
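Review bot: the `echo -e "default-docker:\n use-sigstore-attachments: true"` line depends on the shell's `echo` honouring `-e`; `printf 'default-docker:\n  use-sigstore-attachments: true\n'` gives the same file portably. The identical line is added to `image:build:secure` as well, so it belongs in the shared `.image` template (or a dedicated before_script anchor) rather than in each job.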
@ -134,6 +138,7 @@ image:build:secure:
before_script:
- pacman -Syu --noconfirm podman
- podman login -u "$GITLAB_PROJECT_USER" -p "$GITLAB_PROJECT_TOKEN" "$CI_REGISTRY"
- 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
# Build and publish to the Arch Linux group namespaces:
# https://hub.docker.com/r/archlinux/archlinux
@ -166,11 +171,11 @@ image:publish:secure:
- podman tag "archlinux:$GROUP-$BUILD_VERSION" "ghcr.io/archlinux/archlinux:$GROUP"
- podman tag "archlinux:$GROUP-$BUILD_VERSION" "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- podman push "docker.io/archlinux/archlinux:$GROUP"
- podman push "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- podman push "quay.io/archlinux/archlinux:$GROUP"
- podman push "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- podman push "ghcr.io/archlinux/archlinux:$GROUP"
- podman push "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- if [[ "$GROUP" == "base" ]]; then
podman tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:latest";
podman tag "archlinux:$GROUP-$BUILD_VERSION" "quay.io/archlinux/archlinux:latest";
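Review bot: only the `$GROUP-$BUILD_VERSION` tag on each of docker.io, quay.io and ghcr.io is pushed with `--sign-by-sigstore`; the `$GROUP` and `latest` tags are pushed unsigned. Because the sigstore attachment is stored against the manifest digest, those tags are covered as long as they point at the same digest, but that is not obvious from the script, so a one-line comment stating it would prevent a future edit from tagging a different image under `$GROUP` and silently losing coverage. This job's before_script is not in the diff; confirm it also writes the `use-sigstore-attachments` registries.d config, since these signed pushes need it.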


@ -21,6 +21,13 @@ While the images are regularly kept up to date it is strongly recommended
running `pacman -Syu` right after starting a container due to the rolling
release nature of Arch Linux.
All the images, with the exception of the official DockerHub library image, are signed by using [cosign's keyless signing](https://docs.sigstore.dev/cosign/openid_signing/). The images can be verified with one of the following commands:
```
$ cosign verify docker.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq .
$ cosign verify quay.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq .
$ cosign verify ghcr.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq .
```
## Principles
* Provide the Arch experience in a Docker image
* Provide the simplest but complete image to `base` and `base-devel` on a regular basis
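Review bot: the README states the images are "signed by using cosign's keyless signing", while the commit message says cosign is not used and signing is done by podman's built-in sigstore support; wording such as "signed with sigstore keyless signing (via podman) and verifiable with cosign" matches what the pipeline actually does. The three `cosign verify` commands pass `--certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master` together with `--certificate-oidc-issuer=https://gitlab.archlinux.org`; a short sentence explaining why the identity uses the gitlab.com host while the issuer is gitlab.archlinux.org would save readers from treating it as a typo.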

sigstore-param-file.yaml Normal file

@ -0,0 +1,6 @@
fulcio:
fulcioURL: "https://fulcio.sigstore.dev"
oidcMode: "staticToken"
oidcIssuerURL: "https://gitlab.archlinux.org"
oidcIDToken: "TEMPLATE_OIDC_ID_TOKEN"
rekorURL: "https://rekor.sigstore.dev"
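Review bot: `oidcIDToken: "TEMPLATE_OIDC_ID_TOKEN"` is a placeholder that CI substitutes at push time, but nothing in the file says so; a leading comment stating that the value is replaced from `SIGSTORE_ID_TOKEN` via process substitution and that the file must never be committed with a real token would document the contract. It is also worth noting in that comment that `fulcioURL` and `rekorURL` point at the public sigstore instances, so verification depends on the public sigstore trust root rather than anything the project controls.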