diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c510383..06df724 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -103,12 +103,15 @@ rootfs:secure:
 - vm
 before_script:
 - pacman -Syu --noconfirm podman
+ id_tokens:
+ SIGSTORE_ID_TOKEN:
+ aud: sigstore
 script:
 - podman build -f "$CI_PROJECT_DIR/output/Dockerfile.$GROUP" -t "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG" "$CI_PROJECT_DIR/output"
- - podman push "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
+ - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
 image:build:
 extends: .image
@@ -120,6 +123,7 @@ image:build:
 before_script:
 - pacman -Syu --noconfirm podman
 - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
+ - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
 image:build:secure:
 extends: .image
@@ -134,6 +138,7 @@ image:build:secure:
 before_script:
 - pacman -Syu --noconfirm podman
 - podman login -u "$GITLAB_PROJECT_USER" -p "$GITLAB_PROJECT_TOKEN" "$CI_REGISTRY"
+ - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
 # Build and publish to the Arch Linux group namespaces:
 # https://hub.docker.com/r/archlinux/archlinux
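Review bot: The new `podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) …` line in rootfs:secure substitutes the ID token without checking that one was issued, so on a runner or GitLab version that does not honour `id_tokens:` the placeholder is replaced by an empty string and the job dies later inside podman with an unrelated-looking Fulcio error. A guard placed before the push, `- : "${SIGSTORE_ID_TOKEN:?no Sigstore ID token was issued for this job}"`, fails fast with a clear message. The token is expanded onto the sed command line, so it appears in the job log whenever CI_DEBUG_TRACE is enabled and in the runner's process list for the duration of the sed call; the process substitution at least keeps it off disk, and a short comment on the line should record that, e.g. `# the short-lived ID token is only substituted into a process-substitution pipe, never written to a file; a JWT is base64url plus dots, so it is safe as a sed replacement`. The same substitution pattern is repeated three times in image:publish:secure, where the same guard applies.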
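Review bot: The added `'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'` line is written twice, byte-identical, in the before_script of image:build and of image:build:secure; a shared hidden job or a GitLab `!reference` entry would keep the registries.d policy in one place so the two cannot drift. Neither of these two jobs signs anything in the visible hunks, while the job that does sign, image:publish:secure, has its before_script outside this diff; if I read the containers/image behaviour correctly, podman will refuse to upload a sigstore signature to a registry that is not configured with `use-sigstore-attachments`, so confirm that job also gets this file (inheriting it through `extends` would be the cleanest way). Generating YAML with `echo -e` inside a single-quoted scalar is fragile to future quoting changes; checking a small registries.d file into the repository and copying it into place would be easier to review and to lint.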
@@ -166,11 +171,11 @@ image:publish:secure:
 - podman tag "archlinux:$GROUP-$BUILD_VERSION" "ghcr.io/archlinux/archlinux:$GROUP"
 - podman tag "archlinux:$GROUP-$BUILD_VERSION" "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
 - podman push "docker.io/archlinux/archlinux:$GROUP"
- - podman push "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+ - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
 - podman push "quay.io/archlinux/archlinux:$GROUP"
- - podman push "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+ - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
 - podman push "ghcr.io/archlinux/archlinux:$GROUP"
- - podman push "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+ - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "ghcr.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
 - if [[ "$GROUP" == "base" ]]; then podman tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:latest"; podman tag "archlinux:$GROUP-$BUILD_VERSION" "quay.io/archlinux/archlinux:latest";
diff --git a/README.md b/README.md
index aaf6ce6..2cd98d9 100644
--- a/README.md
+++ b/README.md
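Review bot: The three signed `podman push --sign-by-sigstore=<(sed … ${SIGSTORE_ID_TOKEN} …)` lines in image:publish:secure read `SIGSTORE_ID_TOKEN`, but this commit adds the `id_tokens:` block only under rootfs:secure; unless image:publish:secure inherits it through `extends` or a `default:` section outside the hunk, the variable is unset here and every signing push fails. The fix is the same three lines, `id_tokens:` / `  SIGSTORE_ID_TOKEN:` / `    aud: sigstore`, on this job or on a hidden job both jobs extend. The README added in the same commit verifies with `--certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master` while the issuer is `https://gitlab.archlinux.org`; the identity Fulcio embeds is derived from the issuing instance's token claims, so the gitlab.com host looks wrong for a pipeline on gitlab.archlinux.org, and the documented command should be checked against the certificate of a real signed image before it is published. The job's script continues outside the hunk.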
@@ -21,6 +21,15 @@ While the images are regularly kept up to date it is strongly recommended running `pacman -Syu` right after starting a container due to the rolling release nature of Arch Linux.
+All the images, with the exception of the official DockerHub library image, are
+signed by using [cosign's keyless signing][openid-signing]. The images can be
+verified with one of the following commands:
+```sh
+$ cosign verify docker.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq .
+$ cosign verify quay.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq .
+$ cosign verify ghcr.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq .
+```
+
 ## Principles
 * Provide the Arch experience in a Docker image
 * Provide the simplest but complete image to `base` and `base-devel` on a regular basis
@@ -90,6 +99,8 @@ Development images are uploaded to our
 [quay-containers]: https://quay.io/repository/archlinux/archlinux
 [ghcr-containers]: https://github.com/archlinux/archlinux-docker/pkgs/container/archlinux
+[openid-signing]: (https://docs.sigstore.dev/cosign/openid_signing/)
+
 [self]: https://gitlab.archlinux.org/archlinux/archlinux-docker
 [in-tree-CI]: https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/master/.gitlab-ci.yml
diff --git a/sigstore-param-file.yaml b/sigstore-param-file.yaml
new file mode 100644
index 0000000..cf5b7c6
--- /dev/null
+++ b/sigstore-param-file.yaml
@@ -0,0 +1,6 @@
+fulcio:
+ fulcioURL: "https://fulcio.sigstore.dev"
+ oidcMode: "staticToken"
+ oidcIssuerURL: "https://gitlab.archlinux.org"
+ oidcIDToken: "TEMPLATE_OIDC_ID_TOKEN"
+rekorURL: "https://rekor.sigstore.dev"
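Review bot: The new sigstore-param-file.yaml carries no explanation of the `oidcIDToken: "TEMPLATE_OIDC_ID_TOKEN"` placeholder, so a reader of the file alone cannot tell that it is a template rendered at job runtime rather than a broken credential, nor that it must never be committed with a real token. A header comment would cover it, e.g. `# Template for podman --sign-by-sigstore; TEMPLATE_OIDC_ID_TOKEN is replaced at job runtime by the CI ID token via sed in .gitlab-ci.yml, so never commit a rendered copy` and, on oidcIssuerURL, `# must equal the iss claim of the GitLab ID token (the instance URL)`. Both Sigstore endpoints are the public instances; pinning which one is in use is what makes the README's verification command meaningful, so a comment naming that choice is worth keeping next to `rekorURL`.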