Skip to content

Commit

Permalink
feat: add verify check to signed container images
Browse files Browse the repository at this point in the history
verify signatures for signed images
  • Loading branch information
BobyMCbobs authored and ardrigh committed Oct 9, 2023
1 parent a35fdd7 commit d41d1ef
Show file tree
Hide file tree
Showing 3 changed files with 48 additions and 1 deletion.
15 changes: 15 additions & 0 deletions .github/workflows/presubmit-signed-images-are-signed.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
name: presubmit signed images are signed
on:
pull_request: {}
workflow_dispatch: {}
jobs:
presubmit-signed-images-are-signed:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: check signed images are signed as expected
run: |
yq -r e '.sync[] | select(.sourceSignature != null) | .source + " " + .sourceSignature.issuerRegExp + " " + .sourceSignature.subjectRegExp' -o json < ./config.yaml \
| xargs -n 1 -l bash -c 'cosign verify -o text --certificate-identity-regexp "$2" --certificate-oidc-issuer-regexp "$1" "$0"'
8 changes: 8 additions & 0 deletions .github/workflows/sync.yml
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,14 @@ jobs:
) | column -t
echo "source=${SOURCE_DIGEST}" >> $GITHUB_OUTPUT
echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT
- name: verify-signature
if: ${{ (steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true) && fromJSON(toJSON(matrix)).sourceSignature != null }}
env:
SOURCE: ${{ fromJSON(toJSON(matrix)).source }}
SUBJECT: ${{ fromJSON(toJSON(matrix)).sourceSignature.subjectRegExp }}
ISSUER: ${{ fromJSON(toJSON(matrix)).sourceSignature.issuerRegExp }}
run: |
cosign verify -o text --certificate-identity-regexp "$SUBJECT" --certificate-oidc-issuer-regexp "$ISSUER" "$SOURCE"
- name: copy
if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }}
env:
Expand Down
26 changes: 25 additions & 1 deletion config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,13 @@ sync:
# yq e .sync[].source ./config.yaml | xargs -n 1 -I{} sh -c 'printf "{} => "; crane digest {}'
# NOTE find architectures of destination images
# < config.yaml yq e '.sync[].destination' | xargs -I{} sh -c 'printf "{} " && crane manifest {} | jq -e ".manifests | length | . > 1" && crane manifest {} | jq .manifests[].platform.architecture | xargs'
# NOTE use the following command to check each image for supply chain security related artifacts
# yq e .sync[].source < ./config.yaml | xargs -n 1 -I{} -P 1000 cosign tree {}
# NOTE use the following command to determine how an image was signed
# cosign verify -o text --certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' IMAGE
# NOTE use the following command to verify all signed images
# yq -r e '.sync[] | select(.sourceSignature != null) | .source + " " + .sourceSignature.issuerRegExp + " " + .sourceSignature.subjectRegExp' -o json < ./config.yaml \
# | xargs -n 1 -l bash -c 'cosign verify -o text --certificate-identity-regexp "$2" --certificate-oidc-issuer-regexp "$1" "$0"'
- source: docker.io/library/alpine:3.18@sha256:02bb6f428431fbc2809c5d1b41eab5a68350194fb508869a33cb1af4444c9b11
destination: ghcr.io/geonet/base-images/alpine:3.18 # latest alpine
- source: docker.io/redhat/ubi8:8.8@sha256:a7143118671dfc61aca46e8ab9e488500495a3c4c73a69577ca9386564614c13
Expand Down Expand Up @@ -34,12 +41,26 @@ sync:
- source: docker.io/golang:1.21.1-alpine3.18@sha256:1c9cc949513477766da12bfa80541c4f24957323b0ee00630a6ff4ccf334b75b
destination: ghcr.io/geonet/base-images/go:1.21 # until ko has been fully adopted
- source: cgr.dev/chainguard/static:latest@sha256:da9822ad6f973e40e24e75133b08ae874900766873ecd03e58f7f630ccea898c
sourceSignature:
issuerRegExp: https://token.actions.githubusercontent.com
subjectRegExp: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
destination: ghcr.io/geonet/base-images/static:latest
- source: cgr.dev/chainguard/nginx:latest@sha256:8c05680b8a70b49013f9011cba5b50b26683e3360280a6065d30ef0cd8a50524 # use for Go base images
- source: cgr.dev/chainguard/nginx:latest@sha256:8c05680b8a70b49013f9011cba5b50b26683e3360280a6065d30ef0cd8a50524
sourceSignature:
issuerRegExp: https://token.actions.githubusercontent.com
subjectRegExp: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
destination: ghcr.io/geonet/base-images/nginx:latest
- source: cgr.dev/chainguard/node:20@sha256:38dc35af8d4bd8f59c1d8b88999e7dee9746dcee0f375848fb9701f3b61564e5 # latest node
sourceSignature:
issuerRegExp: https://token.actions.githubusercontent.com
subjectRegExp: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
destination: ghcr.io/geonet/base-images/node:20
- source: ghcr.io/geonet/base-images/mkdocs_plus:latest@sha256:d54c497b4ec5cce0c41b84e6afe5e4250c0b6ba499832ee977137f0f5e9c8a77
sourceSignature:
issuerRegExp: https://token.actions.githubusercontent.com
# match signature before and after adopting reusable workflow
# as the identity of the subject changes depending on which workflow it's signed with
subjectRegExp: https://github.com/GeoNet/(base-images/.github/workflows/build.yml@refs/heads/main|Actions/.github/workflows/reusable-docker-build.yml@refs/heads/main)
destination: ghcr.io/geonet/base-images/mkdocs_plus:2023-06-14
- source: ghcr.io/siderolabs/conform:v0.1.0-alpha.27@sha256:60e5c3cac83104077aff44a86518972f92cffb48d06c06486fb1f2711d4eb559
destination: ghcr.io/geonet/base-images/siderolabs-conform:v0.1.0-alpha.27
Expand All @@ -58,6 +79,9 @@ sync:
destination: ghcr.io/geonet/base-images/centos:stream9
auto-update-mutable-tag-digest: true
- source: cgr.dev/chainguard/curl:8.1.2@sha256:73992422b3e634c520483bb0aeda22c405d4701ccf5c2294c71d7f67373301cb
sourceSignature:
issuerRegExp: https://token.actions.githubusercontent.com
subjectRegExp: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
destination: ghcr.io/geonet/base-images/curl:8.1.2
- source: docker.io/owasp/zap2docker-stable:2.11.1@sha256:47ba18f36de06f253e655d26ad78945c6dc24404e58f1c0758293a583bb99ce5
destination: ghcr.io/geonet/base-images/owasp/zap2docker-stable:2.11.1
Expand Down

0 comments on commit d41d1ef

Please sign in to comment.