enable signing transparency by default
Signed-off-by: saisatishkarra <[email protected]>
saisatishkarra committed Oct 17, 2023
1 parent 9821848 commit 1c55a7e
Showing 4 changed files with 10 additions and 21 deletions.
5 changes: 2 additions & 3 deletions .github/workflows/docker-image-sign.yml
Expand Up @@ -80,11 +80,10 @@ jobs:
env:
RELEASE_TAG: kongcloud/security-test-repo:v1
with:
cosign_output_prefix: v1
cosign_output_prefix: v1 # Optional
local_save_cosign_assets: true # Optional
signature_registry: kongcloud/security-test-repo-sig-pub
tags: ${{ env.RELEASE_TAG }}
image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
rekor_transparency: true
local_save_cosign_assets: true
registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
registry_password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}
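Review bot: the `# Optional` annotations added to `cosign_output_prefix` and `local_save_cosign_assets` restate optionality that is already expressed by `required:` in action.yml; if they stay, check that they match the declarations there, because the same hunk drops `rekor_transparency: true` and this caller now relies entirely on the action's own defaults for transparency-log behaviour.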
17 changes: 5 additions & 12 deletions security-actions/sign-docker-image/README.md
Expand Up @@ -22,15 +22,14 @@ permissions:
- Generate an signature based on keyless identities using `Github` OIDC provider within workflows
- Be authenicated access to publish docker hub registry
- Uploads the [mapping identities](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md) to Public Rekor Instance logged forever.
- **Contain senstitive information for private repositories**; Yet no way to protect PII being uploaded / masked.
s
- **May Contain senstitive information for private repositories**; Yet no way to protect PII being uploaded / masked.

#### Verification
- `cosign verify` needs to have:
- access to public rekor instance
- authenicated access to private docker hub registry
- un-authenticated access to public registry
- use `--insecure-ignore-tlog` to skip verifying against rekor if transparency is optional


#### Input specification

#### Parameters
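Review bot: the replacement bullet keeps the typo from the line it replaces (`senstitive` for sensitive, and the surrounding context still has `an signature` and `authenicated`); since this is the one paragraph warning users of private repositories that identity data is logged forever in public Rekor, it is worth fixing while it is being touched. Dropping the `--insecure-ignore-tlog` bullet is consistent with transparency no longer being optional, but the Verification list should then say plainly that access to the public Rekor instance is now mandatory rather than leaving it implied.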
Expand All @@ -52,10 +51,6 @@ s
image_digest:
description: 'specify single sha256 digest associated with the specified image_registries'
required: true
rekor_transparency:
description: 'rekor during publishing / verification transaprency for private repositories'
default: false
required: false
registry_username:
description: 'docker username to login against private docker registry'
required: false
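Review bot: removing the `rekor_transparency` parameter also removes the README's only statement of whether signatures are uploaded to the transparency log; add a sentence near the remaining parameters saying that tlog upload is now always on, so callers know there is no opt-out for private repositories. The deleted block documented `default: false` while action.yml said `default: true`, so the deletion at least ends that contradiction.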
Expand Down Expand Up @@ -123,15 +118,14 @@ COSIGN_REPOSITORY=kong/notary cosign verify -a repo="Kong/kong-ee" -a workflow="
echo "manifest_sha=$manifest_sha" >> $GITHUB_OUTPUT
- name: Sign Image digest
id: sign_image
id: sign_image_pre_release
if: steps.image_manifest_metadata.outputs.manifest_sha != ''
uses: ./security-actions/sign-docker-image
with:
cosign_output_prefix: ubuntu-23-10
signature_registry: kongcloud/security-test-repo-sig-pub
tags: ${{ env.TAGS }}
image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
rekor_transparency: true
local_save_cosign_assets: true
registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
registry_password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}
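Review bot: the step id changes from `sign_image` to `sign_image_pre_release`; if any later step in this README example refers to `steps.sign_image.outputs`, it needs the same rename, otherwise the expression evaluates to an empty string rather than failing loudly.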
Expand All @@ -146,7 +140,7 @@ COSIGN_REPOSITORY=kong/notary cosign verify -a repo="Kong/kong-ee" -a workflow="
done
- name: Sign Image digest
id: sign_image_v1
id: sign_image_promotion
if: steps.image_manifest_metadata.outputs.manifest_sha != ''
uses: ./security-actions/sign-docker-image
env:
Expand All @@ -156,7 +150,6 @@ COSIGN_REPOSITORY=kong/notary cosign verify -a repo="Kong/kong-ee" -a workflow="
signature_registry: kongcloud/security-test-repo-sig-pub
tags: ${{ env.RELEASE_TAG }}
image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
rekor_transparency: true
local_save_cosign_assets: true
registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
registry_password: ${{ secrets.GHA_DOCKERHUB_PUSH_TOKEN }}
5 changes: 0 additions & 5 deletions security-actions/sign-docker-image/action.yml
Expand Up @@ -20,10 +20,6 @@ inputs:
image_digest:
description: 'specify single sha256 digest associated with the specified image_registries'
required: true
rekor_transparency:
description: 'Use rekor during publishing / verification of transaprency publicly. When false, the input local_save_cosign_assets must be enabled to generate signatures and certs locally for verification'
default: true
required: false
registry_username:
description: 'docker username to login against private docker registry'
required: false
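Review bot: deleting the `rekor_transparency` input means a caller that still passes it gets only an "Unexpected input(s)" warning from the Actions runner, so the value is silently ignored rather than rejected; this deserves a changelog note and a README line alongside the change. The deleted description was also the only place stating that `local_save_cosign_assets` had to be enabled when transparency was off; with upload now unconditional, confirm that dependency no longer applies and that the sensitive-information caveat from the README is surfaced next to the action's inputs.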
Expand All @@ -46,7 +42,6 @@ runs:
env:
LOCAL_SAVE_COSIGN_ASSETS: ${{ inputs.local_save_cosign_assets }}
ASSET_PREFIX: ${{ inputs.cosign_output_prefix }}
REKOR_TRANSPARENCY: ${{ inputs.rekor_transparency }}
run: $GITHUB_ACTION_PATH/scripts/cosign-metadata.sh

- name: Install Cosign
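Review bot: with `REKOR_TRANSPARENCY` no longer exported, a script running under `set -u` would abort on any remaining `${REKOR_TRANSPARENCY}` reference, so this removal is only safe together with the script change in the same commit; keep the two in one commit as done here and mention the coupling in the changelog.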
Expand Up @@ -5,8 +5,10 @@ set -euo pipefail
readonly signature_ext=".sig"
readonly signing_cert_ext=".crt"

readonly rekor_transparency="true"

# Always Recurisvely sign one/ all manifest digests for docker manifest distribution /list mediaType
signing_args="--yes --recursive --tlog-upload=${REKOR_TRANSPARENCY}"
signing_args="--yes --recursive --tlog-upload=${rekor_transparency}"

# if [[ ${MULTI_PLATFORM} ]]; then
# signing_args+=" --recursive"
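Review bot: a `readonly rekor_transparency="true"` that is never changed adds indirection for no benefit; either pass `--tlog-upload=true` literally or drop the flag, since cosign v2 uploads to the transparency log by default. The commented-out `MULTI_PLATFORM` block is dead code now that `--recursive` is always passed, and the comment above it misspells "Recursively"; both could go in the same cleanup.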