From 1c55a7e36331802b1b8a839bf4a0967dd2b21fe4 Mon Sep 17 00:00:00 2001
From: saisatishkarra
Date: Mon, 16 Oct 2023 09:52:04 -0500
Subject: [PATCH] enable signing transaprency by default

Signed-off-by: saisatishkarra
---
 .github/workflows/docker-image-sign.yml | 5 ++---
 security-actions/sign-docker-image/README.md | 17 +++++------------
 security-actions/sign-docker-image/action.yml | 5 -----
 .../scripts/cosign-metadata.sh | 4 +++-
 4 files changed, 10 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/docker-image-sign.yml b/.github/workflows/docker-image-sign.yml
index bb586dd6..c71e11cb 100644
--- a/.github/workflows/docker-image-sign.yml
+++ b/.github/workflows/docker-image-sign.yml
@@ -80,11 +80,10 @@ jobs:
 env:
 RELEASE_TAG: kongcloud/security-test-repo:v1
 with:
- cosign_output_prefix: v1
+ cosign_output_prefix: v1 # Optional
+ local_save_cosign_assets: true # Optional
 signature_registry: kongcloud/security-test-repo-sig-pub
 tags: ${{ env.RELEASE_TAG }}
 image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
- rekor_transparency: true
- local_save_cosign_assets: true
 registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
 registry_password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}
\ No newline at end of file
diff --git a/security-actions/sign-docker-image/README.md b/security-actions/sign-docker-image/README.md
index 343c0f49..1f485426 100644
--- a/security-actions/sign-docker-image/README.md
+++ b/security-actions/sign-docker-image/README.md
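Review bot: The workflow still ends without a trailing newline — the `\ No newline at end of file` marker follows the `registry_password` line — so yamllint's new-line-at-end-of-file rule fails and every later edit of that last line will show up as a two-line diff; add the newline while this block is being touched. The new `# Optional` inline comments on `cosign_output_prefix` and `local_save_cosign_assets` are harmless, but the authoritative statement of what is optional is the `required:` field of each input in action.yml, so they can drift from it if the action's inputs change again.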
@@ -22,15 +22,14 @@ permissions: - Generate an signature based on keyless identities using `Github` OIDC provider within workflows - Be authenicated access to publish docker hub registry - Uploads the [mapping identities](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md) to Public Rekor Instance logged forever. - - **Contain senstitive information for private repositories**; Yet no way to protect PII being uploaded / masked. -s + - **May Contain senstitive information for private repositories**; Yet no way to protect PII being uploaded / masked. + #### Verification - `cosign verify` needs to have: - access to public rekor instance - authenicated access to private docker hub registry - un-authenticated access to public registry - - use `--insecure-ignore-tlog` to skip verifying against rekor if transparency is optional - + #### Input specification #### Parameters @@ -52,10 +51,6 @@ s image_digest: description: 'specify single sha256 digest associated with the specified image_registries' required: true - rekor_transparency: - description: 'rekor during publishing / verification transaprency for private repositories' - default: false - required: false registry_username: description: 'docker username to login against private docker registry' required: false @@ -123,7 +118,7 @@ COSIGN_REPOSITORY=kong/notary cosign verify -a repo="Kong/kong-ee" -a workflow=" echo "manifest_sha=$manifest_sha" >> $GITHUB_OUTPUT - name: Sign Image digest - id: sign_image + id: sign_image_pre_release if: steps.image_manifest_metadata.outputs.manifest_sha != '' uses: ./security-actions/sign-docker-image with: 
@@ -131,7 +126,6 @@ COSIGN_REPOSITORY=kong/notary cosign verify -a repo="Kong/kong-ee" -a workflow=" signature_registry: kongcloud/security-test-repo-sig-pub tags: ${{ env.TAGS }} image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }} - rekor_transparency: true local_save_cosign_assets: true registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }} registry_password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }} @@ -146,7 +140,7 @@ COSIGN_REPOSITORY=kong/notary cosign verify -a repo="Kong/kong-ee" -a workflow=" done - name: Sign Image digest - id: sign_image_v1 + id: sign_image_promotion if: steps.image_manifest_metadata.outputs.manifest_sha != '' uses: ./security-actions/sign-docker-image env: @@ -156,7 +150,6 @@ COSIGN_REPOSITORY=kong/notary cosign verify -a repo="Kong/kong-ee" -a workflow=" signature_registry: kongcloud/security-test-repo-sig-pub tags: ${{ env.RELEASE_TAG }} image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }} - rekor_transparency: true local_save_cosign_assets: true registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }} registry_password: ${{ secrets.GHA_DOCKERHUB_PUSH_TOKEN }} diff --git a/security-actions/sign-docker-image/action.yml b/security-actions/sign-docker-image/action.yml index 6ee34a01..554ff90b 100644 --- a/security-actions/sign-docker-image/action.yml +++ b/security-actions/sign-docker-image/action.yml @@ -20,10 +20,6 @@ inputs: image_digest: description: 'specify single sha256 digest associated with the specified image_registries' required: true - rekor_transparency: - description: 'Use rekor during publishing / verification of transaprency publicly. When false, the input local_save_cosign_assets must be enabled to generate signatures and certs locally for verification' - default: true - required: false registry_username: description: 'docker username to login against private docker registry' required: false 
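Review bot: With the `rekor_transparency` input removed from action.yml, nothing in the action metadata states any more that the transparency-log upload is unconditional — the deleted description was the only place that explained how Rekor upload relates to `local_save_cosign_assets`. Append that to the `local_save_cosign_assets` description, e.g. `'... signatures are always uploaded to the public Rekor transparency log; enable this to additionally keep the signature and cert locally for verification'`, or state it in the action-level description. Callers that still pass `rekor_transparency:` will not fail outright — for a composite action GitHub Actions reports an unexpected-input warning rather than an error, as far as I know — so stale callers should be hunted down rather than relied on to surface the change; the README examples are updated in this commit. The enclosing `inputs:` mapping begins before the hunk.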
@@ -46,7 +42,6 @@ runs: env: LOCAL_SAVE_COSIGN_ASSETS: ${{ inputs.local_save_cosign_assets }} ASSET_PREFIX: ${{ inputs.cosign_output_prefix }} - REKOR_TRANSPARENCY: ${{ inputs.rekor_transparency }} run: $GITHUB_ACTION_PATH/scripts/cosign-metadata.sh - name: Install Cosign diff --git a/security-actions/sign-docker-image/scripts/cosign-metadata.sh b/security-actions/sign-docker-image/scripts/cosign-metadata.sh index a7c512ef..c152e739 100755 --- a/security-actions/sign-docker-image/scripts/cosign-metadata.sh +++ b/security-actions/sign-docker-image/scripts/cosign-metadata.sh @@ -5,8 +5,10 @@ set -euo pipefail readonly signature_ext=".sig" readonly signing_cert_ext=".crt" +readonly rekor_transparency="true" + # Always Recurisvely sign one/ all manifest digests for docker manifest distribution /list mediaType -signing_args="--yes --recursive --tlog-upload=${REKOR_TRANSPARENCY}" +signing_args="--yes --recursive --tlog-upload=${rekor_transparency}" # if [[ ${MULTI_PLATFORM} ]]; then # signing_args+=" --recursive"
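Review bot: `readonly rekor_transparency="true"` in cosign-metadata.sh makes transparency-log upload mandatory, not a default as the subject line says — once `REKOR_TRANSPARENCY` is dropped from the action.yml `env:` block in the hunk above there is no input or variable left that can turn it off. That is a sound hardening choice (verification no longer needs `--insecure-ignore-tlog`), but the constant deserves a why-comment because the README in this same commit warns that the uploaded identity metadata may contain sensitive information for private repositories and is logged forever: `# Always upload to the public Rekor log so signatures verify without --insecure-ignore-tlog.` followed by `# The OIDC identity claims in the entry become public and permanent.` If the value is meant to stay fixed, writing `--tlog-upload=true` directly in `signing_args` says the same thing with less indirection; keep the variable only if an opt-out is expected to return, and document the trade-off at that point.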