Signature verification added for kapp-controller artifacts #1417

Closed
@rcmadhankumar rcmadhankumar commented Dec 11, 2023

What this PR does / why we need it:

Added signature verification for Kapp-controller's release artifacts.

Which issue(s) this PR fixes:

Fixes #1341 #1343

Does this PR introduce a user-facing change?

NONE

Additional Notes for your reviewer:

Release notes will look like this:

Installation and signature verification

Installation of kctrl

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/rcmadhankumar/kapp-controller/releases/download/v0.0.1/kctrl-linux-amd64
# Move the binary into your PATH
mv kctrl-linux-amd64 /usr/local/bin/kctrl
# Make the binary executable
chmod +x /usr/local/bin/kctrl

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install kctrl
$ kctrl version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate, and signature
curl -LO https://github.com/rcmadhankumar/kapp-controller/releases/download/v0.0.1/checksums.txt
curl -LO https://github.com/rcmadhankumar/kapp-controller/releases/download/v0.0.1/checksums.txt.pem
curl -LO https://github.com/rcmadhankumar/kapp-controller/releases/download/v0.0.1/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt --certificate checksums.txt.pem --signature checksums.txt.sig --certificate-identity-regexp=https://github.com/rcmadhankumar --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. For instance, if you are using Linux on an AMD64 architecture:

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

Installation of kapp-controller

kapp-controller can be installed by using kapp

kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/v0.0.1/download/release.yml

or by using kubectl

kubectl apply -f https://github.com/carvel-dev/kapp-controller/releases/v0.0.1/download/release.yml

Container Images

Kapp-controller and Kapp-controller-package-bundle images are available in GitHub Container Registry.

OCI Image URLs

  • ghcr.io/rcmadhankumar/kapp-controller@sha256:e8004f14f25cb2cc4687f1c342837f4f394a3d73d72d37ba278d8737fa90d6d7
  • ghcr.io/rcmadhankumar/kapp-controller-package-bundle@sha256:b6e022201a8f73fa9ea47cd6fa58727bd574d6a88a5532918129fc04d9428995

Verify container image signature

The container images are signed using Cosign with GitHub OIDC. To validate the signature of OCI images, run the following commands:

# Verifying kapp-controller image
cosign verify ghcr.io/rcmadhankumar/kapp-controller@sha256:e8004f14f25cb2cc4687f1c342837f4f394a3d73d72d37ba278d8737fa90d6d7 --certificate-identity-regexp=https://github.com/rcmadhankumar --certificate-oidc-issuer=https://token.actions.githubusercontent.com -o text

# Verifying kapp-controller-package-bundle image
cosign verify ghcr.io/rcmadhankumar/kapp-controller-package-bundle@sha256:b6e022201a8f73fa9ea47cd6fa58727bd574d6a88a5532918129fc04d9428995 --certificate-identity-regexp=https://github.com/rcmadhankumar --certificate-oidc-issuer=https://token.actions.githubusercontent.com -o text

📂 Files Checksum


Full Changelog: https://github.com/rcmadhankumar/kapp-controller/commits/v0.0.1

Review Checklist:
  • Follows the developer guidelines
  • Relevant tests are added or updated
  • Relevant docs in this repo added or updated
  • Relevant carvel.dev docs added or updated in a separate PR and there's
    a link to that PR
  • Code is at least as readable and maintainable as it was before this
    change

Additional documentation e.g., Proposal, usage docs, etc.:

Proposal: https://github.com/carvel-dev/carvel/tree/develop/proposals/carvel/002-artifact-signatures
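
Added example (not part of the PR or the project's release tooling): `sha256sum -c checksums.txt --ignore-missing` succeeds as soon as any one listed file verifies, so it does not show that the kctrl binary itself was checked, for instance once it has been moved to /usr/local/bin/kctrl. The script below checks one named artifact against a checksums.txt whose signature has already passed `cosign verify-blob`; `expected_hash`, `verify_artifact`, `demo` and the sample files are hypothetical names and constructed data.

```shell
#!/usr/bin/env bash
# Added example: function names and sample files are hypothetical / constructed.

# expected_hash CHECKSUMS NAME: print the digest listed for NAME.
# Accepts "NAME", "./NAME" and "*NAME" entries; fails when NAME is absent
# or is listed with two different digests.
expected_hash() {
  awk -v n="$2" '
    { f = $2; sub(/^\*/, "", f); sub(/^\.\//, "", f) }
    f == n { h = tolower($1)
             if (seen && h != first) bad = 1
             if (!seen) { first = h; seen = 1 } }
    END { if (!seen || bad) exit 1; print first }' "$1"
}

# verify_artifact CHECKSUMS FILE [LISTED_NAME]
# Returns 0 only if FILE's SHA-256 equals the entry for LISTED_NAME
# (default: FILE's basename). 1 = mismatch, 2 = file missing, 3 = no entry.
verify_artifact() {
  local sums="$1" file="$2" name want got
  name="${3:-$(basename "$file")}"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
  want=$(expected_hash "$sums" "$name") || {
    echo "no unique entry for $name" >&2; return 3; }
  got=$(sha256sum "$file" | awk '{print $1}')
  [ "$got" = "$want" ] || { echo "MISMATCH: $file" >&2; return 1; }
  echo "OK: $file matches entry $name"
}

# Constructed demo: the binary is moved and renamed as in the install steps,
# then modified to stand in for a corrupted download.
demo() {
  local d rc
  d=$(mktemp -d) || return 1
  mkdir "$d/bin"
  printf 'apiVersion: v1\n' > "$d/release.yml"
  printf 'constructed binary\n' > "$d/kctrl-linux-amd64"
  ( cd "$d" && sha256sum ./release.yml ./kctrl-linux-amd64 > checksums.txt )
  mv "$d/kctrl-linux-amd64" "$d/bin/kctrl"
  printf 'altered\n' >> "$d/bin/kctrl"
  ( cd "$d" && sha256sum -c checksums.txt --ignore-missing >/dev/null 2>&1 ) && rc=0 || rc=$?
  echo "sha256sum -c --ignore-missing: exit $rc (only release.yml was checked)"
  verify_artifact "$d/checksums.txt" "$d/bin/kctrl" kctrl-linux-amd64 && rc=0 || rc=$?
  echo "verify_artifact: exit $rc"
  rm -rf "$d"
}

demo
```

Running the check before the `mv` and `chmod` steps keeps an unverified file from being installed into the PATH.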

@rcmadhankumar rcmadhankumar force-pushed the add-signature branch 2 times, most recently from 94fe6fc to 6264848 Compare December 11, 2023 15:56
@rcmadhankumar rcmadhankumar linked an issue Dec 11, 2023 that may be closed by this pull request
@rcmadhankumar rcmadhankumar force-pushed the add-signature branch 4 times, most recently from f4a0238 to 0530798 Compare January 18, 2024 12:26
@praveenrewar praveenrewar left a comment

Overall looks good. Suggested a small change, we can do it later in a separate PR as well.

Comment on lines +14 to +15
contents: write
packages: write

Do we need these permissions?

Comment on lines 294 to 297
RELEASE_NOTES_UPLOADED=$(gh release view $RELEASE_TAG --json body | jq -r '.body')
RELEASE_NOTES+=$RELEASE_NOTES_UPLOADED
echo "$RELEASE_NOTES" > release_notes.txt
gh release edit $RELEASE_TAG --notes-file release_notes.txt

Currently we generate a file checksums-formatted.txt in the `Add to formatted checksum` step, and then use this as the body while creating the draft release. Maybe we should have one common file to aggregate everything and then create a draft release? (We won't have to update the release notes then.)

@rcmadhankumar

created a new PR and it is merged: #1463

Successfully merging this pull request may close these issues.

  • Sign kctrl binaries while releasing them
  • Sign kapp-controller container images while publishing them