Implement signing #25

Closed
Vincinator opened this issue Jul 18, 2024 · 6 comments · Fixed by gardenlinux/gl-oci#24
Vincinator commented Jul 18, 2024

Requirements

Thanks @nkraetzschmar

Integration into Pipelines

  • Use KMS signing
  • For development and local testing, add oci-sign.crt creation to the Makefile in the gardenlinux/gardenlinux cert/ folder
@Vincinator Vincinator mentioned this issue Sep 10, 2024
@Vincinator Vincinator self-assigned this Aug 6, 2024
Vincinator commented

Checked the Annotation Rules. I see no issue with using annotations for storing the signed object* and the signature.

*signed object: the string that contains target digest + metadata

Vincinator commented

I could not find consensus in the oci-spec repository on signing, and could not find a clear favourite that will emerge any time soon.

We may also consider using https://github.com/notaryproject/notary, but for now we do not plan to use it.

Vincinator commented

TODO: need to input the version, as this should also be part of the string that is signed.


Vincinator commented Aug 8, 2024

TODO: we also need to add verification of signatures before we edit or add a manifest. For example, if we attach a layer, we need to make sure that the old signature of the manifest entry was valid. Otherwise, we would make something that was invalid before valid without directly checking it.

e.g.:

  • we have a manifest A with an invalid signature in the oci-index
  • we attach a layer with test results for example
  • attaching a layer changes the manifest and its digest, so the signature of the manifest in the oci-index must be re-calculated.
  • if we did not verify the signature of that manifest entry, we would make a modified manifest with an invalid signature valid and allow any other compromised layer to be signed by us

EDIT: done ✅


Vincinator commented Aug 8, 2024

TODO: we also need to add verification of digests. The signed data contains a digest, which is a sha256 hash of the respective blob (if layer) or JSON (if manifest).

If the blob or manifest is modified, the digest also changes in the registry. gl-oci should also verify the digest where possible, but in theory it should not be required, because the OCI registry would not allow hosting mismatching digests, with the potential implementation-dependent exception of entries in the oci-index.

Therefore we just make sure to verify digests wherever we use the digest.

EDIT: done ✅
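The two checks described in the comments above (verify the existing signature of an index entry before modifying and re-signing its manifest, and verify the signed digest against the bytes actually served) as an added, self-contained example. This is not gl-oci's code: HMAC-SHA256 stands in for KMS/certificate signing so it runs with the standard library only, the annotation keys `io.example.oci.signed-data` / `io.example.oci.signature` are hypothetical, and the manifest and layer bytes are constructed for the demo. The signed string carries the target digest, version and metadata, as the earlier TODO asks for.

```python
"""Added example (not gl-oci code): verify-before-modify for signed OCI index entries."""
import hashlib
import hmac
import json

KEY = b"demo-signing-key-not-for-production"        # constructed stand-in for the KMS key
SIGNED_DATA_ANNOTATION = "io.example.oci.signed-data"  # hypothetical annotation key
SIGNATURE_ANNOTATION = "io.example.oci.signature"      # hypothetical annotation key


class VerificationError(Exception):
    pass


def sha256_digest(data: bytes) -> str:
    """OCI-style digest string of a blob or of canonical manifest JSON."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def canonical_json(obj: dict) -> bytes:
    """Deterministic encoding so a manifest's digest is stable."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def signed_string(digest: str, version: str, metadata: dict) -> str:
    """The 'signed object': target digest + version + metadata as one string."""
    return canonical_json({"digest": digest, "version": version, "metadata": metadata}).decode()


def sign(signed_data: str) -> str:
    # HMAC stands in for an asymmetric KMS signature (assumption for this demo).
    return hmac.new(KEY, signed_data.encode(), hashlib.sha256).hexdigest()


def signature_valid(signed_data: str, signature: str) -> bool:
    return hmac.compare_digest(sign(signed_data), signature)


def build_signed_entry(manifest: dict, version: str, metadata: dict) -> dict:
    """Index entry for a manifest, with signed data and signature in annotations."""
    body = canonical_json(manifest)
    digest = sha256_digest(body)
    signed_data = signed_string(digest, version, metadata)
    return {"mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": digest, "size": len(body),
            "annotations": {SIGNED_DATA_ANNOTATION: signed_data,
                            SIGNATURE_ANNOTATION: sign(signed_data)}}


def verify_index_entry(entry: dict, manifest_body: bytes) -> dict:
    """Check the signature, then that the signed digest matches both the entry
    and the manifest bytes actually served. Returns the parsed signed data."""
    ann = entry.get("annotations", {})
    signed_data, signature = ann.get(SIGNED_DATA_ANNOTATION), ann.get(SIGNATURE_ANNOTATION)
    if signed_data is None or signature is None:
        raise VerificationError("unsigned index entry")
    if not signature_valid(signed_data, signature):
        raise VerificationError("bad signature")
    parsed = json.loads(signed_data)
    # Registries enforce content digests for blobs/manifests, but index entries
    # may not be checked, so compare the signed digest against the served bytes.
    if parsed["digest"] != entry["digest"] or parsed["digest"] != sha256_digest(manifest_body):
        raise VerificationError("digest mismatch")
    return parsed


def attach_layer(entry: dict, manifest: dict, layer: bytes, version: str):
    """Attach a layer and re-sign, but only after the old signature verified.
    Re-signing without this check would launder an invalid manifest into a valid one."""
    old = verify_index_entry(entry, canonical_json(manifest))
    new_manifest = dict(manifest)
    new_manifest["layers"] = manifest["layers"] + [
        {"mediaType": "application/octet-stream", "digest": sha256_digest(layer), "size": len(layer)}]
    return new_manifest, build_signed_entry(new_manifest, version, old["metadata"])


def sample_manifest() -> dict:
    rootfs = b"pretend-rootfs-bytes"  # constructed sample, not a real image
    return {"schemaVersion": 2, "config": {"digest": sha256_digest(b"{}"), "size": 2},
            "layers": [{"mediaType": "application/octet-stream",
                        "digest": sha256_digest(rootfs), "size": len(rootfs)}]}


def demo_honest_flow() -> int:
    manifest = sample_manifest()
    entry = build_signed_entry(manifest, "1.0", {"arch": "amd64"})
    new_manifest, new_entry = attach_layer(entry, manifest, b"test results", "1.0")
    verify_index_entry(new_entry, canonical_json(new_manifest))  # re-signed entry verifies
    return len(new_manifest["layers"])


def demo_tampered_manifest() -> str:
    """A layer was swapped and digest/signed data updated, but without the key
    the old signature had to be reused; attaching must refuse, not re-sign."""
    manifest = sample_manifest()
    entry = build_signed_entry(manifest, "1.0", {"arch": "amd64"})
    tampered = dict(manifest)
    tampered["layers"] = [{"mediaType": "application/octet-stream", "digest": sha256_digest(b"evil"), "size": 4}]
    forged = build_signed_entry(tampered, "1.0", {"arch": "amd64"})
    forged["annotations"][SIGNATURE_ANNOTATION] = entry["annotations"][SIGNATURE_ANNOTATION]
    try:
        attach_layer(forged, tampered, b"test results", "1.0")
    except VerificationError as e:
        return str(e)
    return "accepted"


def demo_served_bytes_mismatch() -> str:
    """Valid signature, but the manifest bytes served differ from the signed digest."""
    entry = build_signed_entry(sample_manifest(), "1.0", {"arch": "amd64"})
    try:
        verify_index_entry(entry, canonical_json({**sample_manifest(), "schemaVersion": 3}))
    except VerificationError as e:
        return str(e)
    return "accepted"


if __name__ == "__main__":
    print(demo_honest_flow(), demo_tampered_manifest(), demo_served_bytes_mismatch())
```

The order of checks in `verify_index_entry` matters: the signature is checked before the digest comparison so that an attacker who can rewrite index annotations cannot turn a signature failure into a less alarming digest failure, and `attach_layer` only ever re-signs data derived from an entry that passed both checks.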

Vincinator commented

TODO: verification of signatures fails

@Vincinator Vincinator transferred this issue from gardenlinux/gl-oci Aug 19, 2024