Incorporate "keyless" verification of base images. #436
Conversation
Codecov Report
@@ Coverage Diff @@
## main #436 +/- ##
==========================================
- Coverage 53.46% 52.71% -0.75%
==========================================
Files 36 36
Lines 1835 1863 +28
==========================================
+ Hits 981 982 +1
- Misses 703 729 +26
- Partials 151 152 +1
Continue to review full report at Codecov.
|
mattmoor
force-pushed
the
just-verify
branch
from
fdd8787
to
464b388
Compare
|
I would like to take a chainsaw to the cosign dependency graph. |
mattmoor
force-pushed
the
just-verify
branch
from
464b388
to
a0be4cf
Compare
|
Ok cool, as expected with |
Do it! |
|
Should take into account whatever guidance comes out of sigstore/cosign#677 |
|
... and sigstore/cosign#666 which seems very popular 😅 |
|
Needs rebase. |
This change enables folks to start verifying their base images are signed against Fulcio by specifying `COSIGN_EXPERIMENTAL=true`, which will ensure each digest we intend to base an image on is verified. Unless `COSIGN_EXPERIMENTAL=true` is enabled, this change will have no effect. When `COSIGN_EXPERIMENTAL=true` is enabled, this change will verify base image digests, and emit a `WARNING:` when they are not signed (the `gcr.io/distroless` images are now signed!). When `COSIGN_EXPERIMENTAL=true` is enabled *AND* `--strict` is passed, then failure to verify a base image digest will fail the `ko` command. Related: ko-build#356
mattmoor
force-pushed
the
just-verify
branch
from
a0be4cf
to
b26a51d
Compare
Done |
| @@ -55,6 +58,7 @@ var ( | |||
| // getBaseImage returns a function that determines the base image for a given import path. | |||
| // If the `bo.BaseImage` parameter is non-empty, it overrides base image configuration from `.ko.yaml`. | |||
| func getBaseImage(platform string, bo *options.BuildOptions) build.GetBase { | |||
| v := &verifier{entries: make(map[name.Digest]*entry, 10)} | |||
There was a problem hiding this comment.
Seemed like a small enough number to be reasonable, yet avoid resizing. I don't particularly care.
There was a problem hiding this comment.
Same. I don't think there's any reason to care about the initial size of the map, so let's just YOLO-make it, or map[name.Digest]*entry{}.
| result error | ||
| } | ||
|
|
||
| func (v *verifier) verify(ctx context.Context, digest name.Digest) error { |
There was a problem hiding this comment.
I'd like to have a better idea how verification will look in the fullness of time. For now, it sounds like it's just "verify this image has any signature" -- does it also look it up in Rekor? Eventually folks might want to disable checking Rekor, or express other signature requirements.
Even just a sketch of how we envision that looking (in .ko.yaml?) would be helpful to me.
| v.m.Lock() | ||
| defer v.m.Unlock() | ||
| // See if there's already an entry for this digest. | ||
| if e, ok := v.entries[digest]; ok { |
There was a problem hiding this comment.
nit: You could hide v.entries initialization in here, instead of making it the responsibility of the verifier instantiator, above.
This change enables folks to start verifying their base images are signed against Fulcio by specifying
COSIGN_EXPERIMENTAL=true, which will ensure each digest we intend to base an image on is verified.Unless
COSIGN_EXPERIMENTAL=trueis enabled, this change will have no effect.When
COSIGN_EXPERIMENTAL=trueis enabled, this change will verify base image digests, and emit aWARNING:when they are not signed (thegcr.io/distrolessimages are now signed!).When
COSIGN_EXPERIMENTAL=trueis enabled AND--strictis passed, then failure to verify a base image digest will fail thekocommand.Related: #356
Related: #433