Feature - Sign scorecard container with cosign #309
Comments
Now that https://github.com/sigstore/cosign is 1.0, we could use it for signing. Thoughts @inferno-chromium @azeemshaikh38 |
On a high-level the idea sounds good to me. I don't understand |
@naveensrinivasan assigning this to you as per yesterday's discussion. Let's come up with a one-pager proposal here to submit in the TAC meeting |
I have the following recommendations:
|
Thank you @developer-guy! We are tracking this as part of this larger issue #1051. We want to come up with a plan for it being SLSA compliant.
|
Would OIDC be an option? This way we don't need a special workflow to generate keys and store them in GH secrets, and we also get built-in key rotation. |
@asraa FYI |
Yes, that would be a great option for signing containers. Signing a blob (scorecard binary) is easy, but verifying is jumping through lots of hoops. I am trying that; the tooling isn't there yet. Also we need to understand if it satisfies the SLSA requirements. |
hello @azeemshaikh38 @naveensrinivasan, here is the keyless image signing example with GoReleaser, recently created as a sample project[1], thanks to @caarlos0. Of course, you can find an example of signing the checksum also; here is the related tweet[2].

Sample 1: Signing Container Images

```yaml
docker_signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    artifacts: images
    args:
      - 'sign'
      # pick GitHub's OIDC issuer when running in CI, the public Sigstore issuer otherwise
      - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
      - '${artifact}'
```

Sample 2: Signing checksums.txt file

```yaml
# Assumed reconstruction: the extracted page repeated the docker_signs block under this
# heading; a checksum file is a blob, so GoReleaser's `signs` section with `cosign sign-blob`
# is the matching keyless configuration.
signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    artifacts: checksum
    args:
      - 'sign-blob'
      - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
      - '--output-signature=${signature}'
      - '${artifact}'
```
|
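The keyless flow raised in the OIDC comment above (no signing key in GH secrets, identity comes from the workflow's OIDC token) and the GoReleaser sample, written out end to end as a GitHub Actions workflow that signs an image and then verifies it with the signer identity pinned. This is an added example, not the scorecard project's own workflow or the sample project's code. It assumes a placeholder image name `ghcr.io/example-org/scorecard`, a workflow file at `.github/workflows/release.yml`, and cosign 2.x, whose `verify` command requires `--certificate-identity-regexp` and `--certificate-oidc-issuer` instead of the `COSIGN_EXPERIMENTAL=1` switch used in the sample.

```yaml
# Added example (not the scorecard project's workflow).
# Placeholders: ghcr.io/example-org/scorecard, .github/workflows/release.yml
name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: read
  packages: write   # push the image to GHCR
  id-token: write   # lets cosign request a short-lived OIDC token from GitHub; no key stored in secrets

jobs:
  build-sign-verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/example-org/scorecard:${{ github.ref_name }}

      # Keyless signing: cosign exchanges the workflow's OIDC token for a Fulcio certificate
      # bound to this repo/workflow/ref, signs the image digest, and records it in Rekor.
      # Signing by digest rather than by tag binds the signature to the exact content.
      - name: Sign image by digest
        run: cosign sign --yes ghcr.io/example-org/scorecard@${{ steps.build.outputs.digest }}

      # Verification pins WHO signed: the certificate must name this repository's release
      # workflow and must have been issued against GitHub's OIDC issuer. Without both flags
      # a certificate from any Sigstore identity would satisfy the signature check.
      - name: Verify signature with pinned identity
        run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github\.com/example-org/scorecard/\.github/workflows/release\.yml@refs/tags/v.*$' \
            ghcr.io/example-org/scorecard@${{ steps.build.outputs.digest }}
```

The verify step is the part the thread calls hard: the signature alone only proves that some Sigstore identity signed the digest, so a consumer must also assert the expected issuer and the expected workflow identity (repository, workflow path and ref pattern). Key rotation is implicit because every run obtains a fresh short-lived certificate rather than reusing a long-lived key.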
Cross-linking a few things from Kubernetes tracking:
|
kindly ping @naveensrinivasan, what needs to be done? 🙏 |
We could also wait for the slsa-generator to have support for containers (later this month), and use that with GoReleaser. /cc @ianlewis |
Is this something that still needs to be discussed? |
Is your feature request related to a problem? Please describe.
Sign scorecard containers with cosign