Skip to content

Remove EXPERIMENTAL flag for keyless signing #165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,12 @@ and this project uses the version of main tool as main version number .

## [Unreleased]

- Cosign version 2.0
- BREAKING when doing KEYLESS signing:
- You need to acknowledge using a PUBLIC Rekor and Fulcio server when doing keyless signing. Set `public_transparancy_log` to `true`. Default is `false`.

## v5.1.0
- Remove experimental flag for keyless signing
- Rename arguments to reflect multiple container registries.

## v5.0.0
Expand Down
14 changes: 7 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,7 @@ Examples: Using explicit variables

**Optional** Set to `true` when you want to use keyless signing with [SigStore's Rekor and Fulcio](https://blog.sigstore.dev/sigstore-ga-ddd6ba67894d).
**Warning** This is a **PUBLIC** transparancy log, this means you will reveal information about your OCI images publically. **DO NOT USE THIS FOR PRIVATE IMAGES**.
In order to make sure you understand a **PUBLIC** transparancy log is used, you need to set the `public_transparancy_log` argument to `true`.

You can use `KEYLESS` to start using SigStore's Rekor and Fulcio together with GitHub OIDC. When set, you don't need to specify the three COSIGN Arguments.

Expand Down Expand Up @@ -235,7 +236,7 @@ Store the content of `cosign.pub`, `cosign.key` and the password in GitHub Secre
Now you can verify the image f.e. `jeroenknoops/test-image:latest`:

```bash
$ cosign verify --key cosign.pub jeroenknoops/test-image:latest
$ cosign verify --insecure-ignore-tlog --key cosign.pub jeroenknoops/test-image:latest
```

You will get a result when the image is valid.
Expand Down Expand Up @@ -276,8 +277,7 @@ Now you can verify the image f.e. `jeroenknoops/test-image:latest`:
Keyless siging is still an expermental feature of cosign, so you need to set the flag.

```bash
$ export COSIGN_EXPERIMENTAL=1
$ cosign verify --key cosign.pub jeroenknoops/test-image:latest
$ cosign verify --insecure-ignore-tlog --key cosign.pub jeroenknoops/test-image:latest
```

You will get a result when the image is valid.
Expand Down Expand Up @@ -337,7 +337,7 @@ the COSIGN environment variables. (see #sign how to generate the key-pair)
Now you can verify the attestation for a certain docker-repo f.e. `jeroenknoops/test-image:latest`:

```bash
$ cosign verify-attestation --key cosign.pub jeroenknoops/test-image:latest | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType=="https://slsa.dev/provenance/v0.2" ) | .'
$ cosign verify-attestation --insecure-ignore-tlog --key cosign.pub jeroenknoops/test-image:latest | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType=="https://slsa.dev/provenance/v0.2" ) | .'
```

This is nice, because you can see how and when the image was build, without downloading it!
Expand Down Expand Up @@ -393,7 +393,7 @@ the COSIGN environment variables. (see #sign how to generate the key-pair)
Now you can verify the attestation for a certain docker-repo f.e. `jeroenknoops/test-image:latest`:

```bash
$ cosign verify-attestation --key cosign.pub jeroenknoops/test-image:latest | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType=="https://spdx.dev/Document" ) | .predicate.Data | fromjson | .'
$ cosign verify-attestation --insecure-ignore-tlog --key cosign.pub jeroenknoops/test-image:latest | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType=="https://spdx.dev/Document" ) | .predicate.Data | fromjson | .'
```

#### With SLSA-Provenance and Software Bill of Material (SBOM) attached to Image:
Expand Down Expand Up @@ -425,8 +425,8 @@ the COSIGN environment variables. (see #sign how to generate the key-pair)
Now you can verify the attestation for a certain docker-repo f.e. `jeroenknoops/test-image:latest`:

```bash
$ cosign verify-attestation --key cosign.pub jeroenknoops/test-image:latest | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType=="https://spdx.dev/Document" ) | .predicate.Data | fromjson | .'
$ cosign verify-attestation --key cosign.pub jeroenknoops/test-image:latest | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType=="https://slsa.dev/provenance/v0.2" ) | .'
$ cosign verify-attestation --insecure-ignore-tlog --key cosign.pub jeroenknoops/test-image:latest | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType=="https://spdx.dev/Document" ) | .predicate.Data | fromjson | .'
$ cosign verify-attestation --insecure-ignore-tlog --key cosign.pub jeroenknoops/test-image:latest | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType=="https://slsa.dev/provenance/v0.2" ) | .'
```

This is nice, because you can see the SBOM of the image, without downloading it!
Expand Down
5 changes: 5 additions & 0 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,10 @@ inputs:
sign:
description: 'Sign image with Cosign. Requires COSIGN environment variables to be set. When used in combination with slsa-provenance / sbom it will also attach the results to the image.'
required: false
public_transparancy_log:
description: 'Use PUBLIC Fulcio and Rekor services to store information'
required: true
default: false
github_context:
description: 'internal (do not set): the "github" context object in json'
required: true
Expand Down Expand Up @@ -65,6 +69,7 @@ runs:
SLSA_PROVENANCE: ${{ inputs.slsa-provenance }}
SBOM: ${{ inputs.sbom }}
SIGN: ${{ inputs.sign }}
PUBLIC_TRANSPARANCY_LOG: ${{ inputs.public_transparancy_log }}
PUSH_ON_GIT_TAG: ${{ inputs.push-on-git-tag }}
GITHUB_CONTEXT: ${{ inputs.github_context }}
RUNNER_CONTEXT: ${{ inputs.runner_context }}
20 changes: 10 additions & 10 deletions bin/install_cosign.sh
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
#!/bin/bash

COSIGN_RELEASE=v1.13.1
COSIGN_RELEASE=v2.0.0
INSTALL_DIR=$HOME/.cosign

RUNNER_OS=$(uname)
Expand Down Expand Up @@ -37,13 +37,13 @@ shaprog() {
esac
}

bootstrap_version='v1.13.1'
bootstrap_linux_amd64_sha='a50651a67b42714d6f1a66eb6773bf214dacae321f04323c0885f6a433051f95'
bootstrap_linux_arm_sha='edc24d49459a73f54e78868a3540e1e54452ad2328c66e1eba8bcd78fcd349fc'
bootstrap_linux_arm64_sha='a7a79a52c7747e2c21554cad4600e6c7130c0429017dd258f9c558d957fa9090'
bootstrap_darwin_amd64_sha='1d164b8b1fcfef1e1870d809edbb9862afd5995cab63687a440b84cca5680ecf'
bootstrap_darwin_arm64_sha='02bef878916be048fd7dcf742105639f53706a59b5b03f4e4eaccc01d05bc7ab'
bootstrap_windows_amd64_sha='78a2774b68b995cc698944f6c235b1c93dcb6d57593a58a565ee7a56d64e4b85'
bootstrap_version='v2.0.0'
bootstrap_linux_amd64_sha='169a53594c437d53ffc401b911b7e70d453f5a2c1f96eb2a736f34f6356c4f2b'
bootstrap_linux_arm_sha='189d56c9946decdaa272e1dccb47ae64009ea39ac0274cfea00507b9acb877c9'
bootstrap_linux_arm64_sha='8132cb2fb99a4c60ba8e03b079e12462c27073028a5d08c07ecda67284e0c88d'
bootstrap_darwin_amd64_sha='d2c8fc0edb42a1e9745da1c43a2928cee044f3b8a1b8df64088a384c7e6f5b5d'
bootstrap_darwin_arm64_sha='9d7821e1c05da4b07513729cb00d1070c9a95332c66d90fa593ed77d8c72ca2a'
bootstrap_windows_amd64_sha='e78e7464dc0eda1d6ec063ac2738f4d1418b19dd19f999aa37e1679d5d3af82e'
cosign_executable_name=cosign

trap "popd >/dev/null" EXIT
Expand Down Expand Up @@ -157,7 +157,7 @@ if [[ ${COSIGN_RELEASE} == ${bootstrap_version} ]]; then
log_info "bootstrap version successfully verified and matches requested version so nothing else to do"
exit 0
fi
semver='^v([0-9]+\.){0,2}(\*|[0-9]+)$'
semver='^v([0-9]+\.){0,2}(\*|[0-9]+)(-?r?c?)(\.[0-9]+)$'
if [[ ${COSIGN_RELEASE} =~ $semver ]]; then
log_info "Custom cosign version '${COSIGN_RELEASE}' requested"
else
Expand Down Expand Up @@ -197,7 +197,7 @@ if [[ $shaCustom != $shaBootstrap ]]; then
RELEASE_COSIGN_PUB_KEY=https://raw.githubusercontent.com/sigstore/cosign/${COSIGN_RELEASE}/release/release-cosign.pub
fi
log_info "Using bootstrap cosign to verify signature of desired cosign version"
./cosign verify-blob --key $RELEASE_COSIGN_PUB_KEY --signature ${desired_cosign_filename}.sig cosign_${COSIGN_RELEASE}
./cosign verify-blob --insecure-ignore-tlog --key $RELEASE_COSIGN_PUB_KEY --signature ${desired_cosign_filename}.sig cosign_${COSIGN_RELEASE}
rm cosign
mv cosign_${COSIGN_RELEASE} cosign
chmod +x cosign
Expand Down
22 changes: 13 additions & 9 deletions container_digest.sh
Original file line number Diff line number Diff line change
Expand Up @@ -73,9 +73,16 @@ then
if [ -n "${KEYLESS}" ]
then
echo 'Keyless signing'
if [ "${PUBLIC_TRANSPARANCY_LOG}" == false ]
then
echo "--------------------------- ERROR --------------------------------"
echo "You want to use keyless signing without a public transparancy log."
echo "We do not support local REKOR and FULCIO servers at this moment."
echo "--------------------------- ERROR --------------------------------"
exit 1
fi
COSIGN_KEY_ARGUMENT=""
COSIGN_PUB_ARGUMENT=""
export COSIGN_EXPERIMENTAL=1
else
echo 'Signing using COSIGN keys'
COSIGN_KEY=$(mktemp /tmp/cosign.XXXXXXXXXX) || exit 1
Expand All @@ -85,8 +92,8 @@ then
echo "${COSIGN_PRIVATE_KEY}" > "$COSIGN_KEY"
echo "${COSIGN_PUBLIC_KEY}" > "$COSIGN_PUB"

COSIGN_KEY_ARGUMENT="--key $COSIGN_KEY"
COSIGN_PUB_ARGUMENT="--key $COSIGN_PUB"
COSIGN_KEY_ARGUMENT="--insecure-ignore-tlog --key $COSIGN_KEY"
COSIGN_PUB_ARGUMENT="--insecure-ignore-tlog --key $COSIGN_PUB"
fi
echo "Sign image"

Expand All @@ -113,10 +120,9 @@ then
echo '```bash'
if [ -n "${KEYLESS}" ]
then
echo "export COSIGN_EXPERIMENTAL=1"
echo "cosign verify $registry_url_prefix/$imagename@${containerdigest}"
else
echo "cosign verify --key cosign.pub $registry_url_prefix/$imagename@${containerdigest}"
echo "cosign verify --insecure-ignore-tlog --key cosign.pub $registry_url_prefix/$imagename@${containerdigest}"
fi
echo '```'
if [ -n "${KEYLESS}" ]
Expand Down Expand Up @@ -177,11 +183,10 @@ then
echo '```bash'
if [ -n "${KEYLESS}" ]
then
echo "export COSIGN_EXPERIMENTAL=1"
echo "cosign verify-attestation --type slsaprovenance $registry_url_prefix/$imagename@${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType==\"https://slsa.dev/provenance/v0.2\" ) | .'"
# TODO: Add tlog
else
echo "cosign verify-attestation --key cosign.pub --type slsaprovenance $registry_url_prefix/$imagename@${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType==\"https://slsa.dev/provenance/v0.2\" ) | .'"
echo "cosign verify-attestation --insecure-ignore-tlog --key cosign.pub --type slsaprovenance $registry_url_prefix/$imagename@${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType==\"https://slsa.dev/provenance/v0.2\" ) | .'"
fi
echo '```'
if [ -n "${KEYLESS}" ]
Expand Down Expand Up @@ -234,11 +239,10 @@ then
echo '```bash'
if [ -n "${KEYLESS}" ]
then
echo "export COSIGN_EXPERIMENTAL=1"
echo "cosign verify-attestation --type spdx $registry_url_prefix/$imagename@${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType==\"https://spdx.dev/Document\" ) | .predicate.Data | fromjson | .'"
# TODO: Add tlog
else
echo "cosign verify-attestation --key cosign.pub --type spdx $registry_url_prefix/$imagename@${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType==\"https://spdx.dev/Document\" ) | .predicate.Data | fromjson | .'"
echo "cosign verify-attestation --insecure-ignore-tlog --key cosign.pub --type spdx $registry_url_prefix/$imagename@${containerdigest} | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType==\"https://spdx.dev/Document\" ) | .predicate.Data | fromjson | .'"
fi
echo '```'
if [ -n "${KEYLESS}" ]
Expand Down