Verify cosign signatures of distroless base images #2016

Merged
merged 3 commits into from
Apr 25, 2021

Conversation

justaugustus
Member

What type of PR is this?

/kind feature
/area dependency security

What this PR does / why we need it:

  • Verify cosign signatures of distroless base images
  • go-runner: Build v2.3.1-go1.16.3-buster.1 image
  • go-runner: Build v2.3.1-go1.15.11-buster.1 image

From @dekkagaijin in #2011:

This'll ensure that the distroless base images were built on trusted infrastructure

$ docker run -it gcr.io/projectsigstore/cosign/ci/cosign@sha256:c581a4f0f6dd158220fa05d2351d8015f969b68de5c61d52c41478fae84e7064 -- verify -key https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub gcr.io/distroless/base:latest
Unable to find image 'gcr.io/projectsigstore/cosign/ci/cosign@sha256:c581a4f0f6dd158220fa05d2351d8015f969b68de5c61d52c41478fae84e7064' locally
gcr.io/projectsigstore/cosign/ci/cosign@sha256:c581a4f0f6dd158220fa05d2351d8015f969b68de5c61d52c41478fae84e7064: Pulling from projectsigstore/cosign/ci/cosign
5dea5ec2316d: Already exists
bb771d6dc9a1: Already exists
9127c3610b7e: Already exists
72164b581b02: Already exists
6fe218878cac: Pull complete
Digest: sha256:c581a4f0f6dd158220fa05d2351d8015f969b68de5c61d52c41478fae84e7064
Status: Downloaded newer image for gcr.io/projectsigstore/cosign/ci/cosign@sha256:c581a4f0f6dd158220fa05d2351d8015f969b68de5c61d52c41478fae84e7064

Verification for gcr.io/distroless/base:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:6ec6da1888b18dd971802c2a58a76a7702902b4c9c1be28f38e75e871cedc2df"},"type":"cosign container signature"},"optional":null},{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:6ec6da1888b18dd971802c2a58a76a7702902b4c9c1be28f38e75e871cedc2df"},"type":"cosign container signature"},"optional":null},{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:6ec6da1888b18dd971802c2a58a76a7702902b4c9c1be28f38e75e871cedc2df"},"type":"cosign container signature"},"optional":null},{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:6ec6da1888b18dd971802c2a58a76a7702902b4c9c1be28f38e75e871cedc2df"},"type":"cosign container signature"},"optional":null},{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:6ec6da1888b18dd971802c2a58a76a7702902b4c9c1be28f38e75e871cedc2df"},"type":"cosign container signature"},"optional":null}]

Which issue(s) this PR fixes:

Special notes for your reviewer:

I did a git oops when pushing updates to @dekkagaijin's branch, which accidentally closed #2011.

Does this PR introduce a user-facing change?

- Verify cosign signatures of distroless base images
- go-runner: Build v2.3.1-go1.16.3-buster.1 image
- go-runner: Build v2.3.1-go1.15.11-buster.1 image

Jake Sanders and others added 2 commits April 24, 2021 20:48
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Apr 25, 2021
@k8s-ci-robot
Contributor

@justaugustus: The label(s) area/security cannot be applied, because the repository doesn't have them.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added area/dependency Issues or PRs related to dependency changes cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Apr 25, 2021
@k8s-ci-robot k8s-ci-robot added sig/release Categorizes an issue or PR as relevant to SIG Release. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Apr 25, 2021
@justaugustus
Member Author

/assign @hasheddan @puerco
/cc @dekkagaijin @dlorenc
cc: @kubernetes/release-engineering
/area release-eng/security

@k8s-ci-robot k8s-ci-robot added the area/release-eng/security Issues or PRs related to release engineering security label Apr 25, 2021
@justaugustus
Member Author

/test pull-release-image-go-runner


@dekkagaijin dekkagaijin left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 25, 2021
- go-runner:v2.3.1-go1.16.3-buster.1
- go-runner:v2.3.1-go1.15.11-buster.1

Signed-off-by: Stephen Augustus <[email protected]>
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dekkagaijin, justaugustus

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Apr 25, 2021
@justaugustus
Member Author

(needs re-/lgtm; had to update the image revision numbers)

@dekkagaijin

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 25, 2021
@justaugustus
Member Author

/test pull-release-image-go-runner

@k8s-ci-robot k8s-ci-robot merged commit 2848c95 into kubernetes:master Apr 25, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Apr 25, 2021
@dekkagaijin

Thanks, @justaugustus

🎉🦜🎉

@rjb4standards

Does cosign verify that the signer of a container has been authorized by the original supplier of the container to sign on their behalf? How do you verify that the signer and original supplier form a trusted relationship?

@dekkagaijin

@rjb4standards That's a complicated question, but in this specific case k8s is pinning the trusted public key that has been checked in to the distroless repo: https://github.com/GoogleContainerTools/distroless/blob/main/cosign.pub
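As an added illustration of the two checks listed in the cosign output in the PR description ("the cosign claims were validated" and "the signatures were verified against the specified public key") and of the key pinning described in the reply above, here is a small Go program that is not part of this PR or of cosign itself. It assumes: a throwaway ECDSA P-256 key pair generated in-process stands in for the distroless maintainers' key (the public half plays the role of the pinned cosign.pub); the signed payload is laid out exactly like the JSON cosign printed above; the signature is ECDSA over SHA-256 in ASN.1 form, which is the scheme cosign uses for key-based signing; and the manifest digest from the quoted output is the digest of the image the consumer just pulled. The keyless path (certificates checked against Fulcio roots) is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// DistrolessBaseDigest is the manifest digest shown in the cosign output quoted
// in the PR description. It is used here as "the image the consumer pulled".
const DistrolessBaseDigest = "sha256:6ec6da1888b18dd971802c2a58a76a7702902b4c9c1be28f38e75e871cedc2df"

// SimpleSigning mirrors the payload layout printed by cosign above:
// {"critical":{"identity":{...},"image":{"docker-manifest-digest":...},"type":...},"optional":null}
type SimpleSigning struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

// GenerateKey makes a throwaway ECDSA P-256 key pair (assumption: stands in for
// the supplier's key). Only the public half would ever be pinned by a consumer.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewPayload builds the bytes a signer commits to for one manifest digest.
func NewPayload(manifestDigest string) ([]byte, error) {
	var p SimpleSigning
	p.Critical.Image.DockerManifestDigest = manifestDigest
	p.Critical.Type = "cosign container signature"
	return json.Marshal(p)
}

// Sign produces an ASN.1-encoded ECDSA signature over SHA-256(payload).
func Sign(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify replays the two checks from the cosign output: the signature must
// validate against the pinned public key, and the claim inside the signed
// payload must name the manifest digest that was actually pulled.
func Verify(pinned *ecdsa.PublicKey, payload, sig []byte, pulledDigest string) error {
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pinned, digest[:], sig) {
		return errors.New("signature does not verify against the pinned public key")
	}
	var p SimpleSigning
	if err := json.Unmarshal(payload, &p); err != nil {
		return fmt.Errorf("malformed signature payload: %w", err)
	}
	if p.Critical.Type != "cosign container signature" {
		return fmt.Errorf("unexpected payload type %q", p.Critical.Type)
	}
	if p.Critical.Image.DockerManifestDigest != pulledDigest {
		return fmt.Errorf("signed digest %s does not match pulled manifest %s",
			p.Critical.Image.DockerManifestDigest, pulledDigest)
	}
	return nil
}

func main() {
	supplier, _ := GenerateKey()
	payload, _ := NewPayload(DistrolessBaseDigest)
	sig, _ := Sign(supplier, payload)

	// Supplier's key, digest matches: verification succeeds (nil error).
	fmt.Println("pinned key, matching digest:", Verify(&supplier.PublicKey, payload, sig, DistrolessBaseDigest))

	// A different key signing the same payload is rejected: this is what pinning buys.
	impostor, _ := GenerateKey()
	fmt.Println("unpinned key:", Verify(&impostor.PublicKey, payload, sig, DistrolessBaseDigest))

	// A valid signature that vouches for some other digest is rejected by the claim check.
	fmt.Println("digest mismatch:", Verify(&supplier.PublicKey, payload, sig, "sha256:0000"))
}
```

The ordering matters: the signature is checked before the payload is parsed, so untrusted JSON is only interpreted once it is known to come from the pinned key. The program answers the question above only to the extent the reply does: trust is rooted in which public key the consumer chooses to pin, not in anything the signature itself asserts about the signer's authority.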
