
sign Syft binary/container image via cosign #585

Open
developer-guy opened this issue Oct 22, 2021 · 6 comments
Labels
enhancement New feature or request

Comments

@developer-guy (Contributor)

What would you like to be added:

A tool called cosign [1], created and maintained by the sigstore [2] community, allows you to sign and verify container images. IINM Syft takes its releases via GoReleaser; luckily, cosign is now integrated into GoReleaser [3]. Btw, there is a similar topic ongoing for the ossf/scorecard project too [4].

Why is this needed:

Additional context:

cc: @luhring @wagoodman

Footnotes

1. https://github.com/sigstore/cosign
2. https://sigstore.dev/
3. https://carlosbecker.com/posts/goreleaser-cosign/
4. https://github.com/ossf/scorecard/issues/309

@developer-guy developer-guy added the enhancement New feature or request label Oct 22, 2021
@developer-guy developer-guy changed the title sign Grype container image via cosign sign Syft container image via cosign Oct 22, 2021
@luhring (Contributor)

luhring commented Oct 22, 2021

I love this! We'd love to start using sigstore to help with our own releases 🤩

@luhring (Contributor)

luhring commented Oct 22, 2021

Some questions...

  1. How would we establish the identity of the publisher of Syft releases (e.g. Anchore for now)? Providing a cosign.pub somewhere (akin to publishing a GPG key)? Create a service account that can authenticate with the keyless OIDC flow? Something else?

  2. Should we sign just the container image? (I realize this is the title of this issue...) Should we open a related issue to sign our binaries themselves? (perhaps w/ cosign sign-blob ...)

  3. What's the status of TUF-oriented cosign workflows? Should we start thinking about TUF as we provide updates for Syft?

  4. Does the GoReleaser integration give us any kind of provenance attestations? Are attestations in scope for this issue at all, or should we focus just on signing for now?

@developer-guy developer-guy changed the title sign Syft container image via cosign sign Syft binary/container image via cosign Oct 24, 2021
@developer-guy (Contributor, Author)

Hello @luhring, there are several ways of proving the publisher's identity of the binary or container image via cosign. The first one is the traditional way of generating a public/private key pair, signing the binary or container image with the private key, and verifying it against the public key. So, in this way, you have to store your private key somewhere that you consider secure, such as GitHub Secrets. You can keep your public key within your repository because someone who might want to verify your binaries or container images should use this public key. Another approach is the keyless mode, in which you can use the OIDC flow, but tbh I do not have enough knowledge about it; this repository might help with this. AFAIK GoReleaser does not support providing attestations at the time I'm writing this, but IMHO continuing step by step would be nice in the first place, so we should focus on signing binaries or container images first, then maybe we can talk about generating attestations and signing them through cosign.

I don't know about the other stuff yet but @dlorenc maybe might want to help us related to the first and third questions, thanks in advance.
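A minimal GoReleaser signing configuration for the key-pair approach described in the comment above, added here as an illustration only (it is not Syft's actual release config). It assumes a `cosign.key`/`cosign.pub` pair created with `cosign generate-key-pair`, the private key and its passphrase (`COSIGN_PASSWORD`) supplied from GitHub Secrets at release time, `cosign.pub` committed to the repository for verifiers, and cosign v2 CLI flags.

```yaml
# .goreleaser.yaml (excerpt) -- hypothetical example, not Syft's own configuration.
# Assumptions: the release job writes the COSIGN private key secret to ./cosign.key,
# exports COSIGN_PASSWORD from a secret, and cosign.pub is checked into the repo.

# Sign every release artifact (binaries, archives and the checksums file).
# GoReleaser substitutes ${artifact} and ${signature} per artifact and uploads
# the resulting .sig files alongside the release assets.
signs:
  - cmd: cosign
    stdin: '{{ .Env.COSIGN_PASSWORD }}'   # passphrase for cosign.key, read from the environment
    artifacts: all
    args:
      - sign-blob
      - --key=cosign.key
      - --output-signature=${signature}
      - --yes                             # cosign v2: skip the interactive transparency-log prompt
      - ${artifact}

# Sign each pushed container image; ${artifact} is the image reference, and cosign
# records the signature against the image digest in the same registry.
docker_signs:
  - cmd: cosign
    stdin: '{{ .Env.COSIGN_PASSWORD }}'
    artifacts: all
    args:
      - sign
      - --key=cosign.key
      - --yes
      - ${artifact}
```

Consumers verify a downloaded binary with `cosign verify-blob --key cosign.pub --signature <artifact>.sig <artifact>` and an image with `cosign verify --key cosign.pub <image>@<digest>`; pinning the digest rather than a mutable tag is what ties the check to the exact bytes that were signed.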

@anchore anchore deleted a comment from nwl Nov 12, 2021
@kzantow (Contributor)

kzantow commented Feb 27, 2023

Since syft attest has been implemented, is there anything more to do here?

@luhring (Contributor)

luhring commented Feb 27, 2023

@kzantow If I'm reading this issue right, it's not about Syft generating SBOM attestations, but rather about signing releases of Syft itself (in various form factors, e.g. the Syft binary having a signature, container images of Syft having signatures, etc.)

@kzantow (Contributor)

kzantow commented Feb 27, 2023

@luhring yeah -- I definitely misread the description 🤦
