[RFC-0003] Verify OCI artifacts with cosign static keys #863
Comments
For e2e testing I have prepared two OCI repos, one signed using a static key and the other signed using GitHub.

**Static key**

```shell
$ cosign verify --key https://raw.githubusercontent.com/stefanprodan/podinfo/master/.cosign/cosign.pub ghcr.io/stefanprodan/podinfo-deploy:6.2.0

Verification for ghcr.io/stefanprodan/podinfo-deploy:6.2.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"ghcr.io/stefanprodan/podinfo-deploy"},"image":{"docker-manifest-digest":"sha256:df41ceaea12823eb049ce7e4b80915bb59b8503b9a197accc93ae81b42b5962b"},"type":"cosign container image signature"},"optional":null}]
```

**Keyless GitHub**

```shell
$ cosign verify ghcr.io/stefanprodan/manifests/podinfo:6.2.0

Verification for ghcr.io/stefanprodan/manifests/podinfo:6.2.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"ghcr.io/stefanprodan/manifests/podinfo"},"image":{"docker-manifest-digest":"sha256:7a6ac2e83eed5e1af26fb296bf8aba75dd2a6aeaf5a8e059bfb547ee40171214"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEYCIQDT898c/RchieIr06MwS7bPlO/JOdF8imN5S/dWIpQX4AIhAM1UhJG26UG59eHTvI8JfY7RDujBRZQRscEmSCB3fuCm","Payload":{"body":"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","integratedTime":1660567993,"logIndex":3184671,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/stefanprodan/podinfo/.github/workflows/release.yml@refs/tags/6.2.0"}}]
```
Hi @stefanprodan, if this issue is not assigned yet, I can work on it. Thanks!
We (w/ @Dentrax) are also willing to work on this, thanks 🫶
@rashedkvm @developer-guy I assigned both of you.
Fixes fluxcd#863 Signed-off-by: Furkan <furkan.turkal@trendyol.com> Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
Fixes fluxcd#863 Signed-off-by: Furkan <furkan.turkal@trendyol.com> Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Implement cosign verification as specified in RFC-0003 Flux OCI support for Kubernetes manifests:
The RFC mentions only cosign static keys, where the given secret contains one or more public keys. Besides static keys, cosign supports keyless signing using OIDC such as GitHub and Google. We need to decide how to enable keyless verification, but for now we should implement the RFC spec.
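As an added illustration of what the static-key path in the RFC boils down to, the following Go program is example code written for this page; it is not code from this thread, from source-controller or from cosign. It models the checks a verifier has to make once the signature and its payload have been pulled from the registry: try every public key that was loaded from the referenced Secret, and then bind the signed payload to the digest that is about to be applied. The signature scheme (ECDSA P-256 over SHA-256 of the simple-signing payload, DER-encoded, base64) and the payload layout are cosign's, as seen in the `cosign verify` output above; the function names, the `release`/`previous`/`rogue` keys and the reuse of the two digests from the e2e comment as sample inputs are assumptions of this example. Fetching the signature layer and parsing the PEM `cosign.pub` entries of the Secret into `*ecdsa.PublicKey` values are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// simpleSigning is the payload shape cosign prints after a successful verify
// (the critical/optional JSON in the e2e comment above).
type critical struct {
	Identity map[string]string `json:"identity"`
	Image    map[string]string `json:"image"`
	Type     string            `json:"type"`
}

type simpleSigning struct {
	Critical critical               `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

// newPayload builds the bytes that actually get signed. Note that a signature
// is bound to a manifest digest, never to a mutable tag such as :6.2.0.
func newPayload(ref, digest string) []byte {
	b, _ := json.Marshal(simpleSigning{Critical: critical{
		Identity: map[string]string{"docker-reference": ref},
		Image:    map[string]string{"docker-manifest-digest": digest},
		Type:     "cosign container image signature",
	}}) // fixed shape, Marshal cannot fail
	return b
}

// signPayload mimics the signer side: ECDSA P-256 over SHA-256(payload),
// DER-encoded and base64'd, which is what a cosign static key produces.
func signPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// verifyWithKeys is the controller side. It accepts only if (1) at least one
// of the trusted keys (e.g. every public key in the referenced Secret) verifies
// the signature and (2) the signed payload names the digest about to be
// deployed. Without (2) a genuine signature on artifact A in the repo would be
// replayable against artifact B.
func verifyWithKeys(keys []*ecdsa.PublicKey, payload []byte, sigB64, wantDigest string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("decode signature: %w", err)
	}
	h := sha256.Sum256(payload)
	i := 0
	for i < len(keys) && !ecdsa.VerifyASN1(keys[i], h[:], sig) {
		i++
	}
	if i == len(keys) {
		return errors.New("no trusted key verifies this signature")
	}
	var p simpleSigning
	if err := json.Unmarshal(payload, &p); err != nil {
		return fmt.Errorf("decode payload: %w", err)
	}
	if got := p.Critical.Image["docker-manifest-digest"]; got != wantDigest {
		return fmt.Errorf("signature covers %q, not %q", got, wantDigest)
	}
	return nil
}

func main() {
	release, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // current signing key
	previous, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rotated out, still in the Secret
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)    // never in the Secret
	trusted := []*ecdsa.PublicKey{&previous.PublicKey, &release.PublicKey}
	// Constructed inputs; the digests are the two from the verify output above.
	digest := "sha256:df41ceaea12823eb049ce7e4b80915bb59b8503b9a197accc93ae81b42b5962b"
	other := "sha256:7a6ac2e83eed5e1af26fb296bf8aba75dd2a6aeaf5a8e059bfb547ee40171214"
	payload := newPayload("ghcr.io/stefanprodan/podinfo-deploy", digest)
	good, _ := signPayload(release, payload)
	bad, _ := signPayload(rogue, payload)
	fmt.Println("trusted key, expected digest:", verifyWithKeys(trusted, payload, good, digest)) // <nil>
	fmt.Println("trusted key, other digest:   ", verifyWithKeys(trusted, payload, good, other))
	fmt.Println("untrusted key:               ", verifyWithKeys(trusted, payload, bad, digest))
}
```

Two points from this are worth carrying into the controller: any single key from the Secret is enough, so a rotation can keep the old and new public key side by side without breaking artifacts signed before the switch; and the digest inside the verified payload has to be compared with the digest of the manifest that is about to be applied, since the signature itself says nothing about which tag it was pulled through.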