
cosign: Add a public key for testing #2226

Merged (1 commit), Aug 25, 2021

Conversation

justaugustus
Member

@justaugustus justaugustus commented Aug 25, 2021

What type of PR is this?

/kind feature

What this PR does / why we need it:

(Part of #2227)

cosign: Add a public key for testing

Preliminary steps to sign/verify artifacts via cosign.
The process or needs will evolve over time, so we've opted to generate
a "test" key to start.

Signed-off-by: Stephen Augustus <foo@auggie.dev>

ref: kubernetes/k8s.io#2614
cc: @kubernetes/sig-release-admins

Which issue(s) this PR fixes:

Special notes for your reviewer:

/hold will add in details about key generation when I'm back at the laptop

Steps (adapted from https://github.com/sigstore/cosign#installation and https://github.com/sigstore/cosign/blob/main/KMS.md):

  1. Get cosign:

    go install github.com/sigstore/cosign/cmd/cosign@v1.0.0
  2. Check which account you're operating over:

    gcloud config configurations list
    NAME         IS_ACTIVE  ACCOUNT                    PROJECT             COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION
    ...
    releng-prod  True       k8s@auggie.dev             k8s-releng-prod
  3. Generate GOOGLE_APPLICATION_CREDENTIALS:

    gcloud auth application-default login
    
    export GOOGLE_APPLICATION_CREDENTIALS="/Users/augustus/.config/gcloud/application_default_credentials.json"
  4. Generate a signing key on GCP KMS

    I did this via the console using these instructions.

    Here are the specs on the key:

    • type: generated key
    • name: cosign-test-0
    • protection level: HSM
    • purpose: asymmetric sign
    • key type and algorithm: elliptic curve P-256 / SHA256 digest
  5. Generate cosign.pub:

    (Special step)
    Make sure you actually have permissions to sign/verify on GCP KMS: infra/gcp: Grant Release Manager Admins roles/cloudkms.signerVerifier k8s.io#2614

    ~/go/bin/cosign -d generate-key-pair -kms gcpkms://projects/k8s-releng-prod/locations/global/keyRings/release/cryptoKeys/cosign-test-0
    2021/08/25 15:38:40 Key ring projects/k8s-releng-prod/locations/global/keyRings/release already exists in GCP KMS, moving on to creating key.
    Public key written to cosign.pub
  6. Check the key:

    cat cosign.pub
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwbFSNTX481zrRduH3nu8HQ6hHhSW
    KEPjaz/SlBr+SojMXgYJsSueIRqfLiCJgNcdqEe1gXk70WZRHtAHfVzTNw==
    -----END PUBLIC KEY-----

Does this PR introduce a user-facing change?

- cosign: Add a public key for testing
  Preliminary steps to sign/verify artifacts via `cosign`.
  The process or needs will evolve over time, so we've opted to generate
  a "test" key to start.

Signed-off-by: Stephen Augustus <foo@auggie.dev>
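The steps above end with `cat cosign.pub`, which only eyeballs the file. The following is an added example, written for this page and not code from the PR, cosign, or the kubernetes/kubernetes repository. It parses the `cosign.pub` shown in step 6, rejects anything that is not an ECDSA key on P-256 (the key type chosen for `cosign-test-0` in step 4), prints a SHA-256 fingerprint of the DER encoding, and then runs an ECDSA-over-SHA-256 sign/verify round trip. Assumptions: a locally generated P-256 key stands in for the Cloud HSM key (in the real flow only the digest is sent to KMS and the private half never leaves the HSM), and signatures are ASN.1 DER ECDSA over the SHA-256 digest of the payload, which is the "P-256 / SHA256 digest" algorithm the key was created with. The sample artifact bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
)

// cosignPub is the cosign.pub contents from step 6 of the PR description, copied verbatim.
const cosignPub = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwbFSNTX481zrRduH3nu8HQ6hHhSW
KEPjaz/SlBr+SojMXgYJsSueIRqfLiCJgNcdqEe1gXk70WZRHtAHfVzTNw==
-----END PUBLIC KEY-----
`

// parseP256PublicKey decodes a PEM "PUBLIC KEY" block and checks that it is an
// ECDSA key on P-256, the algorithm chosen for cosign-test-0 in step 4.
// Any other key type or curve is rejected so a mismatched key cannot slip in.
func parseP256PublicKey(pemText string) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PEM PUBLIC KEY block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parsing PKIX public key: %w", err)
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("expected an ECDSA public key, got %T", pub)
	}
	if ec.Curve != elliptic.P256() {
		return nil, fmt.Errorf("expected curve P-256, got %s", ec.Curve.Params().Name)
	}
	return ec, nil
}

// keyFingerprint returns the hex SHA-256 of the DER (PKIX) encoding of pub, a stable
// value to compare against a copy of the key fetched from KMS or committed to the repo.
func keyFingerprint(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(der)), nil
}

// signPayload signs the SHA-256 digest of payload and returns an ASN.1 DER ECDSA
// signature. The private key passed in is a local stand-in for the HSM key
// (assumption for this example); with KMS only the digest would leave the machine.
func signPayload(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyPayload recomputes the SHA-256 digest and checks the ASN.1 DER signature against pub.
func verifyPayload(pub *ecdsa.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	pub, err := parseP256PublicKey(cosignPub)
	if err != nil {
		log.Fatalf("cosign.pub rejected: %v", err)
	}
	fp, err := keyFingerprint(pub)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("cosign.pub OK: curve %s, SHA-256 fingerprint %s\n", pub.Curve.Params().Name, fp)

	// Stand-in signer: an ephemeral local P-256 key, not the KMS key.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	artifact := []byte("constructed sample artifact bytes") // constructed input
	sig, err := signPayload(priv, artifact)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("local key verifies its own signature:", verifyPayload(&priv.PublicKey, artifact, sig))
	fmt.Println("tampered artifact verifies:", verifyPayload(&priv.PublicKey, []byte("constructed sample artifact bytes!"), sig))
	fmt.Println("page key verifies local signature:", verifyPayload(pub, artifact, sig))
}
```

The last check matters in practice: a signature only proves possession of the private half of the key whose public half you verify with, so the `cosign.pub` committed to the repo has to be the same key material that KMS holds. The fingerprint printed above can be compared against the PEM that `gcloud kms keys versions get-public-key` returns for `cosign-test-0`; if the two differ, the file in the repo is not the key that is signing.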
@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Aug 25, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justaugustus

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added area/release-eng Issues or PRs related to the Release Engineering subproject sig/release Categorizes an issue or PR as relevant to SIG Release. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Aug 25, 2021
@puerco
Member

puerco commented Aug 25, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Aug 25, 2021
@justaugustus justaugustus changed the title [WIP] cosign: Add a public key for testing cosign: Add a public key for testing Aug 25, 2021
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 25, 2021
@justaugustus
Member Author

/hold cancel
FYI @kubernetes/release-engineering @dlorenc @lukehinds

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 25, 2021
@k8s-ci-robot k8s-ci-robot merged commit 9856e2a into kubernetes:master Aug 25, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Aug 25, 2021
@justaugustus justaugustus mentioned this pull request Aug 25, 2021
@cpanato
Member

cpanato commented Aug 26, 2021

thanks!
