Support github artifact attestation #2393

Open
wparr-circle opened this issue Aug 8, 2024 · 3 comments
Labels
kind/feature A request for, or a PR adding, new functionality stale-issue

Comments

@wparr-circle

GitHub recently launched https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/, which builds on Sigstore's https://github.com/sigstore/fulcio, https://github.com/sigstore/rekor and https://github.com/sigstore/timestamp-authority.

For public repos there isn't really any concern here, as artifact attestations wrap the public-good Sigstore instances of Fulcio and Rekor, i.e. the following sigstore config would work to configure signing:

```yaml
fulcio:
  fulcioURL: "https://fulcio.sigstore.dev"
  oidcMode: "staticToken"
  oidcIDToken: "placeholder"
rekorURL: "https://rekor.sigstore.dev"
```

I'm more interested in supporting GitHub artifact attestations to ensure that we can use the private path supported by GitHub, using their own Fulcio instance and timestamp authority for witnessing (note: private repos don't use Rekor), which solves having to host your own instances for private repositories that we don't want to leak details about, i.e. the following instances:
https://fulcio.githubapp.com
https://timestamp.githubapp.com

which would need to be supported in a config such as:

```yaml
fulcio:
  fulcioURL: "https://fulcio.githubapp.com"
  oidcMode: "staticToken"
  oidcIDToken: "placeholder"
timestampAuthorityURL: "https://timestamp.githubapp.com"
```

NOTE: timestampAuthorityURL is not a supported field today in containers-sigstore-signing-params.yaml.5, which means this is likely an issue to be created against https://github.com/containers/image as well.
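To make the configuration point concrete, here is an added example (not code from containers/image or skopeo) that parses the small signing-params subset shown above and checks the property both paths rely on: a Fulcio-issued short-lived certificate must be witnessed either by a Rekor log entry or by a timestamp authority. The `timestampAuthorityURL` field is the proposed one from this issue, and the parser handles only the two-level `key: "value"` layout of these snippets.

```python
# Added example (not containers/image code): validate a signing-params config
# that includes the proposed, not-yet-supported timestampAuthorityURL field.

def parse_params(text: str) -> dict:
    """Parse the two-level `key: "value"` subset shown in this issue.
    Not a general YAML parser; real code should use a YAML library."""
    cfg, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indented = raw[0] in " \t"
        key, _, value = raw.strip().partition(":")  # split at the first colon only
        value = value.strip().strip('"')
        if indented and section is not None:
            cfg[section][key] = value
        elif value == "":
            section = key
            cfg[key] = {}
        else:
            section = None
            cfg[key] = value
    return cfg

def witness_for(cfg: dict) -> str:
    """Return the witness that covers a Fulcio-signed signature, or raise.
    Fulcio certificates are short-lived, so a verifier needs proof that the
    signature was made while the certificate was valid: a Rekor log entry
    (public-good path) or an RFC 3161 timestamp from a TSA (GitHub's
    private-repository path, where Rekor is not used)."""
    fulcio = cfg.get("fulcio")
    if fulcio is None:
        return "none-required"  # long-lived key, no short-lived certificate
    if not fulcio.get("fulcioURL"):
        raise ValueError("fulcio section requires fulcioURL")
    if fulcio.get("oidcMode") == "staticToken" and not fulcio.get("oidcIDToken"):
        raise ValueError("oidcMode staticToken requires oidcIDToken")
    if cfg.get("rekorURL"):
        return "rekor"
    if cfg.get("timestampAuthorityURL"):  # proposed field from this issue
        return "tsa"
    raise ValueError("Fulcio signing needs a witness: rekorURL or timestampAuthorityURL")

# Constructed sample: the private GitHub path (TSA, no Rekor) from the issue.
PRIVATE_CFG = """\
fulcio:
  fulcioURL: "https://fulcio.githubapp.com"
  oidcMode: "staticToken"
  oidcIDToken: "placeholder"
timestampAuthorityURL: "https://timestamp.githubapp.com"
"""
```

Running `witness_for(parse_params(PRIVATE_CFG))` returns `"tsa"`, while the same Fulcio section with neither `rekorURL` nor `timestampAuthorityURL` is rejected, which is exactly the gap the missing field leaves today.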

@wparr-circle (Author)

Created containers/image#2509

@mtrmac (Contributor)

mtrmac commented Aug 8, 2024

Thanks for reaching out.

You’re right that timestamp authorities are not currently supported — and they should be, they fit the actual use case much better than Rekor. And that does need to happen in c/image.


Note that c/image etc. support sigstore signatures with a specific payload; I’m not immediately sure that an SBOM attestation is accepted. That might require more features to be added… we probably don’t want to add a generic rules engine over an SBOM to the low-level image policy feature set, but that’s a weak opinion and something that might change long-term.

mtrmac added the kind/feature (A request for, or a PR adding, new functionality) label on Aug 8, 2024
mtrmac changed the title from "chore: support github artifact attestation" to "Support github artifact attestation" on Aug 8, 2024

github-actions bot commented Sep 8, 2024

A friendly reminder that this issue had no activity for 30 days.
