
Enable Signed Releases #553


Closed
Tracked by #536
VedRatan opened this issue Feb 27, 2024 · 6 comments · Fixed by nephio-project/test-infra#266
Assignee: radoslawc
Labels: area/security area/test-infra SIG Release Test Infra
Milestone: R3

Comments

VedRatan (Contributor) opened the issue Feb 27, 2024:

https://clomonitor.io/docs/topics/checks/#signed-releases-from-openssf-scorecard

See: #536

VedRatan (Contributor, Author) commented Mar 4, 2024

@liamfallon @johnbelamaric we can enable signed releases by following the steps mentioned over here

nyrahul (Contributor) commented Mar 14, 2024

Hey @VedRatan, it would be better to sign the container images using cosign so that we do not depend on GitHub-specific signing/log infrastructure. Cosign and the corresponding transparency logs are maintained by Sigstore, and this is backed by the OpenSSF.

I would bring this up in the Rx Scope discussion meeting tomorrow.

@gvbalaji gvbalaji added area/test-infra SIG Release Test Infra area/security labels Apr 3, 2024
@gvbalaji gvbalaji moved this to Todo in Nephio Project Apr 3, 2024
@gvbalaji gvbalaji added this to the R3 milestone Apr 3, 2024
@radoslawc radoslawc self-assigned this Apr 16, 2024
@radoslawc radoslawc moved this from Todo to In Progress in Nephio Project Apr 16, 2024
nyrahul (Contributor) commented May 7, 2024

We had this discussed at the Nephio Developer Summit.
The aim is to leverage cosign for image signing. The flow is as follows:
[attachment: SIG-Security_ Nephio Dev Summit]

radoslawc (Contributor) commented:

Hi! @nyrahul and @VedRatan, we have been signing released images since the first release using cosign, just not with ephemeral keys but with a fixed key. The signature is uploaded as an artifact to Docker Hub, for example:
here's the vlan-fn image for release v2.0.0:
https://hub.docker.com/repository/docker/nephio/vlan-fn/tags?page=&page_size=&ordering=&name=v2.0.0
and the corresponding signature, SBOM and security scan results are uploaded as artifacts:
https://hub.docker.com/repository/docker/nephio/vlan-fn/tags?page=&page_size=&ordering=&name=22e6b
with the name being the image SHA and the extensions *.sig, *.sbom and *_scan.txt respectively.
The public key is on the wiki: https://wiki.nephio.org/display/HOME/Code+signing
This process is manual for now and can surely be improved, so I believe we should join forces to work on that.
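As an added example (not Nephio's release tooling and not cosign's own code), the following Go program shows what the fixed-key scheme described in the comment above amounts to, and what a consumer has to check with nothing but the public key from the wiki. cosign signs a small "simple signing" JSON payload that binds the image's manifest digest, using ECDSA P-256 over SHA-256, and publishes the DER signature base64-encoded; that is the content behind the *.sig artifact. Here a key pair is generated on the fly in place of the project's fixed key, the image reference and digests are constructed, and every function name is mine.

```go
// Added example, not Nephio or cosign code: a fixed-key cosign signature and
// the checks a consumer makes with only the published public key. Key, image
// reference and digests are generated/constructed for the demo.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// NewReleaseKey stands in for the project's fixed private signing key
// (GenerateKey only fails if the system randomness source does).
func NewReleaseKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// PublicKeyPEM is the cosign.pub form a project publishes, e.g. on its wiki.
func PublicKeyPEM(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a P-256 key
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}

// ParsePublicKeyPEM is what a consumer does with that published key.
func ParsePublicKeyPEM(s string) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(s))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("not a PEM public key")
	}
	k, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	if ec, ok := k.(*ecdsa.PublicKey); ok {
		return ec, nil
	}
	return nil, errors.New("not an ECDSA public key")
}

// NewPayload builds the JSON that is signed: it binds the immutable manifest digest, not the mutable tag.
func NewPayload(ref, digest string) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"critical": map[string]interface{}{
			"identity": map[string]string{"docker-reference": ref},
			"image":    map[string]string{"docker-manifest-digest": digest},
			"type":     "cosign container image signature",
		},
		"optional": nil,
	})
}

// Sign is the release-side step; the result is the content of the .sig artifact.
func Sign(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	h := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// Verify is the consumer-side step. After the signature check it compares the signed
// digest with the digest actually pulled, so a genuine signature cannot be replayed
// onto a different image pushed under the same tag.
func Verify(pub *ecdsa.PublicKey, payload []byte, sigB64, pulledDigest string) error {
	der, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], der) {
		return errors.New("signature does not verify under the release public key")
	}
	var p struct {
		Critical struct {
			Image struct{ Digest string `json:"docker-manifest-digest"` } `json:"image"`
		} `json:"critical"`
	}
	if err := json.Unmarshal(payload, &p); err != nil {
		return fmt.Errorf("bad payload: %w", err)
	}
	if p.Critical.Image.Digest != pulledDigest {
		return fmt.Errorf("signed digest %s != pulled digest %s", p.Critical.Image.Digest, pulledDigest)
	}
	return nil
}

func main() {
	priv := NewReleaseKey()
	pub, _ := ParsePublicKeyPEM(PublicKeyPEM(&priv.PublicKey))
	digest := "sha256:" + fmt.Sprintf("%x", sha256.Sum256([]byte("constructed manifest")))
	payload, _ := NewPayload("docker.io/nephio/vlan-fn:v2.0.0", digest)
	sig, _ := Sign(priv, payload)
	fmt.Println("genuine image:", Verify(pub, payload, sig, digest))
	fmt.Println("tag repointed:", Verify(pub, payload, sig, "sha256:"+fmt.Sprintf("%x", sha256.Sum256([]byte("other")))))
}
```

The operational equivalent against the real artifacts is `cosign verify --key cosign.pub nephio/vlan-fn:v2.0.0` with the PEM from the wiki. What the code makes explicit is that the signature binds a digest, so verification only protects a consumer who compares that digest with what was actually pulled (or pulls by digest), and that whoever holds the fixed private key can sign anything, which is the trade-off against the ephemeral, transparency-logged keys nyrahul proposed.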

@radoslawc radoslawc mentioned this issue May 7, 2024
@anurag-rajawat anurag-rajawat moved this to 🏗 In progress in SIG-SECURITY May 15, 2024
anurag-rajawat commented:

Hi @radoslawc I would like to work on this.

@anurag-rajawat anurag-rajawat moved this from 🏗 In progress to 📋 Backlog in SIG-SECURITY May 20, 2024
anurag-rajawat commented May 21, 2024

Hey @radoslawc,
Based on my understanding, to automate the image signing using cosign as part of the release pipeline, we'd need to:

  • Update release.sh and the Dockerfile to incorporate cosign for signing the images.
  • Add a separate cosign container (built in the previous step) to the postsubmit jobs in the Prow configs, something like:
postsubmits:
  nephio-project/free5gc:
    - name: build-push-image-free5gc-operator-release-conf
      ...
      ...
      containers:
        ...
        - name: cosign
          image: ttl.sh/cosign:24h
          args:
            - nephio/free5gc-operator:${PULL_BASE_REF}
          env:
            - name: COSIGN_PRIVATE_KEY
              valueFrom:
                secretKeyRef:
                  name: cosign-private-key
                  key: COSIGN_PRIVATE_KEY
            - name: COSIGN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: cosign-private-key-passwd
                  key: COSIGN_PASSWORD
...

Is my understanding correct?

@anurag-rajawat anurag-rajawat moved this from 📋 Backlog to 🏗 In progress in SIG-SECURITY May 22, 2024
@anurag-rajawat anurag-rajawat moved this from 🏗 In progress to 📋 Backlog in SIG-SECURITY May 27, 2024
@nandhued nandhued moved this from 📋 Backlog to 🏗 In progress in SIG-SECURITY May 29, 2024
@nandhued nandhued moved this from 🏗 In progress to 👀 In review in SIG-SECURITY May 30, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in Nephio Project Jun 14, 2024
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Done in SIG-SECURITY Jun 14, 2024

5 participants