Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support using signing key from GitHub Encrypted Secret #905

Open
FeynmanZhou opened this issue Sep 20, 2023 · 6 comments
Open

Support using signing key from GitHub Encrypted Secret #905

FeynmanZhou opened this issue Sep 20, 2023 · 6 comments
Labels
enhancement New feature or request
Milestone

Comments

@FeynmanZhou
Copy link
Member

FeynmanZhou commented Sep 20, 2023

Signing an image with Notation GitHub Actions relies on a vendor-specific plugin such as AWS Signer plugin for Notation, Azure Key Vault for Notation, HashiCorp Vault plugin.. This is a production solution for users to keep the private signing keys secure enough.

However, OSS project maintainers come from different vendors and might not be reluctant to use a vendor-specific plugin in their GHA workflow and release process.

In addition, when users get started with Notation GitHub Actions, they might have some limited access or are unavailable to use a KMS. Instead, they may want to load a private key from the GitHub Encrypted Secret for convenience.

There was a discussion and related feature request in the Slack channel.

Signing with a private key loaded from the GitHub secret could be helpful in this scenario. But we need to investigate whether the GitHub encrypted secret is secure enough to store private keys.

To make the Notation GHA signing experience easier, I would suggest supporting signing with a private key loaded from GitHub Encrypted Secret.

This will make Notation be a good solution to secure open-source project. Open-source project maintainers can easily sign their release binary assets in their release workflow with Notation GitHub Actions.

@FeynmanZhou FeynmanZhou added the enhancement New feature or request label Sep 20, 2023
@jeremyrickard
Copy link
Contributor

I think this would be really useful if OSS projects are a target for Notation. The requirement to have infrastructure in AWS or Azure is a pretty high bar for smaller projects, even in the CNCF ecosystem.

@FeynmanZhou
Copy link
Member Author

Agree with @jeremyrickard. There is a tradeoff between security and usability that we will need to consider. Are you able to join the Notary Project meeting to discuss this issue?

@FeynmanZhou FeynmanZhou changed the title Support using signing key from GitHub secret Support using signing key from GitHub Encrypted Secret Mar 6, 2024
@FeynmanZhou FeynmanZhou transferred this issue from notaryproject/notation-action Mar 7, 2024
Copy link

github-actions bot commented May 8, 2024

This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days.

@github-actions github-actions bot added the Stale label May 8, 2024
Copy link

github-actions bot commented Jun 7, 2024

Issue closed due to no activity in the past 30 days.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jun 7, 2024
@akashsinghal
Copy link

@FeynmanZhou is there any update on prioritizing this. Ratify project is looking to enable signing on image assets published to ghcr. It looks like current support will require us to maintain private key in Azure Key Vault. It's ok for Ratify since we already have existing Azure pipeline support however, I think it's barrier for adoption for smaller projects. Getting GH secret support would be best.

@FeynmanZhou FeynmanZhou added this to the Future milestone Jun 10, 2024
@FeynmanZhou FeynmanZhou reopened this Jun 10, 2024
@FeynmanZhou
Copy link
Member Author

@akashsinghal I will bring this topic to Notary Project community meeting on Jun 17. Feel free to join if you are convenient.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
Status: In Progress
Development

No branches or pull requests

4 participants