Feature - Scorecard should sign releases with cosign

[naveensrinivasan]

Is your feature request related to a problem? Please describe.
Scorecard should sign when a new GitTag is pushed to using OIDC and Keyless Option https://github.com/sigstore/cosign

• Binaries
• Tarball
• The commit SHA COSIGN_EXPERIMENTAL=1 ./cosign sign-blob --key cosign.key <(git rev-parse HEAD) https://github.com/sigstore/cosign/blob/main/FUN.md

For now, it should sign with the gpg key and cosign (keyless option)

[naveensrinivasan]

This can be achieved by using goreleaser build hooks

  # Hooks can be used to customize the final binary,
    # for example, to run generators.
    # Those fields allow templates.
    # Default is both hooks empty.
   post:
       - cmd: sign.sh

https://goreleaser.com/customization/build/

[naveensrinivasan]

Here is the output of COSIGN_EXPERIMENTAL=1 cosign verify gcr.io/distroless/base:nonroot

The subject is "Subject": "[email protected]"

[
  {
    "critical": {
      "identity": {
        "docker-reference": "gcr.io/distroless/base"
      },
      "image": {
        "docker-manifest-digest": "sha256:46d4514c17aca7a68559ee03975983339fc548e6d1014e2d7633f9123f2d3c59"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEQCIF3do8LYSm6VPqefOx5LCFLYd+b2688gRILpXCgv7yeAAiA4/zg5U8s2y3NbdE5VwUa5zNdnlM/ZYugxH2nFxwj7EQ==",
        "Payload": {
          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoicmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIwYjkxM2QzNzI0N2RlYjU2YmYyNTM2MjQ2MDEyMGI3YzdhYWFlMWUzODIzODlhOTkxNmI3MzY4NzAxYjYzYzkxIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJQTd4QXU3enJMOW1GaCtMZy9McnFqcTNpR0M2OFhrQ05MeDBteXlVcFBFUEFpRUF5aG1uU2JiK0prd05wODRHZGtRYW9wSVM5dHhrSkc3LzRlUDVRVXJmQmI0PSIsImZvcm1hdCI6Ing1MDkiLCJwdWJsaWNLZXkiOnsiY29udGVudCI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVU4xYWtORFFXdERaMEYzU1VKQlowbFZRVTlIUjFkWmJ6Sk9kRE5UY2xCNFkyb3lMelp2Vmxoc1pGSkZkME5uV1VsTGIxcEplbW93UlVGM1RYY0tTMnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVrVjNSSGRaUkZaUlVVUkZkMmg2WVZka2VtUkhPWGxhVkVGbFJuY3dlUXBOVkVWM1RXcGplRTVxVlRGTlJFSmhSbmN3ZVUxVVJYZE5hbU40VG5wRk1FNVViR0ZOUVVGM1YxUkJWRUpuWTNGb2EycFBVRkZKUWtKblozRm9hMnBQQ2xCUlRVSkNkMDVEUVVGUmFXMUNkMWRKZVZkd2F6VkJSRFl2ZUZCSFRXWk1ieTlVUVhNNE5GZEJUbkZRSzFWeWN5dERiVzVuY0VJdlJsTnFPREJIV1hVS1RqQmhjRGMzYlVKRE9HMDRUVXhUVkVrNVkwaFpZbEZNWkdGQ1RVdzFZbkZ2TkVsQ1lrUkRRMEZYWjNkRVoxbEVWbEl3VUVGUlNDOUNRVkZFUVdkbFFRcE5RazFIUVRGVlpFcFJVVTFOUVc5SFEwTnpSMEZSVlVaQ2QwMUVUVUYzUjBFeFZXUkZkMFZDTDNkUlEwMUJRWGRJVVZsRVZsSXdUMEpDV1VWR1RWWkVDbU5YYUVKUVQxVXlNVGcyY1dWbGMzRmxjM1JNVlV4VmVFMUNPRWRCTVZWa1NYZFJXVTFDWVVGR1RXcEdTRkZDUW0xcFVYQk5iRVZyTm5jeWRWTjFNVXNLUW5SUWMwMUpSMDVDWjJkeVFtZEZSa0pSWTBKQlVWTkNaMFJDSzAxSWQwZERRM05IUVZGVlJrSjZRVU5vYmtKdlpFaFNkMDlwT0haalNFcHdaRzFHTUFwYVYwNW9URmRPZG1KdVVteGlibEYwVG1wQmVscHRWVE5hVkdOMFRVUkJkMDFETUhsTmFra3pURmRLYlU1NlZYUmFhbEp0VGxkVk5FMUhVWGxQVkZVd0NreHVUakJpTTBwb1dqSlZkVm95T1haYU1uaHNXVmhDY0dONU5XcGlNakIyV1RKRmVrNXRSWGhhVkdzeVRXcFJlVmxxYkcxWk1rbDRUa1JaZGxreVJYVUtXVE5LTUUxRVowZEJNVlZrUlZGRlFpOTNVWFZOUTNsQ1MyMTBiR1ZYZUd4ak0wNUJXa2RzZW1SSVNuWmlSMVo2WTNrMWNGbFhNSFZhTTA1c1kyNWFjQXBaTWxab1dUSk9kbVJYTlRCTWJVNTJZbFJCY0VKbmIzSkNaMFZGUVZsUEwwMUJSVUpDUW5SdlpFaFNkMk42YjNaTU1rWnFXVEk1TVdKdVVucE1iV1IyQ21JeVpITmFVelZxWWpJd2QwTm5XVWxMYjFwSmVtb3dSVUYzVFVSaFFVRjNXbEZKZUVGTVVqWkdaSGcwZVUxNFdEY3JlbGRJU2pSSlRrbHFTMHhxY2xJS2VucFZLekZtZERObU5VSlJWazF5UjAxV1RXRkJhR3RNVGpkdFNsZG5SakZSVm5JeGMwRkpkME5QUlcxdWMzTllURVZ0VERKamNGSm1abWxqVjFjeFRncE9iazFCUldGdFdqbEJVR2syWjJKWU5HOU9RaTlqYldsR09HWTFOMWxvWTFadVkwOHJNV0kwQ2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fX0=",
          "integratedTime": 1635353701,
          "logIndex": 801413,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "Subject": "[email protected]"
    }
  },
  {
    "critical": {
      "identity": {
        "docker-reference": "gcr.io/distroless/base"
      },
      "image": {
        "docker-manifest-digest": "sha256:46d4514c17aca7a68559ee03975983339fc548e6d1014e2d7633f9123f2d3c59"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEQCIBRd84Tr6hRYfzrDNwoIbObgz5fnQiJ/v6GdNrbu03rsAiA6vWYUBXPHqajcXIqLIddC53L72P4hmnkHrAf23SeiuQ==",
        "Payload": {
          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoicmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIwYjkxM2QzNzI0N2RlYjU2YmYyNTM2MjQ2MDEyMGI3YzdhYWFlMWUzODIzODlhOTkxNmI3MzY4NzAxYjYzYzkxIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUQ0L28yci82VmhSS1J2c2xhMndkN2lwblAzTS9UaDVMZVVPa29ZbytVaVp3SWdLWnJqMHptRVVuVXRkcE1TckNuY1c3eFZtVXFodXB4VUU5dkw0NWRNUHlBPSIsImZvcm1hdCI6Ing1MDkiLCJwdWJsaWNLZXkiOnsiY29udGVudCI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVU4xVkVORFFXdERaMEYzU1VKQlowbFZRVTFGWlhOb1VqbDRNemRXYTI5RWNHeFdValF6UzBGWlNtdFJkME5uV1VsTGIxcEplbW93UlVGM1RYY0tTMnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVrVjNSSGRaUkZaUlVVUkZkMmg2WVZka2VtUkhPWGxhVkVGbFJuY3dlUXBOVkVWM1RXcGplRTU2UlhsTlZFSmhSbmN3ZVUxVVJYZE5hbU40VG5wTmVVMUViR0ZOUVVGM1YxUkJWRUpuWTNGb2EycFBVRkZKUWtKblozRm9hMnBQQ2xCUlRVSkNkMDVEUVVGU1ZXRllNMVYwVkdSNVpITldOMEY0VG1JMFJUZ3JWR1pTWkN0SWR6QmtVVmRFT1dKTFRHSkNNVU5GYUdWcUsyWnZZMnR3Y0RrS2FITnZNREEzVGxKSE1rOUdha2g2VUdkQ1dXVnVUVU14VkVWWlZGQlJSREp2TkVsQ1lrUkRRMEZYWjNkRVoxbEVWbEl3VUVGUlNDOUNRVkZFUVdkbFFRcE5RazFIUVRGVlpFcFJVVTFOUVc5SFEwTnpSMEZSVlVaQ2QwMUVUVUYzUjBFeFZXUkZkMFZDTDNkUlEwMUJRWGRJVVZsRVZsSXdUMEpDV1VWR1FrbzVDbE12T1U1eVdqUTFlRzB4YWxBcmJESkRNMU4yUlVWd01FMUNPRWRCTVZWa1NYZFJXVTFDWVVGR1RXcEdTRkZDUW0xcFVYQk5iRVZyTm5jeWRWTjFNVXNLUW5SUWMwMUpSMDVDWjJkeVFtZEZSa0pSWTBKQlVWTkNaMFJDSzAxSWQwZERRM05IUVZGVlJrSjZRVU5vYmtKdlpFaFNkMDlwT0haalNFcHdaRzFHTUFwYVYwNW9URmRPZG1KdVVteGlibEYwVG1wQmVscHRWVE5hVkdOMFRVUkJkMDFETUhsTmFra3pURmRLYlU1NlZYUmFhbEp0VGxkVk5FMUhVWGxQVkZVd0NreHVUakJpTTBwb1dqSlZkVm95T1haYU1uaHNXVmhDY0dONU5XcGlNakIyV1RKRmVrNXRSWGhhVkdzeVRXcFJlVmxxYkcxWk1rbDRUa1JaZGxreVJYVUtXVE5LTUUxRVowZEJNVlZrUlZGRlFpOTNVWFZOUTNsQ1MyMTBiR1ZYZUd4ak0wNUJXa2RzZW1SSVNuWmlSMVo2WTNrMWNGbFhNSFZhTTA1c1kyNWFjQXBaTWxab1dUSk9kbVJYTlRCTWJVNTJZbFJCY0VKbmIzSkNaMFZGUVZsUEwwMUJSVUpDUW5SdlpFaFNkMk42YjNaTU1rWnFXVEk1TVdKdVVucE1iV1IyQ21JeVpITmFVelZxWWpJd2QwTm5XVWxMYjFwSmVtb3dSVUYzVFVSYWQwRjNXa0ZKZDJGbGFGRnFXWFYyWkdsaUwzQm5UekpPVFVaQ1VtODRXbGt2ZFVzS1RUTlpObTA0UjBwUWN5dHBlRE5uVnpsSGR6ZERWREYwU0ZONWFsaDZjMnhNTUd4NVFXcENiR2RLTUZVMllsY3dXR2h3Tm1kcU9ISmxUbWh1ZGpSbVFRcGFNQ3R6U2xKdWJHOU5OMnQzUjNBNGJUQkNZVEpOY1ZacmNtTmhiM1pLYVdoM1JFUlJVVTA5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fX0=",
          "integratedTime": 1635354731,
          "logIndex": 801774,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "Subject": "[email protected]"
    }
  }
]

And here is the output of the container that was pushed by GH Action COSIGN_EXPERIMENTAL=1 ~/temp/cosign verify ghcr.io/naveensrinivasan/stunning-tribble

The subject is "Subject": "https://github.com/naveensrinivasan/stunning-tribble/.github/workflows/docker-sign.yml@refs/heads/feat/keyless-signing"

[
  {
    "critical": {
      "identity": {
        "docker-reference": "ghcr.io/naveensrinivasan/stunning-tribble"
      },
      "image": {
        "docker-manifest-digest": "sha256:141e2110aeb16aa9d53de57d37a1664a408e366992ee017abc6ed049d1ec91f9"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEUCIDqOR4QP/xXYPgFmKM+b0Ry32LFqmU6Q6t4wr5cAsQlJAiEAxayIJF9JOUZbRHhIzVyHZDBLIr8WtcK1yCLt1t5CVsA=",
        "Payload": {
          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoicmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJkMTAwMmFlYWQwZmMyMjU0Yjc2NTFjZTJlZGI4OTBhYTAzOWY4M2Q2NmMyNjljODRkMzdlOTc4ZjMzMWM4MzZmIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURUeWIzV0UwNTViQytBRWRKbzNhaHRoOVhsM1RVTmNnVkZaMzEwbFZNa0VRSWhBSXdMQ29wZlNOMjVqRC9PTWRWcDI5ZnRoRGVlR2h5dFpNdFF2ZWpDVjFiaSIsImZvcm1hdCI6Ing1MDkiLCJwdWJsaWNLZXkiOnsiY29udGVudCI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVVJHZWtORFFYQXlaMEYzU1VKQlowbFZRVTgzUW1OUk1raDNOVVpQYms1dFlreFFhbWN3VTNoQlZFNDRkME5uV1VsTGIxcEplbW93UlVGM1RYY0tTMnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVrVjNSSGRaUkZaUlVVUkZkMmg2WVZka2VtUkhPWGxhVkVGbFJuY3dlUXBOVkVWM1RYcEJlVTFFUlhkTlZGSmhSbmN3ZVUxVVJYZE5la0Y1VFVSTmQwMVVUbUZOUVVGM1YxUkJWRUpuWTNGb2EycFBVRkZKUWtKblozRm9hMnBQQ2xCUlRVSkNkMDVEUVVGU2VGa3hSakl3YW01d2VFdGxPRE5CZVRCRU0ydzVNSEpOU21KQlpXc3JlalpKTVhoblpsVnRlWGhoYzBOdVFXNVRRUzgwUmpnS2NrUk9kVWw2WWtneU9XaDJkU3N2VGxSSVMyRjFWVmg1ZUdsRFl5dENjRWh2TkVsQ2VWUkRRMEZqVlhkRVoxbEVWbEl3VUVGUlNDOUNRVkZFUVdkbFFRcE5RazFIUVRGVlpFcFJVVTFOUVc5SFEwTnpSMEZSVlVaQ2QwMUVUVUYzUjBFeFZXUkZkMFZDTDNkUlEwMUJRWGRJVVZsRVZsSXdUMEpDV1VWR1RXaHRDa1I1VFhOTWFUVlhTblZDWTJKdmRqaG9ZVzk0TlhGWWJFMUNPRWRCTVZWa1NYZFJXVTFDWVVGR1RXcEdTRkZDUW0xcFVYQk5iRVZyTm5jeWRWTjFNVXNLUW5SUWMwMUpSMDVDWjJkeVFtZEZSa0pSWTBKQlVWTkNaMFJDSzAxSWQwZERRM05IUVZGVlJrSjZRVU5vYmtKdlpFaFNkMDlwT0haalNFcHdaRzFHTUFwYVYwNW9URmRPZG1KdVVteGlibEYwVG1wQmVscHRWVE5hVkdOMFRVUkJkMDFETUhsTmFra3pURmRLYlU1NlZYUmFhbEp0VGxkVk5FMUhVWGxQVkZVd0NreHVUakJpTTBwb1dqSlZkVm95T1haYU1uaHNXVmhDY0dONU5XcGlNakIyV1RKRmVrNXRSWGhhVkdzeVRXcFJlVmxxYkcxWk1rbDRUa1JaZGxreVJYVUtXVE5LTUUxSlIwVkNaMDVXU0ZKRlFrRm1PRVZsYWtJMGFHNWFiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtSnRSakphVjFaMVl6TktjQXBpYld3eVdWaE9hR0pwT1hwa1NGWjFZbTFzZFZwNU1UQmpiV3hwV1cxNGJFeDVOVzVoV0ZKdlpGZEpkbVF5T1hsaE1scHpZak5rZWt3eVVuWlpNblJzQ21OcE1YcGhWMlIxVEc1c2RHSkZRbmxhVjFwNlRESm9iRmxYVW5wTU1scHNXVmhSZG1FeVZqVmlSMVo2WTNreGVtRlhaSFZoVnpWdVRVUnJSME5wYzBjS1FWRlJRbWMzT0hkQlVVVkZTekpvTUdSSVFucFBhVGgyWkVjNWNscFhOSFZaVjA0d1lWYzVkV041Tlc1aFdGSnZaRmRLTVdNeVZubFpNamwxWkVkV2RRcGtRelZxWWpJd2QwTm5XVWxMYjFwSmVtb3dSVUYzVFVSaFFVRjNXbEZKZDBsWmRHdHBaa2hXYWtwYVQyeGpkVWRWVFdwcVZuRjJWM2xEVlVSMlVsVlhDbVowY3pVMlNWZExhVzU0WkVabE1uTTBkVlk1YjJaUVpYUjNlRzEzZGpNdlFXcEZRU3N5UkVVcmNIVXZlVXRJZFdGM1dXWlhOMmRHVWtOeWR6TXlTMkVLUWxjdmFETjRZazlSUjNOSFJHRlZOM05UUkhOWVVrRjVaalZVY1V4VVVIQkNlUzlGQ2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fX0=",
          "integratedTime": 1635624614,
          "logIndex": 810844,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "Subject": "https://github.com/naveensrinivasan/stunning-tribble/.github/workflows/docker-sign.yml@refs/heads/feat/keyless-signing"
    }
  }
]

@azeemshaikh38 / @laurentsimon This proves the Subject is not the author who pushed the tag. We discussed this in our meeting to confirm this.

Let me know if you have any other questions.

[azeemshaikh38]

This looks great! But since this is for a docker image, and we are concerned with the release artifacts in this issue, want to clarify that my understanding translates well:

• Can we upload the .sig file along with the released artifact? For example, along with scorecard_x.x.x_linux_amd64.tar.gz upload a scorecard_x.x.x_linux_amd64.sig file.
• Is it possible to add a GIT_SHA annotation when signing?
• The expected Subject in this case would be github.com/ossf/scorecard/blob/main/.github/workflows/goreleaser.yaml, correct?

@asraa for any additional feedback.

[asraa]

This proves the Subject is not the author who pushed the tag. We discussed this in our meeting to confirm this.

Yeah, to get around this you would need the workflow to sign with an annotation over the GIT_SHA, and then have the author sign the GIT_SHA

Is it possible to add a GIT_SHA annotation when signing?

Yes, with cosign sign -a git_sha=$GITHUB_SHA $IMG

Can we upload the .sig file along with the released artifact? For example, along with scorecard_x.x.x_linux_amd64.tar.gz upload a scorecard_x.x.x_linux_amd64.sig file.

Yes, you can detach the signature with cosign and upload it

The expected Subject in this case would be github.com/ossf/scorecard/blob/main/.github/workflows/goreleaser.yaml, correct?

Yes, but also with github.com/ossf/scorecard/blob/main/.github/workflows/goreleaser.yaml@refs/$REF

[azeemshaikh38]

Awesome, thanks @asraa! So along with cosign sign, we need the -a git_sha annotation and a step to upload the .sig files.

@naveensrinivasan let me know if you are interested in taking this.

[asraa]

It could be removed with sigstore/fulcio#208 resolved, but yes!

[naveensrinivasan]

Awesome, thanks @asraa! So along with cosign sign, we need the -a git_sha annotation and a step to upload the .sig files.

@naveensrinivasan let me know if you are interested in taking this.

I will take it. Thanks

[laurentsimon]

Is the plan to sign in a GH workflow or from GCP?

[naveensrinivasan]

Is the plan to sign in a GH workflow or from GCP?

GH Workflow.

[naveensrinivasan]

This proves the Subject is not the author who pushed the tag. We discussed this in our meeting to confirm this.

Yeah, to get around this you would need the workflow to sign with an annotation over the GIT_SHA, and then have the author sign the GIT_SHA

Is it possible to add a GIT_SHA annotation when signing?

Yes, with cosign sign -a git_sha=$GITHUB_SHA $IMG

@asraa The cosign sign-blob does not have -a, --annotations

[asraa]

@asraa The cosign sign-blob does not have -a, --annotations

Ah, this is true. Blobs don't have layers so annotations can't be stored there. In that case it will need to come from the cert from issue sigstore/fulcio#208

You may still sign-blob with keyless, but the GIT_SHA will be missing until that issue is resolved.

[naveensrinivasan]

@asraa The cosign sign-blob does not have -a, --annotations

Ah, this is true. Blobs don't have layers so annotations can't be stored there. In that case it will need to come from the cert from issue sigstore/fulcio#208

You may still sign-blob with keyless, but the GIT_SHA will be missing until that issue is resolved.

Thanks, Do you have an idea as to when is it likely to be worked up on sigstore/fulcio#208?

[asraa]

Should be in pretty soon! You can still use sign-blob as is, just won't see git_sha in the cert yet.

[azeemshaikh38]

Should be in pretty soon! You can still use sign-blob as is, just won't see git_sha in the cert yet.

+1

[naveensrinivasan]

Should be in pretty soon! You can still use sign-blob as is, just won't see git_sha in the cert yet.

Thanks!

[naveensrinivasan]

Ran into this issue sigstore/cosign#990

[naveensrinivasan]

@asraa Ran into this issue sigstore/rekor#481

[naveensrinivasan]

sigstore/cosign#1001

[azeemshaikh38]

Marking #1126 as a duplicate of this and closing the other issue.

[developer-guy]

Keyless mode is not the only option for providing provenance. There are other ways to do the same thing like the following (I mentioned them in the issue that was closed a while ago):

• https://goreleaser.com/customization/sign/#signing-with-cosign
• https://github.com/sigstore/cosign/blob/main/.goreleaser.yml#L127
• https://carlosbecker.com/posts/goreleaser-cosign/
• https://blog.ediri.io/build-trust-with-signing-your-cli-binary-and-container

[developer-guy]

This one is for keyless mode 👌

• https://www.appvia.io/blog/tutorial-keyless-sign-and-verify-your-container-images
• https://chainguard.dev/posts/2021-11-03-zero-friction-keyless-signing
• https://shibumi.dev/posts/first-look-into-cosign/

[developer-guy]

@azeemshaikh38, this issue also duplicates with #309 🤔

[laurentsimon]

looks like goreleaser/goreleaser#2659 will make everything simpler, thanks to @developer-guy

[naveensrinivasan]

Keyless still has an issue in rekor when uploading binaries sigstore/rekor#481. Till there is a solution for this we cannot sign-blob using keyless.

[azeemshaikh38]

Keyless mode is not the only option for providing provenance. There are other ways to do the same thing like the following

Thanks @developer-guy! Looks like the goreleaser option would be the simplest/easiest to implement. Any advantages or reasons to prefer the keyless way over this? @naveensrinivasan @developer-guy for feedback.

this issue also duplicates with #309

It's related, but it's for the Docker container images rather than the release artifacts. So keeping it open since this issue does not solve #309.

[developer-guy]

Hello @azeemshaikh38, I have great news for you. Recently, we've opened an issue in GoReleaser to support keyless mode.¹ There are lots of helpful information and conversation in there. I highly recommend you to take a look at those. Also, we already did some work on the ko project to adapt to these new changes², and we are now waiting for the new releases for both cosign and GoReleaser projects. We can do the same for the scorecard project too 🙋🏻‍♂️

Footnotes

1. https://github.com/goreleaser/goreleaser/issues/2659 ↩

2. https://github.com/google/ko/pull/498 ↩

[naveensrinivasan]

Keyless mode is not the only option for providing provenance. There are other ways to do the same thing like the following

Thanks @developer-guy! Looks like the goreleaser option would be the simplest/easiest to implement. Any advantages or reasons to prefer the keyless way over this? @naveensrinivasan @developer-guy for feedback.

this issue also duplicates with #309

It's related, but it's for the Docker container images rather than the release artifacts. So keeping it open since this issue does not solve #309.

Advantages of Keyless https://github.com/sigstore/cosign/blob/main/KEYLESS.md https://docs.google.com/document/d/189w4Fp1GEA1b2P633HyqTwtcWFNTu_Af4meolMa_1_8/edit?resourcekey=0-QoqNqcHXvSuPnMUdn8RGOQ# @dlorenc wrote about this.

Like I mentioned before Keyless signing of blobs is not possible until the rekor issue is fixed sigstore/rekor#481

We already have gpg singing our binaries, so we aren't missing signing.

The only advantage of signing our binaries with cosign public key/private key to sign our binaries is that we get the transparency log entry (rekor) compared to gpg.

So we should wait until we get the KeyLess option and also Keyless is still experimental and not yet GA.

[developer-guy]

@naveensrinivasan @azeemshaikh38 this blog post¹ also explains why is “keyless” better than conventional signing?.

Footnotes

1. https://chainguard.dev/posts/2021-11-03-zero-friction-keyless-signing ↩

[developer-guy]

@naveensrinivasan @azeemshaikh38 GoReleaser v1.0.0 has just been released and is ready for the Keyless signing with cosign.

https://github.com/goreleaser/goreleaser/releases/tag/v1.0.0.

[naveensrinivasan]

@naveensrinivasan @azeemshaikh38 GoReleaser v1.0.0 has just been released and is ready for the Keyless signing with cosign.

https://github.com/goreleaser/goreleaser/releases/tag/v1.0.0.

Thanks

[azeemshaikh38]

@naveensrinivasan does this unblock us now from implementing this issue or do we have pending blockers still?

[naveensrinivasan]

Till this fixed sigstore/rekor#481 no one can use rekor with large files for signing blob. So it is still a blocker.

[azeemshaikh38]

Makes sense, thanks!

[evverx]

I heard about cosign but have never used it. I wonder if it's production-ready so to speak in the sense that it could be easily used by people packaging software to verify tarballs and maybe could even be integrated into package managers? So far everybody seems to have been using GPG partly because it seems to be everywhere.

(I'm sorry if it's completely off-topic here. I'm just trying to figure out what cosign is and whether it could potentially be used to sign releases consumed downstream somewhere)

[evverx]

While I was experimenting with signing and verifying blobs without keys I came across https://github.com/sigstore/cosign#what--is-not--production-ready, which I think answers my question regarding whether cosign is production-ready or not. I should have probably read the documentation first :-)

Looking for packages I noticed that it seems it's packaged on Arch Linux only: https://archlinux.org/packages/community/x86_64/cosign/ so my takeaway is that cosign looks promising but it doesn't seem to be possible to switch to it at this point unfortunately if releases are supposed to be verified by people packaging software for various distributions.

[github-actions]

This issue is stale because it has been open for 60 days with no activity.

[spencerschrock]

Completed by #1702 and/or #2146