Feature - Sign scorecard container with cosign

[naveensrinivasan]

Is your feature request related to a problem? Please describe.
Sign scorecard containers with cosign

[naveensrinivasan]

Now that https://github.com/sigstore/cosign 1.0 we could use it for signing.

Thoughts @inferno-chromium @azeemshaikh38

[azeemshaikh38]

On a high-level the idea sounds good to me. I don't understand cosign a 100% though. Do you mind sketching out what this would look like, ie. would this be done through CloudBuild, any major changes that would be required etc.?

[azeemshaikh38]

@naveensrinivasan assigning this to you as per yesterday's discussion. Lets come up with a one-pager proposal here to submit in the TAC meeting

[developer-guy]

I have the following recommendations:

• I saw, scorecard project uses the GoReleaser project to make a release, In GoReleaser v0.176.0 (both OSS and Pro) released with the ability to sign Docker images.
  👉 https://carlosbecker.com/posts/goreleaser-cosign/
• The second approach would be, generating public/private keys, store them within the repository and store the password on the GitHub Secrets, and use them within the GitHub Action. Of course, we are developing another improvement about generating key pairs and storing them on GitHub Secrets without manually doing it.
  👉 add github&gitlab reference support to generate-key-pair sigstore/cosign#848
  👉 cosign: sign golang-cross-builder images with cosign gythialy/golang-cross#31

[naveensrinivasan]

Thank you @developer-guy! We are tracking this part of this larger issue #1051

We want to come up with a plan of it being SLSA compliant.

• We still haven't yet decided on whether to use GitHub for signing the keys or use google for signing the keys and also the provenance that comes along for it to be SLSA compliant.
• Once we decide that then it should be easy.
• If you have any recommendations more than happy to hear on the Feature: scorecard builds comply with SLSA #1051

[laurentsimon]

Would OIDC be an option? This way we don't need a special workflow to generate keys and store them in GH secrets, and we also get built-in key rotation.

[laurentsimon]

@asraa FYI

[naveensrinivasan]

Yes, that would be a great option for signing containers.

Signing blob(scorecard binary) is easy. But verifying is jumping through lots of hoops. I am trying that the tooling isn’t there yet.

Also we need to understand if it suffices the SLDA requirements.

[developer-guy]

hello @azeemshaikh38 @naveensrinivasan, here is the keyless image signing example with GoReleaser recently created as a sample project¹, thanks to @caarlos0, of course, you can find an example of signing checksum also, here is the related tweet²

Sample 1: Signing Container Images

docker_signs:
  - cmd: cosign
    env:
    - COSIGN_EXPERIMENTAL=1
    artifacts: images
    args:
    - 'sign'
    - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
    - '${artifact}'

Sample 2: Signing checksums.txt file

docker_signs:
  - cmd: cosign
    env:
    - COSIGN_EXPERIMENTAL=1
    artifacts: images
    args:
    - 'sign'
    - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
    - '${artifact}'

Footnotes

1. https://github.com/caarlos0-graveyard/gorel-keyless ↩

2. https://twitter.com/caarlos0/status/1462609279156994056?s=20 ↩

[justaugustus]

Cross-linking a few things from Kubernetes tracking:

• Signing release artifacts: Signing Release Artifacts kubernetes/enhancements#3031
• SLSA Level 3 Compliance in the Kubernetes Release Process: SLSA Level 3 Compliance in the Kubernetes Release Process kubernetes/enhancements#3027
• Signing artifacts with cosign: Signing artifacts with cosign kubernetes/release#2227
• Implement container image signing MVP (KEP-3031): Implement container image signing MVP (KEP-3031) kubernetes/release#2383
• KEP (Kubernetes Enhancement Proposal): https://github.com/kubernetes/enhancements/tree/master/keps/sig-release/3031-signing-release-artifacts

[developer-guy]

kindly ping @naveensrinivasan, what needs to be done? 🙏

[laurentsimon]

We could also wait for the slsa-generator to have support for container (laster this month), and use that with GoReleaser.
I think some of our images use ko as well.

/cc @ianlewis

[afmarcum]

Is this something that still needs to be discussed?
If there is no feedback in the next 7 days on whether this remains important for the project, then this issue will be closed.