
feat: validates signatures against the images if they exist in the images spec #2324

Draft: wants to merge 3 commits into base: main

Conversation

waveywaves
Contributor

Description

Validate images using cosign signatures if they exist in the images spec

Related Issue

Fixes #2257

Relates to #

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging


netlify bot commented Feb 22, 2024

Deploy Preview for zarf-docs canceled.

Name: zarf-docs
🔨 Latest commit: ae16a03
🔍 Latest deploy log: https://app.netlify.com/sites/zarf-docs/deploys/65d75a96c395190008523198

@waveywaves
Contributor Author

waveywaves commented Feb 22, 2024

Would we have to pull the image down and then use that blob for the verification?
Also another question about cosign.pub. From what I understand, providing a local cosign.pub is deprecated (?). Would a user have to provide another public key for verification using an env var or a flag during package create, or something else?

cc @Racer159

@Racer159
Contributor

Would we have to pull the image down and then use that blob for the verification? Also another question about cosign.pub. From what I understand, providing a local cosign.pub is deprecated (?). Would a user have to provide another public key for verification using an env var or a flag during package create, or something else?

cc @Racer159

The cosign.pub verification to my understanding isn't deprecated (would be interesting to see where you saw that - I don't see anything in cosign running locally), but also isn't the primary method to verify cosign signatures because it doesn't use the more modern keyless infrastructure. For Zarf's use cases though (working in an airgap/offline) we have largely supported the cosign keys since they are much easier to take into airgaps to perform verification.

This particular issue may require more design though before we can tackle it (it was originally split from an issue that had a few separate issues in it) since there are a few scenarios we should consider. Many organizations may have a common key they resign things with in a registry mirror like artifactory but there would likely be many more that would want to manage different keys or different verification schemes for their images (i.e. if they had images from multiple sources or teams). CC @eddiezane for his thoughts on this as well.
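To make the key-based path discussed above concrete, here is an added example that is not Zarf's code and not the sigstore library a real implementation would call. It assumes cosign's key-based scheme as documented: an ECDSA P-256 key pair, a SHA-256 hash of the SimpleSigning JSON payload, and a base64-encoded DER signature. Because the payload binds the image's manifest digest, an offline verifier needs only cosign.pub, the payload, the signature and the digest resolved from the registry manifest, and it must check both that the signature verifies and that the signed digest equals the digest it actually resolved. The registry reference, digest and key material below are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// SimpleSigning mirrors the payload cosign signs for an image; the manifest
// digest under critical.image is what the signature binds.
type SimpleSigning struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

// NewSimpleSigningPayload builds the JSON payload for a reference and manifest digest.
func NewSimpleSigningPayload(ref, manifestDigest string) ([]byte, error) {
	var p SimpleSigning
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = manifestDigest
	p.Critical.Type = "cosign container image signature"
	p.Optional = map[string]interface{}{}
	return json.Marshal(p)
}

// GenerateKey creates an ECDSA P-256 key pair, the curve cosign key pairs use.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// PublicKeyPEM renders the public half in the PEM form of a cosign.pub file.
func PublicKeyPEM(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// SignPayload signs SHA-256(payload) and returns the base64 DER signature.
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	h := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// VerifyPayload is the offline check: the signature must verify under cosign.pub
// and the signed digest must equal the digest resolved from the registry.
func VerifyPayload(pubPEM, payload []byte, sigB64, resolvedDigest string) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("cosign.pub: no PUBLIC KEY block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("cosign.pub: not an ECDSA public key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify against cosign.pub")
	}
	var p SimpleSigning
	if err := json.Unmarshal(payload, &p); err != nil {
		return err
	}
	if got := p.Critical.Image.DockerManifestDigest; got != resolvedDigest {
		return fmt.Errorf("signed digest %s does not match resolved digest %s", got, resolvedDigest)
	}
	return nil
}

func main() {
	// Constructed reference and digest; a real digest comes from the registry manifest.
	const ref, digest = "registry.example.com/team/app", "sha256:0000000000000000000000000000000000000000000000000000000000000000"
	priv, _ := GenerateKey()
	pubPEM, _ := PublicKeyPEM(&priv.PublicKey)
	payload, _ := NewSimpleSigningPayload(ref, digest)
	sig, _ := SignPayload(priv, payload)
	fmt.Println("valid:", VerifyPayload(pubPEM, payload, sig, digest))
	fmt.Println("digest mismatch:", VerifyPayload(pubPEM, payload, sig, "sha256:other"))
}
```

The digest comparison at the end is the step that ties the signature to what was pulled: a valid signature over some other digest is not evidence for the image in the package.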

@Noxsios Noxsios changed the title (feat) validates signatures against the images if they exist in the images spec feat: validates signatures against the images if they exist in the images spec Feb 23, 2024
@waveywaves
Contributor Author

@Racer159 saw that cosignPublicKeyPath was deprecated here

https://github.com/defenseunicorns/zarf/blob/main/src/types/component.go#L34-L35

Successfully merging this pull request may close these issues.

Validate cosign signatures if included in images
2 participants