Sign Dependabot container images #9546

Closed
JamieMagee opened this issue Apr 20, 2024 · 2 comments

JamieMagee (Contributor)

Code improvement description

Signing generated containers allows us (and any external users) to verify that a container image actually came from us. With GitHub Actions support for OIDC [1] it's possible to use cosign [2] to sign containers in GitHub Actions without any human interaction or storing long-lived keys as secrets.

Here's a GitHub blog post on the same topic: https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/

Footnotes

[1] https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/

[2] https://github.com/sigstore/cosign

JamieMagee (Contributor, Author)

It worked for the branch images. Here are the logs for the Bundler image from #9571:

Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...

The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
This may include the email address associated with the account with which you authenticate your contractual Agreement.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
tlog entry created with index: 88201941
Pushing signature to: ghcr.io/dependabot/dependabot-updater-bundler

I can view that record on Rekor: https://search.sigstore.dev/?logIndex=88201941

And I can also verify the claims and certificates using cosign

$ cosign verify \
  ghcr.io/dependabot/dependabot-updater-bundler@sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513 \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/dependabot/dependabot-core/.github/workflows/images-branch.yml@refs/pull/9571/merge

Verification for ghcr.io/dependabot/dependabot-updater-bundler@sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

...

The rest of the output is quite large, so I've put it below:

[
  {
    "critical": {
      "identity": {
        "docker-reference": "ghcr.io/dependabot/dependabot-updater-bundler"
      },
      "image": {
        "docker-manifest-digest": "sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
      "1.3.6.1.4.1.57264.1.2": "pull_request",
      "1.3.6.1.4.1.57264.1.3": "04e44db333752305ff158277a737f260da674f14",
      "1.3.6.1.4.1.57264.1.4": "Branch images",
      "1.3.6.1.4.1.57264.1.5": "dependabot/dependabot-core",
      "1.3.6.1.4.1.57264.1.6": "refs/pull/9571/merge",
      "Bundle": {
        "SignedEntryTimestamp": "MEQCIEDfF7Cwl1jvWw+Hvg1RAWKFt5OhEHQsYqYCfRgnFDx1AiAJQJ2nvBvHtBVf95Ln5hzXTcs2JAFI4LPQ3CfDqTPWbA==",
        "Payload": {
          "body": "…",
          "integratedTime": 1713927270,
          "logIndex": 88201941,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "Issuer": "https://token.actions.githubusercontent.com",
      "Subject": "https://github.com/dependabot/dependabot-core/.github/workflows/images-branch.yml@refs/pull/9571/merge",
      "githubWorkflowName": "Branch images",
      "githubWorkflowRef": "refs/pull/9571/merge",
      "githubWorkflowRepository": "dependabot/dependabot-core",
      "githubWorkflowSha": "04e44db333752305ff158277a737f260da674f14",
      "githubWorkflowTrigger": "pull_request"
    }
  }
]

The signature is also published to our container registry. For the same bundler image I mentioned above:

ghcr.io/dependabot/dependabot-updater-bundler@sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513

The signature is available at:

ghcr.io/dependabot/dependabot-updater-bundler:sha256-32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513.sig

This allows us, and others, to verify where Dependabot container images were built.

Now that this is verified working, and backwards compatible, I think this can be merged and signing can be rolled out to the rest of the containers we push as well.
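The `cosign verify` invocation above pins the OIDC issuer and the exact workflow identity, and the JSON it prints carries the GitHub Actions claims (repository, ref, trigger, commit) as both Fulcio OID extensions and named fields. A consumer normally wants one more step: a policy over those claims, so that, for example, an image signed by a `pull_request` run of the branch-images workflow is not accepted where a `refs/heads/main` build is required, and the digest in the payload is the digest that was actually requested. The following is an added example, not code from dependabot-core or from cosign: it re-creates the signature record from the thread above as constructed input (Rekor body elided) and evaluates it against two hypothetical policies. The allowed triggers and ref patterns in those policies are assumptions for illustration, not a statement of how the Dependabot workflows are actually triggered.

```python
"""Policy check over `cosign verify` JSON output (added example, not project code)."""
import json
from dataclasses import dataclass
from fnmatch import fnmatch

# Fulcio certificate extension OIDs that cosign copies into the "optional" claims
# for GitHub Actions tokens (the same keys appear in the thread's output).
OID_ISSUER = "1.3.6.1.4.1.57264.1.1"
OID_TRIGGER = "1.3.6.1.4.1.57264.1.2"
OID_REPO = "1.3.6.1.4.1.57264.1.5"
OID_REF = "1.3.6.1.4.1.57264.1.6"


@dataclass(frozen=True)
class Policy:
    issuer: str            # OIDC issuer the certificate must name
    repository: str        # "owner/repo" whose workflow must have signed
    workflow_path: str     # workflow file allowed to sign
    ref_patterns: tuple    # fnmatch patterns accepted for githubWorkflowRef
    triggers: frozenset    # accepted githubWorkflowTrigger values


def signature_problems(sig: dict, image_ref: str, digest: str, policy: Policy) -> list:
    """Return the policy violations for one cosign signature record ([] means OK)."""
    problems = []
    crit, opt = sig.get("critical", {}), sig.get("optional", {})

    # 1. The signed payload must bind the exact image asked about, by digest not tag.
    if crit.get("type") != "cosign container image signature":
        problems.append("unexpected payload type")
    if crit.get("identity", {}).get("docker-reference") != image_ref:
        problems.append("signature is for a different repository")
    if crit.get("image", {}).get("docker-manifest-digest") != digest:
        problems.append("signature is for a different manifest digest")

    # 2. Issuer must match in both the named field and the raw OID extension.
    if opt.get("Issuer") != policy.issuer or opt.get(OID_ISSUER) != policy.issuer:
        problems.append("unexpected OIDC issuer")

    # 3. Identity: allowed workflow, in the allowed repo, at an allowed ref/trigger.
    repo = opt.get("githubWorkflowRepository", opt.get(OID_REPO))
    ref = opt.get("githubWorkflowRef", opt.get(OID_REF))
    trigger = opt.get("githubWorkflowTrigger", opt.get(OID_TRIGGER))
    if repo != policy.repository:
        problems.append(f"signed by repository {repo!r}")
    expected_subject = f"https://github.com/{policy.repository}/{policy.workflow_path}@{ref}"
    if opt.get("Subject") != expected_subject:
        problems.append("subject is not the expected workflow")
    if not any(fnmatch(ref or "", pattern) for pattern in policy.ref_patterns):
        problems.append(f"ref {ref!r} not allowed")
    if trigger not in policy.triggers:
        problems.append(f"trigger {trigger!r} not allowed")

    # 4. A Rekor bundle must be present so the short-lived cert is tied to a log time.
    if "logIndex" not in opt.get("Bundle", {}).get("Payload", {}):
        problems.append("missing transparency log bundle")
    return problems


def evaluate(cosign_output: str, image_ref: str, digest: str, policy: Policy) -> list:
    """Apply the policy to `cosign verify` JSON; [] means some signature passed."""
    sigs = json.loads(cosign_output)
    if not sigs:
        return ["no signatures returned"]
    all_problems = []
    for sig in sigs:
        problems = signature_problems(sig, image_ref, digest, policy)
        if not problems:
            return []
        all_problems.extend(problems)
    return all_problems


GITHUB = "https://token.actions.githubusercontent.com"
IMAGE = "ghcr.io/dependabot/dependabot-updater-bundler"
DIGEST = "sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513"

# Constructed input: the record from the thread above with the Rekor body elided.
SAMPLE_OUTPUT = json.dumps([{
    "critical": {"identity": {"docker-reference": IMAGE},
                 "image": {"docker-manifest-digest": DIGEST},
                 "type": "cosign container image signature"},
    "optional": {
        OID_ISSUER: GITHUB, OID_TRIGGER: "pull_request",
        OID_REPO: "dependabot/dependabot-core", OID_REF: "refs/pull/9571/merge",
        "Bundle": {"Payload": {"body": "...", "integratedTime": 1713927270,
                               "logIndex": 88201941}},
        "Issuer": GITHUB,
        "Subject": "https://github.com/dependabot/dependabot-core/.github/workflows/"
                   "images-branch.yml@refs/pull/9571/merge",
        "githubWorkflowRepository": "dependabot/dependabot-core",
        "githubWorkflowRef": "refs/pull/9571/merge",
        "githubWorkflowTrigger": "pull_request"}}])

# Hypothetical policies (assumed values): PR builds vs. production builds from main.
PR_IMAGES = Policy(GITHUB, "dependabot/dependabot-core", ".github/workflows/images-branch.yml",
                   ("refs/pull/*/merge",), frozenset({"pull_request"}))
PRODUCTION = Policy(GITHUB, "dependabot/dependabot-core", ".github/workflows/images-latest.yml",
                    ("refs/heads/main",), frozenset({"push", "workflow_dispatch"}))

if __name__ == "__main__":
    print(evaluate(SAMPLE_OUTPUT, IMAGE, DIGEST, PR_IMAGES))   # accepted
    print(evaluate(SAMPLE_OUTPUT, IMAGE, DIGEST, PRODUCTION))  # rejected with reasons
```

Run against the thread's record, the PR-images policy accepts it, while the production policy rejects it on three counts (wrong workflow subject, ref `refs/pull/9571/merge`, trigger `pull_request`). Feeding the wrong digest is rejected even under the permissive policy, which is the check that matters when a tag like `:latest` is what gets resolved at verification time.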

JamieMagee (Contributor, Author) commented Apr 29, 2024

With #9616 merged and deployed all production images will now be signed with cosign going forward.

$ cosign verify \
  ghcr.io/dependabot/dependabot-updater-bundler:latest \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/dependabot/dependabot-core/.github/workflows/images-latest.yml@refs/heads/main

...
