Sign branch images with cosign

[Nishnha]

Local branch of #9547

An initial implementation of #9546 for branch images

cc/ @JamieMagee

[JamieMagee]

Thanks @Nishnha. It looks like the push updater images step is still being skipped for some reason 🤷

[Nishnha]

I think it may require a codeowners approval

[JamieMagee]

Ah, you're right. It needs maintainer approval.

[JamieMagee]

It looks like it worked 🎉

Here's the logs for the Bundler image

Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...

	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at [https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.](https://lfprojects.org/policies/hosted-project-tools-terms-of-use/)
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at [https://lfprojects.org/policies/hosted-project-tools-immutable-records/.](https://lfprojects.org/policies/hosted-project-tools-immutable-records/)

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
tlog entry created with index: 88201941
Pushing signature to: ghcr.io/dependabot/dependabot-updater-bundler

I can view that record on Rekor: https://search.sigstore.dev/?logIndex=88201941

And I can also verify the claims and certificates using cosign

$ cosign verify \
  ghcr.io/dependabot/dependabot-updater-bundler@sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513 \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/dependabot/dependabot-core/.github/workflows/images-branch.yml@refs/pull/9571/merge

Verification for ghcr.io/dependabot/dependabot-updater-bundler@sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

...

The rest of the output is quite large, so I've put it below:

Expand for details

[
  {
    "critical": {
      "identity": {
        "docker-reference": "ghcr.io/dependabot/dependabot-updater-bundler"
      },
      "image": {
        "docker-manifest-digest": "sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
      "1.3.6.1.4.1.57264.1.2": "pull_request",
      "1.3.6.1.4.1.57264.1.3": "04e44db333752305ff158277a737f260da674f14",
      "1.3.6.1.4.1.57264.1.4": "Branch images",
      "1.3.6.1.4.1.57264.1.5": "dependabot/dependabot-core",
      "1.3.6.1.4.1.57264.1.6": "refs/pull/9571/merge",
      "Bundle": {
        "SignedEntryTimestamp": "MEQCIEDfF7Cwl1jvWw+Hvg1RAWKFt5OhEHQsYqYCfRgnFDx1AiAJQJ2nvBvHtBVf95Ln5hzXTcs2JAFI4LPQ3CfDqTPWbA==",
        "Payload": {
          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIxMzFmYTc1MDBmNzBjNzA5YmEzMjM4OGFkNzBhYTgzYWQwNGJhZDQwN2FmZjI3NmRlZjgxMjMyMGU2YjYwYjg2In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQ3BxK2RaZllnM0NPR2hkVnBMb0o5YUVLNDZXdncyKzl4VmUrd1IvN0x3S0FpQWNVTXFPQ2F0bTI5ZlFjN0liK0c3bHFlaDFCR0hOOWFsRDBkcTFTREFzSmc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVaEhha05EUW5GRFowRjNTVUpCWjBsVlFtOUVVVWQxTUV0bGNrcHBWU3RPYkd0c1lXbHZZbHBoUml0TmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJkMDVFU1RCTlJFa3hUa1JKTlZkb1kwNU5hbEYzVGtSSk1FMUVUWGRPUkVrMVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZIVnpSR1dHUllUSEJ6Y2tocE5WWk5ibTVEWkROa1NUQkNlbWxHU0hkSlNFcEphMGNLTDJGSlZqQmlUSEF2ZUZrMmJIVllTSEo0VVdrMVpWQkxWMU5PWlc1ekswVllka1ZzTkRKbVdXaEZRakowT0ZsdloyRlBRMEppT0hkbloxYzNUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlVyWWxWRUNtSXJlV05NVFdJdlYzUXljRzFaVm14cFdIcHRieXRKZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDJSQldVUldVakJTUVZGSUwwSkhiM2RoU1ZwdFlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKU2JHTkhWblZhUjBacFlqTlJkZ3BhUjFaM1dsYzFhMWxYU25aa1F6RnFZak5LYkV4NU5XNWhXRkp2WkZkSmRtUXlPWGxoTWxwellqTmtla3d5YkhSWlYyUnNZM2t4YVdOdFJuVlpNbWQxQ21WWE1YTlJTRXBzV201TmRtTklWbk5pUXpnMVRsUmplRXd5TVd4amJXUnNUVVJyUjBOcGMwZEJVVkZDWnpjNGQwRlJSVVZMTW1nd1pFaENlazlwT0hZS1pFYzVjbHBYTkhWWlYwNHdZVmM1ZFdONU5XNWhXRkp2WkZkS01XTXlWbmxaTWpsMVpFZFdkV1JETldwaU1qQjNSMmRaUzB0M1dVSkNRVWRFZG5wQlFncEJaMUZOWTBoV2MySkdPWGxhV0VZeFdsaE9NRTFFV1VkRGFYTkhRVkZSUW1jM09IZEJVVTFGUzBSQk1GcFVVVEJhUjBsNlRYcE5NMDVVU1hwTlJGWnRDbHBxUlRGUFJFa3pUakpGTTAxNlpHMU5hbGwzV2tkRk1rNTZVbTFOVkZGM1IzZFpTMHQzV1VKQ1FVZEVkbnBCUWtKQlVVNVJia3BvWW0xT2IwbEhiSFFLV1Zka2JHTjZRVzlDWjI5eVFtZEZSVUZaVHk5TlFVVkdRa0p3YTFwWVFteGliVkpvV1cwNU1Fd3lVbXhqUjFaMVdrZEdhV0l6VVhSWk1qbDVXbFJCYVFwQ1oyOXlRbWRGUlVGWlR5OU5RVVZIUWtKU2VWcFhXbnBNTTBJeFlrZDNkazlVVlROTlV6bDBXbGhLYmxwVVFUZENaMjl5UW1kRlJVRlpUeTlOUVVWSkNrSkRNRTFMTW1nd1pFaENlazlwT0haa1J6bHlXbGMwZFZsWFRqQmhWemwxWTNrMWJtRllVbTlrVjBveFl6SldlVmt5T1hWa1IxWjFaRU0xYW1JeU1IY0taR2RaUzB0M1dVSkNRVWRFZG5wQlFrTlJVbTlFUjFwdlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyV2tkV2QxcFhOV3RaVjBwMlpFTTVhd3BhV0VKc1ltMVNhRmx0T1RCTVYwNTJZMjFWZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbUZYTVdoYU1sWjZURmRLZVZsWE5XcGhRelUxQ21KWGVFRmpiVlp0WTNrNWQyUlhlSE5NZW1zeFRucEZkbUpYVm5sYU1sVjNUMEZaUzB0M1dVSkNRVWRFZG5wQlFrTm5VWEZFUTJkM1RrZFZNRTVIVW1rS1RYcE5lazU2VlhsTmVrRXhXbTFaZUU1VVozbE9lbVJvVG5wTk0xcHFTVEpOUjFKb1RtcGpNRnBxUlRCTlFqQkhRMmx6UjBGUlVVSm5OemgzUVZGelJRcEVkM2RPV2pKc01HRklWbWxNVjJoMll6TlNiRnBFUVRsQ1oyOXlRbWRGUlVGWlR5OU5RVVZOUWtNNFRVeFhhREJrU0VKNlQyazRkbG95YkRCaFNGWnBDa3h0VG5aaVV6bHJXbGhDYkdKdFVtaFpiVGt3VERKU2JHTkhWblZhUjBacFlqTlJkRmt5T1hsYVZFRTBRbWR2Y2tKblJVVkJXVTh2VFVGRlRrSkRiMDBLUzBSQk1GcFVVVEJhUjBsNlRYcE5NMDVVU1hwTlJGWnRXbXBGTVU5RVNUTk9Na1V6VFhwa2JVMXFXWGRhUjBVeVRucFNiVTFVVVhkS1FWbExTM2RaUWdwQ1FVZEVkbnBCUWtSblVWZEVRbEo1V2xkYWVrd3pRakZpUjNkMlQxUlZNMDFUT1hSYVdFcHVXbFJCV1VKbmIzSkNaMFZGUVZsUEwwMUJSVkJDUVc5TkNrTkVhM3BOVkZsNlRVUmplazFETUVkRGFYTkhRVkZSUW1jM09IZEJVa0ZGU0hkM1pHRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3eVVtd0tZMGRXZFZwSFJtbGlNMUYzUjBGWlMwdDNXVUpDUVVkRWRucEJRa1ZSVVV0RVFXZDVUbnBOTUU1NlVUTk9ha0l5UW1kdmNrSm5SVVZCV1U4dlRVRkZVd3BDUjJkTldtMW9NR1JJUW5wUGFUaDJXakpzTUdGSVZtbE1iVTUyWWxNNWExcFlRbXhpYlZKb1dXMDVNRXd5VW14alIxWjFXa2RHYVdJelVYUlpNamw1Q2xwVE9IVmFNbXd3WVVoV2FVd3paSFpqYlhSdFlrYzVNMk41T1hCaVYwWnVXbGhOZEZsdVNtaGliVTV2VEc1c2RHSkZRbmxhVjFwNlRETkNNV0pIZDNZS1QxUlZNMDFUT1hSYVdFcHVXbFJCTkVKbmIzSkNaMFZGUVZsUEwwMUJSVlJDUTI5TlMwUkJNRnBVVVRCYVIwbDZUWHBOTTA1VVNYcE5SRlp0V21wRk1RcFBSRWt6VGpKRk0wMTZaRzFOYWxsM1drZEZNazU2VW0xTlZGRjNTRUZaUzB0M1dVSkNRVWRFZG5wQlFrWkJVVTlFUVhoM1pGZDRjMWd6U214aldGWnNDbU16VVhkWlFWbExTM2RaUWtKQlIwUjJla0ZDUmxGU1UwUkdRbTlrU0ZKM1kzcHZka3d5WkhCa1IyZ3hXV2sxYW1JeU1IWmFSMVozV2xjMWExbFhTbllLWkVNNWExcFlRbXhpYlZKb1dXMDVNRXhYVG5aamJWVjJXVmRPTUdGWE9YVmplVGw1WkZjMWVreDZaelJOVkVGNlRWUkJlVTU2YTNaWldGSXdXbGN4ZHdwa1NFMTJUVlJCVjBKbmIzSkNaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhVkZaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamRDU0d0QkNtUjNRakZCVGpBNVRVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKcWR6UkhjbUUwUVVGQlVVUUtRVVZaZDFKQlNXZEpUbFZPUVRaM1pFSkllU3Q2UXl0aVREQnhVR0ZNZDA5UmNWWXliVmRKY0c4eVNGZFJUWGxMTVZOclEwbEVkMmgwVTJOTFFXVnBOd3AzT0V3eGNWSTJTbkZGWW1WcU4wTjRhVTVFTUZod1MxZEpZMGREVlZKV1RVMUJiMGREUTNGSFUwMDBPVUpCVFVSQk1tZEJUVWRWUTAxUlJHVkpSekJGQ2tONmNuRjNTWEZvUTNBeWRubHhSSFpQYW1NeVZteHJjWEJwY0VKNVRXYzFPVTVuYlRocU1EWlRZVWRJTDBSdGJTdHFZelZEVmpGMlVtNWpRMDFETVdVS05rUlhUbXB3YjJWcVFVVm5PRkJySzFkc2RETkhPRTQwS3pGc2NYTmhVMk5aWW5sNE5sSjNPRXgyUmpZME16TlpRV2h5U2pSb1RHRTNRV1Z0V1hjOVBRb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENnPT0ifX19fQ==",
          "integratedTime": 1713927270,
          "logIndex": 88201941,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "Issuer": "https://token.actions.githubusercontent.com",
      "Subject": "https://github.com/dependabot/dependabot-core/.github/workflows/images-branch.yml@refs/pull/9571/merge",
      "githubWorkflowName": "Branch images",
      "githubWorkflowRef": "refs/pull/9571/merge",
      "githubWorkflowRepository": "dependabot/dependabot-core",
      "githubWorkflowSha": "04e44db333752305ff158277a737f260da674f14",
      "githubWorkflowTrigger": "pull_request"
    }
  }
]

This allows us, and others, to verify where Dependabot container images were built.

Now that this is verified working, and backwards compatible, I think this can be merged and signing can be rolled out to the rest of the containers we push as well.

[JamieMagee]

I forgot to add that the signature is also published to our container registry. For the same bundler image I mentioned above:

ghcr.io/dependabot/dependabot-updater-bundler@sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513

The signature is available at:

ghcr.io/dependabot/dependabot-updater-bundler:sha256-32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513.sig