Container image signing for windows and linux images (#570)

* Removing duplicate alerts from ci recommended alerts

* Remove test branch

* Add label limits for pod annotations default config

* Test image signing with test keycode

* change service name

* test

* update esrp name

* add oras

* update

* update

* update dotnet version

* test

* test only linux build

* upgrade to dotnet 6

* update

* update

* update esrp version

* test

* remove use dotnet and use esrp 3

* remove use dotnet and use esrp 2

* remove use dotnet and use esrp 2

* remove use dotnet and use esrp 3 , test only esrp

* install oras cli

* correct bug

* change branch name

* update dockerfile

* Use oras instead of azcu wrapper to attach signature

* test

* Update windows image signing

* fix the payload powershell command windows

* changes to payload step

* reorder

* test reorder

* testing reorder

* change step of payload inside build image step

* update ps script

* test commit

* test commit only windows

* see payload content

* correct powershell oras commands

* remove quotes from ps command for oras attach

* use powershell script in same block

* Container image signing for windows and linux images

* Add doc with details on signing

* remove personal branch

* add personal branch

* test

* update build condition

.pipelines/azure-pipeline-build.yml

@@ -196,9 +196,53 @@ jobs:
           # Load in amd64 image to run vulnerability scan
           docker buildx build . --file ./build/linux/Dockerfile -t $(LINUX_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/linux/metadata.json
         fi
+        MEDIA_TYPE=$(docker manifest inspect -v $(LINUX_FULL_IMAGE_NAME) | jq '.Descriptor.mediaType')
+        DIGEST=$(docker manifest inspect -v $(LINUX_FULL_IMAGE_NAME) | jq '.Descriptor.digest')
+        SIZE=$(docker manifest inspect -v $(LINUX_FULL_IMAGE_NAME) | jq '.Descriptor.size')
+        cat <<EOF >>$(Build.ArtifactStagingDirectory)/linux/payload.json
+        {"targetArtifact":{"mediaType":$MEDIA_TYPE,"digest":$DIGEST,"size":$SIZE}}
+        EOF
       workingDirectory: $(Build.SourcesDirectory)/otelcollector/
       displayName: "Build: build and push image to dev ACR"
 
+    - task: EsrpCodeSigning@3
+      displayName: "ESRP CodeSigning for Prometheus"
+      inputs:
+        ConnectedServiceName: "ESRPServiceConnectionForPrometheusImages"
+        FolderPath: $(Build.ArtifactStagingDirectory)/linux/
+        Pattern: "*.json"
+        signConfigType: inlineSignParams
+        inlineOperation: |
+          [
+            {
+                "keyCode": "CP-469451",
+                "operationSetCode": "NotaryCoseSign",
+                "parameters": [
+                  {
+                    "parameterName": "CoseFlags",
+                    "parameterValue": "chainunprotected"
+                  }
+                ],
+                "toolName": "sign",
+                "toolVersion": "1.0"
+            }
+          ]
+
+    - bash: |
+        set -euxo pipefail
+        curl -LO "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_linux_amd64.tar.gz"
+        mkdir -p oras-install/
+        tar -zxf oras_1.0.0_*.tar.gz -C oras-install/
+        sudo mv oras-install/oras /usr/local/bin/
+        rm -rf oras_1.0.0_*.tar.gz oras-install/
+        oras attach $(LINUX_FULL_IMAGE_NAME) \
+          --artifact-type 'application/vnd.cncf.notary.signature' \
+          ./payload.json:application/cose \
+          -a "io.cncf.notary.x509chain.thumbprint#S256=[\"659AAA9C0E822B4B20A964AA0178BD9419A50530\"]"
+      workingDirectory: $(Build.ArtifactStagingDirectory)/linux/
+      displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/linux/"
+      condition: eq(variables.IS_MAIN_BRANCH, true)
+
     - bash: |
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
         trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 $(LINUX_FULL_IMAGE_NAME)
@@ -371,7 +415,7 @@ jobs:
         docker manifest create $(WINDOWS_FULL_IMAGE_NAME) $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2019_BASE_IMAGE_VERSION) $(WINDOWS_FULL_IMAGE_NAME)-$(WINDOWS_2022_BASE_IMAGE_VERSION)
         docker manifest push $(WINDOWS_FULL_IMAGE_NAME)
       workingDirectory: $(Build.SourcesDirectory)/otelcollector/
-      displayName: "Build: Triggering manigest for multi-arc docker image"
+      displayName: "Build: Triggering manifest for multi-arc docker image"
 
     - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
       condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true))
@@ -380,6 +424,59 @@ jobs:
         BuildDropPath: '$(Build.ArtifactStagingDirectory)/windows'
         DockerImagesToScan: '$(WINDOWS_FULL_IMAGE_NAME)'
 
+    - powershell: |
+        $output = docker manifest inspect -v $(WINDOWS_FULL_IMAGE_NAME) | ConvertFrom-Json
+        $firstManifest = $output[0]
+        $MEDIA_TYPE = $firstManifest.Descriptor.mediaType
+        $DIGEST = $firstManifest.Descriptor.digest
+        $SIZE = $firstManifest.Descriptor.size
+        $payload = @{
+            targetArtifact = @{
+                mediaType = $MEDIA_TYPE
+                digest = $DIGEST
+                size = $SIZE
+            }
+        } | ConvertTo-Json
+
+        $payload | Out-File -FilePath "$(Build.ArtifactStagingDirectory)/windows/payload.json"
+      workingDirectory: $(Build.ArtifactStagingDirectory)/windows
+      displayName: "Build the payload json file"
+
+    - task: EsrpCodeSigning@3
+      displayName: 'ESRP CodeSigning for Prometheus'
+      inputs:
+        ConnectedServiceName: 'ESRPServiceConnectionForPrometheusImages'
+        FolderPath: '$(Build.ArtifactStagingDirectory)/windows'
+        Pattern: '*.json'
+        signConfigType: inlineSignParams
+        inlineOperation: |
+          [
+            {
+                "keyCode": "CP-469451",
+                "operationSetCode": "NotaryCoseSign",
+                "parameters": [
+                  {
+                    "parameterName": "CoseFlags",
+                    "parameterValue": "chainunprotected"
+                  }
+                ],
+                "toolName": "sign",
+                "toolVersion": "1.0"
+            }
+          ]
+
+    - powershell: |
+        curl.exe -sLO  "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_windows_amd64.zip"
+        $currentDirectory = Get-Location
+        Expand-Archive -Path $currentDirectory\oras_1.0.0_windows_amd64.zip -DestinationPath . -Force
+        New-Item -ItemType Directory -Force -Path $env:USERPROFILE\bin
+        Copy-Item -Path $currentDirectory\oras.exe -Destination "$env:USERPROFILE\bin\"
+        $env:PATH = "$env:USERPROFILE\bin;$env:PATH"
+        oras attach $(WINDOWS_FULL_IMAGE_NAME) --artifact-type application/vnd.cncf.notary.signature ./payload.json:application/cose -a io.cncf.notary.x509chain.thumbprint#S256=[\""659AAA9C0E822B4B20A964AA0178BD9419A50530\""]
+      workingDirectory: $(Build.ArtifactStagingDirectory)/windows
+      displayName: "Download, install Oras and run oras attach"
+      condition: eq(variables.IS_MAIN_BRANCH, true)
+
     - task: PublishBuildArtifacts@1
       condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true))
       displayName: "Ev2: publish image artifacts"

internal/docs/ESRPCodeSign.md

@@ -0,0 +1,11 @@
+I have followed this [doc](https://eng.ms/docs/more/containers-secure-supply-chain/signing).
+[This](https://ms.portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/quickStartType~/null/sourceType/Microsoft_AAD_IAM/appId/73f8d5f9-b507-497f-b698-4ed00fcba5a3/objectId/cd14f76f-2797-4192-927e-65b7e37e9c26/isMSAApp~/false/defaultBlade/Overview/appSignInAudience/AzureADMyOrg/servicePrincipalCreated~/true) is the ESRP app registration created for ESRP connection, [it](https://ms.portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Credentials/quickStartType~/null/sourceType/Microsoft_AAD_IAM/appId/73f8d5f9-b507-497f-b698-4ed00fcba5a3/objectId/cd14f76f-2797-4192-927e-65b7e37e9c26/isMSAApp~/false/defaultBlade/Overview/appSignInAudience/AzureADMyOrg/servicePrincipalCreated~/true) has the client secret authentication key for the AAD App ID which is used by the ADO task.
+
+[This](https://github-private.visualstudio.com/azure/_settings/adminservices?resourceId=91213571-9b46-4675-91d5-fd997630bda6) is the service connection created for ESRP. All these steps are given [here](https://microsoft.sharepoint.com/teams/prss/Codesign/SitePages/ESRP%20ADO.aspx).
+
+[This](https://portal.esrp.microsoft.com/Onboarding/AccountDetails?clientId=73f8d5f9-b507-497f-b698-4ed00fcba5a3) is the ESRP registration client created for signing Prometheus images. The approved ESRP sign key code CP-469451 is used for signing as mentioned in [doc](https://eng.ms/docs/more/containers-secure-supply-chain/signing).
+
+For verification of signing we can do through 2 ways.
+
+1. Locally through the doc https://eng.ms/docs/more/containers-secure-supply-chain/signing under validation section using notation. We have to use our own [certificate](https://ms.portal.azure.com/#view/Microsoft_Azure_KeyVault/ListObjectVersionsRBACBlade/~/overview/objectType/certificates/objectId/https%3A%2F%2Fesrpprometheuskv.vault.azure.net%2Fcertificates%2FESRPReqPrometheusCert/vaultResourceUri/%2Fsubscriptions%2F9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb%2FresourceGroups%2FESRPPrometheus%2Fproviders%2FMicrosoft.KeyVault%2Fvaults%2FESRPPrometheusKV/vaultId/%2Fsubscriptions%2F9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb%2FresourceGroups%2FESRPPrometheus%2Fproviders%2FMicrosoft.KeyVault%2Fvaults%2FESRPPrometheusKV) instead of the one in the example.
+2. We can do a docker pull on the signed images and it will not have the following error message - "manifest verification failed for digest sha256..."