
util: verify provenance #2110

@mkulke mkulke commented Oct 11, 2024

This is prep-work to consume binaries with attestation from guest-components (#2074). The tool asserts that the OCI image has been built on the specified repo with a push on the main branch and that the specified digest matches the git sha of the source code and of the workflow.

Note: such a verification is only solid when performed for an OCI image w/ digest, since the tags are mutable. We want to resolve a tag to a digest URI and then verify and pull that digest URI (`oras resolve image:tag`).

```bash
$ cd src/cloud-api-adaptor
$ ./hack/verify-provenance.sh \
  -a ghcr.io/confidential-containers/guest-components/api-server-rest@sha256:0d2f600490caddb024c4e1e4c9d512c38a0d38e20131dd74702e6dfa4c6890b1 \
  -r confidential-containers/guest-components \
  -d d8da69072424e496486dfb5421a26f16ff2a7abf
Verification passed
```
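The checks described above (digest-pinned reference, built from the expected repo on main, source commit equal to the given git sha), as an added illustration that is not the PR's `verify-provenance.sh`. It assumes the attestation is a SLSA v1 provenance statement in the shape GitHub artifact attestations use; the statement, repository names and digests are constructed sample values, and the check covers the source commit rather than the workflow commit.

```python
import json

# Constructed sample: an in-toto statement with a SLSA v1 provenance predicate.
# All names and digests are illustrative, not values from the PR.
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ghcr.io/example-org/example-repo/api-server-rest",
                 "digest": {"sha256": "0d2f" + "0" * 60}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {
        "externalParameters": {"workflow": {
            "ref": "refs/heads/main",
            "repository": "https://github.com/example-org/example-repo",
            "path": ".github/workflows/build.yml"}},
        "resolvedDependencies": [{
            "uri": "git+https://github.com/example-org/example-repo@refs/heads/main",
            "digest": {"gitCommit": "d8da6907" + "0" * 32}}]}},
})

def parse_image_ref(ref):
    """Return (repository path, sha256 hex) for a digest-pinned OCI reference.
    Tag references are rejected because tags are mutable."""
    if "@sha256:" not in ref:
        raise ValueError("image reference must be pinned by digest, not a tag")
    repo, digest = ref.split("@sha256:", 1)
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed sha256 digest")
    return repo, digest

def verify_provenance(statement_json, image_ref, expected_repo, expected_sha):
    """Check that the statement attests image_ref, that the build ran from a push
    to main in expected_repo, and that the source commit equals expected_sha.
    Returns the list of failures; an empty list means verification passed."""
    repo_path, image_digest = parse_image_ref(image_ref)
    st = json.loads(statement_json)
    failures = []
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("unexpected predicateType")
    subjects = {(s["name"], s["digest"].get("sha256")) for s in st.get("subject", [])}
    if (repo_path, image_digest) not in subjects:
        failures.append("image digest is not a subject of the attestation")
    bd = st.get("predicate", {}).get("buildDefinition", {})
    wf = bd.get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != f"https://github.com/{expected_repo}":
        failures.append("built from a different repository")
    if wf.get("ref") != "refs/heads/main":
        failures.append("not built from a push to main")
    commits = {d.get("digest", {}).get("gitCommit") for d in bd.get("resolvedDependencies", [])
               if d.get("uri", "").startswith(f"git+https://github.com/{expected_repo}@")}
    if commits != {expected_sha}:
        failures.append("source commit does not match the expected git sha")
    return failures
```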

@mkulke mkulke requested a review from a team as a code owner October 11, 2024 10:37
@mkulke mkulke force-pushed the mkulke/add-verify-provenance-helper branch 2 times, most recently from 6475f94 to da4d86c Compare October 11, 2024 10:41
@stevenhorsman stevenhorsman left a comment

Looks great. I've tried positive and negative cases locally with and without the -g mode and it seems to work in them. Great job @mkulke!

@bpradipt bpradipt left a comment

/lgtm

This is prep-work to consume binaries with attestation from
guest-components. The tool asserts that the OCI image has been built on
the specified repo with a push on a main branch and the specified
digest matches the git sha of the source code and workflow.

```bash
$ cd src/cloud-api-adaptor
$ ./hack/verify-provenance.sh \
    -a ghcr.io/...@sha256:1234 \
    -r confidential-containers/guest-components \
    -d d8da69072424e496486dfb5421a26f16ff2a7abf
Verification passed
```

Signed-off-by: Magnus Kulke <[email protected]>
@mkulke mkulke force-pushed the mkulke/add-verify-provenance-helper branch from da4d86c to d399589 Compare October 14, 2024 06:21
@mkulke mkulke merged commit adf5ee7 into confidential-containers:main Oct 14, 2024
19 checks passed
@mkulke mkulke deleted the mkulke/add-verify-provenance-helper branch October 14, 2024 06:30