Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Preserve original signatures from promoted images #542

Merged
merged 3 commits into from
Apr 7, 2022
Merged

Preserve original signatures from promoted images #542

merged 3 commits into from
Apr 7, 2022

Conversation

puerco
Copy link
Member

@puerco puerco commented Apr 7, 2022
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

This commit implements the CopySignatures() function which takes care of copying signatures from the original images to the newly promoted destinations.

Signed-off-by: Adolfo García Veytia (Puerco) [email protected]

Which issue(s) this PR fixes:

Part of kubernetes/release#2383

Special notes for your reviewer:

The previous copySignatures() internal function has been renamed to replicateSignatures() to avoid confusion

/assign @justaugustus @cpanato @saschagrunert

Does this PR introduce a user-facing change?

The image promoter will now carry existing image signatures to the destination registries and append the new signatures to them when signing with the promoter idenity

puerco added 3 commits April 6, 2022 20:50
@puerco
Rename copySignatures to replicateSignatures
5b88178 
There was a naming clash as CopySignature expressed two
different  actions. This commit renames the internal function
to replicateSignatures which denotes replicating one signature
to all mirrors.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Implement imagepromoter.CopySignatures
4fcc285 
This commit implements the CopySignatures function which takes care
of copying signatures from the original images to the newly promoted
destination.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Improve signature replication logic
c142e2f 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Apr 7, 2022
@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 7, 2022
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/artifacts Issues or PRs related to the hosting of release artifacts for subprojects labels Apr 7, 2022
@k8s-ci-robot k8s-ci-robot added area/release-eng Issues or PRs related to the Release Engineering subproject approved Indicates a PR has been approved by an approver from all required OWNERS files. sig/release Categorizes an issue or PR as relevant to SIG Release. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 7, 2022
@puerco puerco mentioned this pull request Apr 7, 2022
Closed
@puerco
Copy link
Member Author

puerco commented Apr 7, 2022

Sample output verifying an image with two signatures

Note the two identities:

"Subject": "[email protected]" // Sigstore
"Subject": "[email protected]" // My test account

Full output

COSIGN_EXPERIMENTAL=1 cosign verify us.gcr.io/k8s-cip-test-prod/canary/sigstore-mirror/cosigned:v1.7.1  | jq
Verification for us.gcr.io/k8s-cip-test-prod/canary/sigstore-mirror/cosigned:v1.7.1 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.

[
  {
    "critical": {
      "identity": {
        "docker-reference": "gcr.io/projectsigstore/cosigned"
      },
      "image": {
        "docker-manifest-digest": "sha256:45d88f483c2eeaab4a4437cb0990705f285625d9968c3d6a0419a0b88e5668d3"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEQCICPTMriYYAlAMGEGV2x1N1V3LIB0vX3QQsAlJprIaLArAiAxZlqsmQOdTYgFZIEgaZlxj/adAO9tXdXWLaUBLf4X7A==",
        "Payload": {
          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJhZTNiYzkxMjBjODhkODQzODU2ZDE0NWIzNWZjMmVkNDIxYjEwY2ExNjRhYzc1MWQ3ZmFhNDQ2ZmE5MWVjZTc3In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUUREOGFlamRKaFBVYkxaYjM2VUxsT1MwcXY4TVhyTnVvVmdRclQzTjZ1aGFnSWhBTVNiTjRBeGIvZ3pSYjJxMFEwd2dYR0lJcHhHU3M3VloxUU5yRkZVRGdQYiIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTk1ha05EUVdKUFowRjNTVUpCWjBsVlFWQXZPVVpsWkZoYVRrMVdaR3BJYTFadVZtNTZNblEyZG1wSmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1MycEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWtWM1JIZFpSRlpSVVVSRmQyaDZZVmRrZW1SSE9YbGFWRUZsUm5jd2VRcE5ha0V3VFVSVmVFNTZVWGhOZWxKaFJuY3dlVTFxUVRCTlJGVjRUbnBWZUUxNlRtRk5RVUYzVjFSQlZFSm5ZM0ZvYTJwUFVGRkpRa0puWjNGb2EycFBDbEJSVFVKQ2QwNURRVUZVU0VWWE0xZEhWRFZyVHpoQ09FSmhNbTVyU0ZaRFNuQlpSVVJPVFdFME1HOHZRbHBsVTNreWNtSmlLM0ZQVDBrekwySkdUelVLZDFwTVJtWXphSEp5V1RCNmRqTkNObkUyVW5ka2FFaExPVGt5VWxaeFZHNXZORWhuVFVsSVpFMUJORWRCTVZWa1JIZEZRaTkzVVVWQmQwbElaMFJCVkFwQ1owNVdTRk5WUlVSRVFVdENaMmR5UW1kRlJrSlJZMFJCZWtGTlFtZE9Wa2hTVFVKQlpqaEZRV3BCUVUxQ01FZEJNVlZrUkdkUlYwSkNVblpGYmxkRENtdHhhREpHZUVobGRqRk9ObXdyVFU1d1RuRlNZMVJCWmtKblRsWklVMDFGUjBSQlYyZENVbGwzUWpWbWExVlhiRnB4YkRaNlNrTm9hM2xNVVV0eldFWUtLMnBCT1VKblRsWklVa1ZDUVdZNFJVMTZRWGhuVXpseVdsaHNjMXBZVG5wUlNFSjVZakp3YkZrelVucGhWMlI2WkVjNWVWcFROWEJaVnpCMVdqTk9iQXBqYmxwd1dUSldhRmt5VG5aa1Z6VXdURzFPZG1KVVFYQkNaMjl5UW1kRlJVRlpUeTlOUVVWQ1FrSjBiMlJJVW5kamVtOTJUREpHYWxreU9URmlibEo2Q2t4dFpIWmlNbVJ6V2xNMWFtSXlNSGREWjFsSlMyOWFTWHBxTUVWQmQwMUVZVkZCZDFwblNYaEJUSEZNY1VGdVJsVklXV2hJTkdoM1EwZFVkMFJwSzNnS1V6QlZOa05sUzBoSVJXTmtZbUZoV21Wd09WVnJlVUV3V1RCaU9UYzFNVVJxYkVGeVVVTlVhbWgzU1hoQlRYQldSV0ZzTVZab1VuRmtOR1k1UVZoNmVncHBWMlZqTVdoQmJtcEdTVVF2TlhWcE5YaG5Sek5DYzBGelluTllWa1Z0VGpSbE5GcHZTMGt2T0RKVWEwRlJQVDBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0=",
          "integratedTime": 1649180495,
          "logIndex": 1908207,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "GIT_HASH": "53c28e44f10548c8839d4c72e5909fa74e08b5f6",
      "GIT_VERSION": "v1.7.1",
      "Issuer": "https://accounts.google.com",
      "Subject": "[email protected]"
    }
  },
  {
    "critical": {
      "identity": {
        "docker-reference": "us.gcr.io/k8s-cip-test-prod/canary/sigstore/cosigned"
      },
      "image": {
        "docker-manifest-digest": "sha256:45d88f483c2eeaab4a4437cb0990705f285625d9968c3d6a0419a0b88e5668d3"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEQCIHmI3kppyo9+VHkXYZ14Uov0BkWiJnwlh4iaC0P0hyMOAiB3cZ/rjfBmw94hmSy45nmtmzvLgUDh+7pn/29J9esKTg==",
        "Payload": {
          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1ZjZkZWQ0NzBjMjBiODc2NWU3MTI0ZmNjNDQxMTY5OTExZWIyODdiMTU2OGM4ZDJkZjljMmY0ZjcxYzg4OWUwIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJREVuUml0OVBzU2RoNTdMMXZ5cnc3aDRLZDlIWk9IY0tMTmdvcVM5S3UveUFpQWF3cm1KWnlBV3plbndYSDBMellOb1JINGRlZWduVHNuVGt1MzJkVFBXVGc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTk9SRU5EUVdKdFowRjNTVUpCWjBsVlFVcHJTVUkyWVV0eFJWRnZRalpNTkZoSlNWbFVjVGszU1hWRmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1MycEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWtWM1JIZFpSRlpSVVVSRmQyaDZZVmRrZW1SSE9YbGFWRUZsUm5jd2VRcE5ha0V3VFVSamQwMTZVWGRPUkVwaFJuY3dlVTFxUVRCTlJHTjNUWHBWZDA1RVJtRk5RVUYzVjFSQlZFSm5ZM0ZvYTJwUFVGRkpRa0puWjNGb2EycFBDbEJSVFVKQ2QwNURRVUZTSzJodlJXVnpZMlZUU1Vsbkx6RnNZMXBhUm1WVE9VVjBaVFZLZERKaVpWVjFVek5hZFVRNFJIbHVkVWw0VDBoMVZ6VlRZa1FLZERORVRYa3ljMkpaSzJNeGRYaE5Oa1Z1Vms4NVZqYzJiall5ZEcwNGJVZHZORWh0VFVsSWFrMUJORWRCTVZWa1JIZEZRaTkzVVVWQmQwbElaMFJCVkFwQ1owNVdTRk5WUlVSRVFVdENaMmR5UW1kRlJrSlJZMFJCZWtGTlFtZE9Wa2hTVFVKQlpqaEZRV3BCUVUxQ01FZEJNVlZrUkdkUlYwSkNVVEZ5YkRSQ0NpdEVjR1JrWjFoM1VGTlBiRlpqYjNGSlNTOUJZMnBCWmtKblRsWklVMDFGUjBSQlYyZENVbGwzUWpWbWExVlhiRnB4YkRaNlNrTm9hM2xNVVV0eldFWUtLMnBDUkVKblRsWklVa1ZDUVdZNFJVOVVRVE5uVkZZd1dsaE9NRXhZVG5CYU1qVnNZMnRDTVdKSFJtbGplVEZxWWtjNU1WcERNVEJhV0U0d1kzazFjQXBaVnpCMVdqTk9iR051V25CWk1sWm9XVEpPZG1SWE5UQk1iVTUyWWxSQmNFSm5iM0pDWjBWRlFWbFBMMDFCUlVKQ1FuUnZaRWhTZDJONmIzWk1Na1pxQ2xreU9URmlibEo2VEcxa2RtSXlaSE5hVXpWcVlqSXdkME5uV1VsTGIxcEplbW93UlVGM1RVUmhVVUYzV21kSmVFRkpTWHBTTXpWNFluVjZXVlJwWjNBS05UZDRVa3RDV1RkNGNYWjZaVkE1SzI0NE5ubGhiaXRSVjNSSFRUWXJlRkZKYW1Gc05rRXZNbVU0ZWxsYU56ZE1RM2RKZUVGT1VXaGFkVlk1VDBwTGJncE9NMUJNZDBKQ2FFcFNkMlJDWldjemFWZ3dhRXNyYzFKa05uaElSR05rVlhsU2JteDBTWFpaV0hsTFpVMXVNM2Q0ZUhreVRHYzlQUW90TFMwdExVVk9SQ0JEUlZKVVNVWkpRMEZVUlMwdExTMHRDZz09In19fX0=",
          "integratedTime": 1649302844,
          "logIndex": 1930993,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "Issuer": "https://accounts.google.com",
      "Subject": "[email protected]",
      "org.kubernetes.kpromo.mirrors": "us.gcr.io/k8s-cip-test-prod/canary/sigstore/cosigned,us.gcr.io/k8s-cip-test-prod/canary/sigstore-mirror/cosigned"
    }
  }
]

@puerco puerco mentioned this pull request Apr 7, 2022
Closed
12 tasks
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 7, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: puerco, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [puerco,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 5a31723 into kubernetes-sigs:main Apr 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saschagrunert saschagrunert saschagrunert approved these changes

@cpanato cpanato Awaiting requested review from cpanato

@jeremyrickard jeremyrickard Awaiting requested review from jeremyrickard

Assignees

@justaugustus justaugustus

@saschagrunert saschagrunert

@cpanato cpanato

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/artifacts Issues or PRs related to the hosting of release artifacts for subprojects area/release-eng Issues or PRs related to the Release Engineering subproject cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/release Categorizes an issue or PR as relevant to SIG Release. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@puerco @k8s-ci-robot @saschagrunert @justaugustus @cpanato