-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Start to sign image releases with cosign #203
Comments
If y'all are receptive to this, I'd be happy to send a PR with the above changes to the actions workflow, just let me know. |
The published image are in a different repository. Moving this issue there. |
I can help in the implementation |
That would be great, I had this on my radar anyway. We use goreleaser in this project, I believe there's an integration with cosign already. |
Yep, the implementation should be more straightforward :) |
@cpanato has forgotten more about |
PR: #207 also did others to updates some other things:
|
I commented in the relevant PR already, but our final images are scratch images already. The alpine base is being used only for build stages. |
I know that this issue is only about signing images. However, it would be good also to sign executables (especially for Windows and macOS). It looks like |
Is your feature request related to a problem? Please describe.
I'd like to be able to verify that the images we are consuming from
otel/opentelemetry-collector-contrib
on DockerHub were produced by this repo's release automation.Describe the solution you'd like
I'd like to see the workflow used to publish your images use
sigstore/cosign
keyless signing to sign the published images, e.g. like the actions sample here.There are three main pieces to this:
id-token: write
permissions to generate an identity token for the workflow:cosign
This can then be used with assorted policy controllers to verify that the images published to DockerHub were produced by
.github/workflows/build-and-test.yml
even if the static DockerHub credentials have been compromised.Describe alternatives you've considered
You could also use
sigstore/cosign
to sign the images using a static key pair. However, this requires managing another secret (the signing key), and publishing your own verification key. Some projects (e.g. Google distroless) are signing things both ways, at least for now.Additional context
No response
The text was updated successfully, but these errors were encountered: