Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Verify container image signatures using cosign #308

Open
JamieMagee opened this issue Apr 24, 2024 · 2 comments
Open

Verify container image signatures using cosign #308

JamieMagee opened this issue Apr 24, 2024 · 2 comments

Comments

@JamieMagee
Copy link
Contributor

Once dependabot/dependabot-core#9546 is completed for production images, we should verify the container image signatures.

This can be done with cosign. See sigstore's documentation on signature verification for information1, though we may be able to use cosign as a go library directly, instead of using the CLI.

Footnotes

  1. https://docs.sigstore.dev/verifying/verify/

@JamieMagee
Copy link
Contributor Author

JamieMagee commented Apr 29, 2024

Production images are now signed with cosign and can be verified

$ cosign verify \
  ghcr.io/dependabot/dependabot-updater-bundler:latest \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/dependabot/dependabot-core/.github/workflows/images-latest.yml@refs/heads/main

Verification for ghcr.io/dependabot/dependabot-updater-bundler:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
...

@JamieMagee
Copy link
Contributor Author

OpenTelemetry containers are also signed with cosign:

$ cosign verify \
  docker.io/otel/opentelemetry-collector-contrib:latest \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/open-telemetry/opentelemetry-collector-releases/.github
/workflows/base-release.yaml@refs/tags/v0.99.0

Verification for index.docker.io/otel/opentelemetry-collector-contrib:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant