Sign images

[liangyuanpeng]

What type of PR is this?

/kind feature

What this PR does / why we need it:

Let images of kamada signed with cosign.
It would be help with the implementation of supply chain security practices on the user side.

Which issue(s) this PR fixes:
Part1 of #3435

Special notes for your reviewer:

After sign you can see the signatures from command of cosign verify xxx

Just like that:

lan@lan:~/repo/git/karmada$ cosign verify lypgcs/karmada-search:sign_images

Verification for index.docker.io/lypgcs/karmada-search:sign_images --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"index.docker.io/lypgcs/karmada-search"},"image":{"docker-manifest-digest":"sha256:fbf94024ee3b06264a2ee8be92b3616d6a84ae5877f54723a863832e85771d16"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://token.actions.githubusercontent.com/","1.3.6.1.4.1.57264.1.2":"push","1.3.6.1.4.1.57264.1.3":"45e9d727f568060d783db370985cad8653740a29","1.3.6.1.4.1.57264.1.4":"released image to DockerHub","1.3.6.1.4.1.57264.1.5":"liangyuanpeng/karmada","1.3.6.1.4.1.57264.1.6":"refs/heads/sign_images","Bundle":{"SignedEntryTimestamp":"MEUCIQCINKsiQcsRiCdH+EIZpvA5SXW83d7VvXq67S2ObEFL9wIgRBePerdOgaGaMygVozOctdk5bbOsolYLlJk4BnJayDE=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1ODQ1MDUxZjg1OTY2YWY4YzkzZTE2ZWFmOGI5M2VkZWI1MjI4NjY0OWMzODljNzYwMWJmZjJlNDczMTdhYzE2In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUUQ1cjVnYjNXajhSS2x2bTBZcDVBbXN1WVg5R0tibmpCWjBva1U3cFNXcmRRSWhBTmRLOGVadjJnUGJHck5mVDVJYVRtL2NTRnNVQjM5WVlGVnZPZ2gwa3VYYSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVaEdSRU5EUW5CdFowRjNTVUpCWjBsVlQyVkpObUpRVEdWNmJrTmthRzlLYmpsR1JVbHdhWEJMU0ZvMGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcE5kMDVFU1hkTlJFVjRUVlJOTWxkb1kwNU5hazEzVGtSSmQwMUVSWGxOVkUweVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZhWVdOalZXUnROMmxTU0RSNFJ6RlFVVlIxUWtkNVRERlVWUzlLVXpCWGRYaFRkVU1LZFd4YWFUUkpUR1JKVTNoVlJsQlRNMVJ4ZGtzd1JYRndibkZoWnpCU2FIRnhaVFV2TDJaaGFHTklaM28xZVZOVmIzRlBRMEppWjNkbloxY3dUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZ4ZVdSUkNteGlia2REZURoQ1ZsQk1hVFJ0ZVRCSmVFTkJSQzl2ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDJaQldVUldVakJTUVZGSUwwSklTWGRqU1ZwMVlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKNGNGbFhOVzVsV0Zab1ltNUNiQXBpYldOMllUSkdlV0pYUm10WlV6aDFXakpzTUdGSVZtbE1NMlIyWTIxMGJXSkhPVE5qZVRscllqSk9jbHBZU205a1YwbDBZMjFXYzFwWFJucGFWMUYwQ21GWE1XaGFNbFYxWlZjeGMxRklTbXhhYmsxMllVZFdhRnBJVFhaak1teHVZbXc1Y0dKWFJtNWFXRTEzVDFGWlMwdDNXVUpDUVVkRWRucEJRa0ZSVVhJS1lVaFNNR05JVFRaTWVUa3dZakowYkdKcE5XaFpNMUp3WWpJMWVreHRaSEJrUjJneFdXNVdlbHBZU21waU1qVXdXbGMxTUV4dFRuWmlWRUZUUW1kdmNncENaMFZGUVZsUEwwMUJSVU5DUVZKM1pGaE9iMDFFV1VkRGFYTkhRVkZSUW1jM09IZEJVVTFGUzBSUk1WcFViR3RPZWtreldtcFZNazlFUVRKTlIxRXpDazlFVG10WmFrMHpUVVJyTkU1WFRtaGFSR2N5VGxSTk0wNUVRbWhOYW10M1MxRlpTMHQzV1VKQ1FVZEVkbnBCUWtKQlVXSmpiVlp6V2xkR2VscFhVV2NLWVZjeGFGb3lWV2RrUnpoblVrYzVhbUV5Vm5sVFNGWnBUVU5OUjBOcGMwZEJVVkZDWnpjNGQwRlJWVVZHVjNod1dWYzFibVZZVm1oaWJrSnNZbTFqZGdwaE1rWjVZbGRHYTFsVVFXdENaMjl5UW1kRlJVRlpUeTlOUVVWSFFrSmFlVnBYV25wTU1taHNXVmRTZWt3elRuQmFNalZtWVZjeGFGb3lWbnBOUkhOSENrTnBjMGRCVVZGQ1p6YzRkMEZSWjBWTVVYZHlZVWhTTUdOSVRUWk1lVGt3WWpKMGJHSnBOV2haTTFKd1lqSTFla3h0WkhCa1IyZ3hXVzVXZWxwWVNtb0tZakkxTUZwWE5UQk1iVTUyWWxSQ0swSm5iM0pDWjBWRlFWbFBMMDFCUlVwQ1NFRk5ZbTFvTUdSSVFucFBhVGgyV2pKc01HRklWbWxNYlU1MllsTTVjd3BoVjBaMVdqTnNNVmxYTlhkYVZ6VnVUREowYUdOdE1XaGFSMFYyVEcxa2NHUkhhREZaYVRrellqTktjbHB0ZUhaa00wMTJXa2M1YW1FeVZubGhTRlpwQ2t4WVNteGlSMVpvWXpKV2EweFhiSFJaVjJSc1RHNXNkR0pGUW5sYVYxcDZUREpvYkZsWFVucE1NMDV3V2pJMVptRlhNV2hhTWxaNlRVUm5SME5wYzBjS1FWRlJRbWMzT0hkQlVXOUZTMmQzYjA1RVZteFBWMUV6VFdwa2JVNVVXVFJOUkZsM1drUmpORTB5VW1sTmVtTjNUMVJuTVZreVJtdFBSRmt4VFhwak1BcE5SMFY1VDFSQlpFSm5iM0pDWjBWRlFWbFBMMDFCUlV4Q1FUaE5SRmRrY0dSSGFERlphVEZ2WWpOT01GcFhVWGRQUVZsTFMzZFpRa0pCUjBSMmVrRkNDa1JCVVhGRVEyaHZaRWhTZDJONmIzWk1NbVJ3WkVkb01WbHBOV3BpTWpCMllrZHNhR0p0WkRWa1YwWjFZMGRXZFZwNU9YSlpXRXAwV1ZkU2FFMUVaMGNLUTJselIwRlJVVUpuTnpoM1FWRXdSVXRuZDI5T1JGWnNUMWRSTTAxcVpHMU9WRmswVFVSWmQxcEVZelJOTWxKcFRYcGpkMDlVWnpGWk1rWnJUMFJaTVFwTmVtTXdUVWRGZVU5VVFXMUNaMjl5UW1kRlJVRlpUeTlOUVVWUFFrSm5UVVp1U214YWJrMTJZVWRXYUZwSVRYWmpNbXh1WW13NWNHSlhSbTVhV0UxM0NrZFJXVXRMZDFsQ1FrRkhSSFo2UVVKRWQxRk1SRUZyTVU1RVZYbE9SRkY2VFVSamQwMUJXVXRMZDFsQ1FrRkhSSFo2UVVKRlFWRnBSRU5DYjJSSVVuY0tZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFppUjJ4b1ltMWtOV1JYUm5WalIxWjFXbnBCV1VKbmIzSkNaMFZGUVZsUEwwMUJSVkpDUVc5TlEwUkpOQXBPZWtWNFRsUkJNRTFJTkVkRGFYTkhRVkZSUW1jM09IZEJVa2xGWTBGNGRXRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3eWVIQlpWelZ1Q21WWVZtaGlia0pzWW0xamRtRXlSbmxpVjBacldWTTRkVm95YkRCaFNGWnBURE5rZG1OdGRHMWlSemt6WTNrNWEySXlUbkphV0VwdlpGZEpkR050Vm5NS1dsZEdlbHBYVVhSaFZ6Rm9XakpWZFdWWE1YTlJTRXBzV201TmRtRkhWbWhhU0UxMll6SnNibUpzT1hCaVYwWnVXbGhOZDA5QldVdExkMWxDUWtGSFJBcDJla0ZDUlhkUmNVUkRaekJPVjFVMVdrUmplVTR5V1RGT2FtZDNUbXBDYTA1NlozcGFSMGw2VG5wQk5VOUVWbXBaVjFFMFRtcFZlazU2VVhkWlZFazFDazFDVVVkRGFYTkhRVkZSUW1jM09IZEJVbEZGUW1kM1JXTklWbnBoUkVKaVFtZHZja0puUlVWQldVOHZUVUZGVmtKRk1FMVRNbWd3WkVoQ2VrOXBPSFlLV2pKc01HRklWbWxNYlU1MllsTTVjMkZYUm5WYU0yd3hXVmMxZDFwWE5XNU1NblJvWTIweGFGcEhSWFpaVjA0d1lWYzVkV041T1hsa1Z6VjZUSHBSTXdwT1JHdDZUMFJOTTAxRVJYWlpXRkl3V2xjeGQyUklUWFpOVkVOQ2FYZFpTMHQzV1VKQ1FVaFhaVkZKUlVGblVqbENTSE5CWlZGQ00wRk9NRGxOUjNKSENuaDRSWGxaZUd0bFNFcHNiazUzUzJsVGJEWTBNMnA1ZEM4MFpVdGpiMEYyUzJVMlQwRkJRVUpvTlhjeloyOXZRVUZCVVVSQlJXZDNVbWRKYUVGS1oxY0tXbmh2VEd0cVNIcHpVR1JDYmpkUFRuZHZTMUpJWVRWR1JGWjFWSFoyUTAxcmNVdDZXbUY0TjBGcFJVRjNNRWxGYURSb1NGVk9hM1J2UkdGUFVHZDBiUXBCYkZGNFltVmhPVk1yY1VWc1N6SlRTVXByVDFKM1JYZERaMWxKUzI5YVNYcHFNRVZCZDAxRVlWRkJkMXBuU1hoQlRESkRSREZaWlZkUmRXaHZiSE56Q21OWFJGUjFVRGxTZGxwUVJsaEZlREExYjNKa1RuWndLM1ZCUlZkMVVrY3ZXRGRNVERGSlVHSmFNMnRvUWs5T1FUQjNTWGhCU3pCT2JubFBlUzlQSzBnS1NsbHRVVXBzY1ZSNWRIVXdUWEZySzJscE0yWTVUMXBpT1doVlYwRnFVVkJhTURSWWJuQjFVVFpUV1c1SU9EQk9VamhvUWt4M1BUMEtMUzB0TFMxRlRrUWdRMFZTVkVsR1NVTkJWRVV0TFMwdExRbz0ifX19fQ==","integratedTime":1681953098,"logIndex":18429319,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"Issuer":"https://token.actions.githubusercontent.com/","Subject":"https://github.com/liangyuanpeng/karmada/.github/workflows/dockerhub-released-image.yml@refs/heads/sign_images","githubWorkflowName":"released image to DockerHub","githubWorkflowRef":"refs/heads/sign_images","githubWorkflowRepository":"liangyuanpeng/karmada","githubWorkflowSha":"45e9d727f568060d783db370985cad8653740a29","githubWorkflowTrigger":"push"}}]

Also can be check the CI message from github action:

https://github.com/liangyuanpeng/karmada/actions/runs/4749383701/jobs/8436594750#step:8:140

Does this PR introduce a user-facing change?:

Use cosign to sign  Images of karmada.

[codecov-commenter]

Codecov Report

Merging #3434 (421d83c) into master (3c4ab2e) will decrease coverage by 0.02%.
The diff coverage is n/a.

❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more.

@@            Coverage Diff             @@
##           master    #3434      +/-   ##
==========================================
- Coverage   56.64%   56.62%   -0.02%     
==========================================
  Files         221      221              
  Lines       20832    20832              
==========================================
- Hits        11800    11796       -4     
- Misses       8410     8414       +4     
  Partials      622      622              

Flag	Coverage Δ
unittests	56.62% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 2 files with indirect coverage changes

[RainbowMango]

/assign

I'm looking at it.

[RainbowMango]

@main means the master branch or the latest released version?

[RainbowMango]

I'd prefer to use a pinned version of cosign.

[liangyuanpeng]

You absolutely right,Change main to v3.0.3 (The latest version today)
Thanks for your review.

[RainbowMango]

What does this env mean? Is there any reference about it?

[liangyuanpeng]

It's mean use keyless signatures work in Cosign .

Doc from cosign:
https://docs.sigstore.dev/cosign/keyless/#keyless-verifying

[RainbowMango]

Can you help to explain in more detail about the id-token?

I can get some info from cosign-installer usage:

This action does not need any GitHub permission to run, however, if your workflow needs to update, create or perform any action against your repository, then you should change the scope of the permission appropriately.

For example, if you are using the gcr.io as your registry to push the images you will need to give the write permission to the packages scope.

[liangyuanpeng]

Need the permissions of id-token to auto get the OIDC Identity Tokens from github action if we use keyless signatures.It would be failed if github action have not this permissions.

It's not necessary if we sign with cert or use other OIDC provider.

Here is the doc: https://docs.sigstore.dev/cosign/keyless/#identity-tokens

...
+ cosign sign --yes -a run_id=4913600087 ***/karmada-operator:cosign
Generating ephemeral keys...
Retrieving signed certificate...
Non-interactive mode detected, using device flow.
Enter the verification code MSBL-QTPQ in your browser at: https://oauth2.sigstore.dev/auth/device?user_code=MSBL-QTPQ
Code will be valid for 300 seconds
Error: signing [***/karmada-operator:cosign]: getting signer: getting key from Fulcio: retrieving cert: error obtaining token: expired_token
main.go:74: error during command execution: signing [***/karmada-operator:cosign]: getting signer: getting key from Fulcio: retrieving cert: error obtaining token: expired_token

[zishen]

sorry, I found the newest cosign is 2.0.2. Can you give me the url?

[liangyuanpeng]

This is the cosign-installer version and not cosign version.
https://github.com/sigstore/cosign-installer

[zishen]

Thanks, good.
And I think this feature timely make up for karmada shortcomings in image verification.

Can you explain how to use in customer env in doc？

[liangyuanpeng]

Can you explain how to use in customer env in doc？

Check links from issue #3435 .

It's the same thing.

• https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts/

[liangyuanpeng]

@zishen I'm change cosign version to v1.13.1 for consistent behavior with https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts/ . Thanks for your check.

[ikaven1024]

This script maybe ran in some guy's private CI enviromment without cosign command.

[liangyuanpeng]

You're right, we can skip sign image when have not command of cosign.

[RainbowMango]

Thanks @ikaven1024 for the reminder.
If guys want to build the image and push it to their private registry, we shouldn't force them to sign the images with cosign.

[RainbowMango]

kindly ping @liangyuanpeng

You're right, we can skip sign image when have not command of cosign.

Can we go with the approach that make images does not sign the image by default? We can have an environment variable to indicate it to sign the image.

[liangyuanpeng]

@RainbowMango Updated, PTAL,Thanks.

[RainbowMango]

Thanks. Sorry for letting this sit so long. I'll look at it as soon as possible.

[RainbowMango]

Thanks. I'll test it on my side.

[RainbowMango]

/lgtm
/approve

Thanks @liangyuanpeng !

[karmada-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [RainbowMango]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[RainbowMango]

Hi @liangyuanpeng The CI is failing on master after this PR, could you please take a look?
https://github.com/karmada-io/karmada/actions/runs/5287357476/jobs/9568154587

[RainbowMango]

Just echo the error message here:

INFO: Downloading cosign public key 'v1.13.1' of cosign...
    https://raw.githubusercontent.com/sigstore/cosign/v1.13.1/release/release-cosign.pub
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the blob.
INFO: Using bootstrap cosign to verify signature of desired cosign version
Error: getting ctlog public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 3.root.json: Get "https://tuf-repo-cdn.sigstore.dev/3.root.json": dial tcp: lookup tuf-repo-cdn.sigstore.dev on 127.0.0.53:53: read udp 127.0.0.1:42557->127.0.0.53:53: i/o timeout
remote status:{
	"mirror": "https://tuf-repo-cdn.sigstore.dev/",
	"metadata": {
		"root.json": {
			"version": 7,
			"len": 5404,
			"expiration": "04 Oct 23 13:08 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 90,
			"len": 2303,
			"expiration": "03 Jul 23 16:03 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 7,
			"len": 5[252](https://github.com/karmada-io/karmada/actions/runs/5287357476/jobs/9568154587#step:4:254),
			"expiration": "04 Oct 23 13:26 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 90,
			"len": 721,
			"expiration": "26 Jun 23 16:03 UTC",
			"error": ""
		}
	}
}
main.go:74: error during command execution: getting ctlog public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 3.root.json: Get "https://tuf-repo-cdn.sigstore.dev/3.root.json": dial tcp: lookup tuf-repo-cdn.sigstore.dev on 127.0.0.53:53: read udp 127.0.0.1:4[255](https://github.com/karmada-io/karmada/actions/runs/5287357476/jobs/9568154587#step:4:257)7->127.0.0.53:53: i/o timeout
remote status:{
	"mirror": "https://tuf-repo-cdn.sigstore.dev/",
	"metadata": {
		"root.json": {
			"version": 7,
			"len": 5404,
			"expiration": "04 Oct 23 13:08 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 90,
			"len": 2[303](https://github.com/karmada-io/karmada/actions/runs/5287357476/jobs/9568154587#step:4:305),
			"expiration": "03 Jul 23 16:03 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 7,
			"len": 5252,
			"expiration": "04 Oct 23 13:26 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 90,
			"len": 721,
			"expiration": "26 Jun 23 16:03 UTC",
			"error": ""
		}
	}
}