
Add container image signing to released images #2386

Closed
zroubalik opened this issue Dec 6, 2021 · 5 comments · Fixed by #2501 or #2504
Labels: feature-request (All issues for new features that have not been committed to), stale-bot-ignore (All issues that should not be automatically closed by our stale bot)

Comments

@zroubalik (Member) commented Dec 6, 2021

Proposal

Starting with the new release we should support container image signing:

https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/

https://github.com/kedacore/keda/blob/main/.github/workflows/release-build.yml

@zroubalik zroubalik added help wanted Looking for support from community feature-request All issues for new features that have not been committed to stale-bot-ignore All issues that should not be automatically closed by our stale bot labels Dec 6, 2021
@zroubalik zroubalik added this to the v2.6.0 milestone Dec 6, 2021
@tomkerkhove (Member)

Agreed

@JorTurFer (Member)

+100

@tomkerkhove tomkerkhove removed this from the v2.6.0 milestone Jan 4, 2022
@zroubalik zroubalik added this to the v2.6.0 milestone Jan 21, 2022
@zroubalik zroubalik self-assigned this Jan 21, 2022
@zroubalik (Member, Author)

cosign sign fails:

https://github.com/kedacore/keda/runs/4901065794?check_suite_focus=true

```
Run make sign-images
COSIGN_EXPERIMENTAL=*** cosign sign -a GIT_HASH=ba37a***7a***686be9fa6d2cb***5c9a34***ecc***404e54 -a GIT_VERSION=main -a BUILD_DATE=2022.0***.2***.***9.46.45 ghcr.io/kedacore/keda:main
Generating ephemeral keys...
Retrieving signed certificate...
Non-interactive mode detected, using device flow.
Enter the verification code SGHM-QTLM in your browser at: https://oauth2.sigstore.dev/auth/device?user_code=SGHM-QTLM
Code will be valid for 300 seconds
Error: signing [ghcr.io/kedacore/keda:main]: getting signer: getting key from Fulcio: retrieving cert: error obtaining token: expired_token
main.go:46: error during command execution: signing [ghcr.io/kedacore/keda:main]: getting signer: getting key from Fulcio: retrieving cert: error obtaining token: expired_token
make: *** [sign-images] Error ***
Makefile:***97: recipe for target 'sign-images' failed
```

@zroubalik zroubalik reopened this Jan 21, 2022
@zroubalik zroubalik removed the help wanted Looking for support from community label Jan 21, 2022
@JorTurFer (Member)

I think that there are some missing steps, I'll try in my own repo before opening another PR

@JorTurFer (Member)

The problem seems related to a missing permission in GITHUB_TOKEN (basically it requires GitHub OIDC)
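
The failing run above and the diagnosis in the last comment fit together: cosign's keyless mode needs an OIDC identity token, and a GitHub Actions job only receives one when the workflow grants `permissions: id-token: write`; without it cosign falls back to the interactive device flow, which nobody can complete in CI, so the 300-second code expires and signing fails with `expired_token`. The following shell helper, written for this page as an added example and not part of KEDA's Makefile or release workflow, checks for that precondition before calling `cosign sign`, so the job fails immediately with the remediation instead of hanging on the device flow. It relies on two facts about GitHub Actions: the runner exports `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` only when the job has the `id-token: write` permission. The function names, the `GIT_HASH`/`GIT_VERSION` defaults and the image reference used in the usage comment are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example (not KEDA's own Makefile): fail fast when the GitHub OIDC
# token is unavailable, instead of letting cosign fall back to the interactive
# device flow that times out in CI with "expired_token".

# GitHub Actions exposes the job's OIDC token only when the job has
# `permissions: id-token: write`; the runner then sets both of these variables.
oidc_available() {
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] && [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]
}

# Returns 0 when keyless signing can proceed. Otherwise prints the remediation
# to stderr and returns 1. Kept separate from the cosign call so it can be
# exercised without cosign installed.
preflight_keyless_signing() {
  if oidc_available; then
    return 0
  fi
  echo "error: GitHub OIDC token is not available to this job." >&2
  echo "       cosign would fall back to the device flow and time out." >&2
  echo "       Grant the job:  permissions: { id-token: write, packages: write }" >&2
  return 1
}

# Sign every image reference given as an argument, keylessly, only after the
# preflight passes. The annotations mirror the ones in the failing log above
# (BUILD_DATE omitted here); GIT_HASH/GIT_VERSION default to "unknown" if unset.
# cosign 1.x (the version in the log) additionally needs COSIGN_EXPERIMENTAL=1
# in the environment for keyless mode.
sign_images() {
  preflight_keyless_signing || return 1
  for img in "$@"; do
    cosign sign \
      -a GIT_HASH="${GIT_HASH:-unknown}" \
      -a GIT_VERSION="${GIT_VERSION:-unknown}" \
      "$img" || return 1
  done
}

# Example invocation for a Makefile target (image reference taken from the log):
#   sign_images ghcr.io/kedacore/keda:main
```

Because `sign_images` calls the preflight first, a workflow that forgot the `id-token: write` permission now fails in under a second with an actionable message rather than after the five-minute device-flow timeout. Note that cosign 2.x also requires `--yes` on `cosign sign` to skip the transparency-log confirmation prompt, which would otherwise block a non-interactive job in the same way.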

3 participants