
docker:Sign docker images without keys and push to ghcr.io #5818

Open
wants to merge 1 commit into
base: master

Conversation

naveensrinivasan
Contributor

@naveensrinivasan naveensrinivasan commented Oct 2, 2021

Sign docker images without keys and push to ghcr.io

Sign docker containers without using keys. This uses GitHub as an OIDC provider and signs the image: https://github.com/sigstore/cosign/blob/main/KEYLESS.md. When there aren't keys like

```
password: ${{ secrets.DOCKER_API_KEY }}
```

then it is not likely to be compromised. Though that one in the code is used for pushing it into the registry.

This solves #5728

Docker Image validated

These images are signed, which means they can be validated. This can potentially replace verify-install #5780

Here is the validation of the signature.

```
COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/naveensrinivasan/lnd
No TUF root installed, using embedded CA certificate.
No TUF root installed, using embedded rekor key

Verification for ghcr.io/naveensrinivasan/lnd:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
[
   {
      "critical":{
         "identity":{
            "docker-reference":"ghcr.io/naveensrinivasan/lnd"
         },
         "image":{
            "docker-manifest-digest":"sha256:fcc31d459fddc0986570ae51236c7532693fa32006ad704751499a90ca9ca743"
         },
         "type":"cosign container image signature"
      },
      "optional":{
         "Bundle":{
            "SignedEntryTimestamp":"MEQCIDzQLsa9UcMxqnuVxm+eX6/URZvjqcOLyITik3vIsl13AiA3aj8MflSiCVHerFUGViXGqs9tiNEneox/qihtKun8qg==",
            "Payload":{
               "body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJzcGVjIjp7ImRhdGEiOnsiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjU0YzFkNGViMTBkODMyNDUzYmY3YTE0MjkzZTgxNTMwYjlmM2Q2M2UzYzI0NTYzNjVjNTQ5YWU2YzdkOWIyYzkifX0sInNpZ25hdHVyZSI6eyJjb250ZW50IjoiTUVVQ0lGQkYycG50bkpGRFc4NHVjSDhtbEtCRXVrYTNRNm5nVWhOV0VqQUhMT1pZQWlFQThOc2FzL2JjWTBDZHl3NDhXZGllcWZ1VXBZbFF1ZXNNeTRjRkpqdlRxeUE9IiwiZm9ybWF0IjoieDUwOSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjNha05EUVd0bFowRjNTVUpCWjBsVlFVcExXVUZhVGtVdk1rbFlRMUJLZEVVM2RVMDJObEpRZUhSSmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1MycEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWtWM1JIZFpSRlpSVVVSRmQyaDZZVmRrZW1SSE9YbGFWRUZsUm5jd2VRcE5WRVYzVFVSSmQwMVVTWGhPVkU1aFJuY3dlVTFVUlhkTlJFbDNUVlJSZUU1VVNtRk5RVUYzVjFSQlZFSm5ZM0ZvYTJwUFVGRkpRa0puWjNGb2EycFBDbEJSVFVKQ2QwNURRVUZSVlZaNGVFWjFhWFpJV1VOeEx6Sm1kR1ZNZGt0VGJVaDBPRWszZVhKbWRrMXpUamhqYUd4d2NFaHpPV3hrWVhOR1pIRXhXallLVEVsb1prRkdlWEZvYUVwbFlrczBXR3AxVURSclRHcFZhVzFzVW5KMFVtZHZORWxDWTNwRFEwRlhPSGRFWjFsRVZsSXdVRUZSU0M5Q1FWRkVRV2RsUVFwTlFrMUhRVEZWWkVwUlVVMU5RVzlIUTBOelIwRlJWVVpDZDAxRVRVRjNSMEV4VldSRmQwVkNMM2RSUTAxQlFYZElVVmxFVmxJd1QwSkNXVVZHVFdGcUNtSlBVMjEyY21SalFUUm5jRGQ1Uldod2VUSjZSbGN5VGsxQ09FZEJNVlZrU1hkUldVMUNZVUZHVFdwR1NGRkNRbTFwVVhCTmJFVnJObmN5ZFZOMU1Vc0tRblJRYzAxSlIwNUNaMmR5UW1kRlJrSlJZMEpCVVZOQ1owUkNLMDFJZDBkRFEzTkhRVkZWUmtKNlFVTm9ia0p2WkVoU2QwOXBPSFpqU0Vwd1pHMUdNQXBhVjA1b1RGZE9kbUp1VW14aWJsRjBUbXBCZWxwdFZUTmFWR04wVFVSQmQwMURNSGxOYWtrelRGZEtiVTU2VlhSYWFsSnRUbGRWTkUxSFVYbFBWRlV3Q2t4dVRqQmlNMHBvV2pKVmRWb3lPWFphTW5oc1dWaENjR041TldwaU1qQjJXVEpGZWs1dFJYaGFWR3N5VFdwUmVWbHFiRzFaTWtsNFRrUlpkbGt5UlhVS1dUTktNRTFIYjBkQk1WVmtSVkZGUWk5M1VtZE5SalpIV0Vkb01HUklRbnBQYVRoMldqSnNNR0ZJVm1sTWJVNTJZbE01ZFZsWVdteGFWelY2WTIxc2RRcGhXRnBvWXpKR2RVd3llSFZhUXpoMVdqSnNNR0ZJVm1sTU0yUjJZMjEwYldKSE9UTmplVGxyWWpKT2NscFlTWFJqTW14dVltazFOV0pYZUVGamJWWnRDbU41T1hka1YzaHpUSHBGTkV3eU1XeGpiV1JzVFVGdlIwTkRjVWRUVFRRNVFrRk5SRUV5YTBGTlIxbERUVkZEUm1KSVVqVlpTQ3RoUVdFcmIyNDBhVFFLTWtFNFNGVnJURU5aVW1KRVJFRllRVkJqVEU5QldYTkRhVWRpUlU4d1RETTBPVkk0WVVOdWNVTndUVTkyZEUxRFRWRkVPR1V4YWtSdmNFTnRSWGN5VmdvM2JFTlViWGRNTDJwMlJGQjBTemxsZHpOb1dHdEVOVEF3VERsU1dGUnpXRTlyUmtwVFVVeEVaRGxNVW1sVk5VdERkVms5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fSwia2luZCI6InJla29yZCJ9",
               "integratedTime":1633137714,
               "logIndex":729517,
               "logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
            }
         },
         "Subject":"https://github.com/naveensrinivasan/lnd/.github/workflows/docker-sign.yml@refs/pull/18/merge"
      }
   }
]
```

What is cosign and Sigstore?

https://www.sigstore.dev

Sigstore trusts

https://github.com/sigstore/root-signing

How it works

https://www.sigstore.dev/how-it-works

Can I run my own transparency log?

Yes, https://github.com/sigstore/rekor
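A caveat on the verification shown in the PR description: a keyless `cosign verify` that only checks the Fulcio roots accepts a signature from any identity Fulcio has issued a certificate to, and the `Subject` in the quoted output is a `refs/pull/18/merge` run, i.e. the signature came from a pull-request build of the workflow. Current cosign refuses keyless verification unless `--certificate-identity` (or `--certificate-identity-regexp`) and `--certificate-oidc-issuer` are supplied; the same pinning can be enforced again on the JSON that `cosign verify` prints, together with the manifest digest the deployment is about to pull. The Go program below is an added example for this page, not code from the PR, from lnd or from cosign. It assumes the repository, workflow file and digest that appear in the quoted output, a hypothetical `releasePolicy` that trusts only master and version-tag builds, and constructed sample input (the PR-merge entry from the page with its Bundle dropped, plus a made-up second entry from a master build carrying the `Issuer` field that current cosign emits):

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// cosignSignature mirrors one element of the JSON array that `cosign verify`
// prints (same layout as the output quoted in the PR); unused fields omitted.
type cosignSignature struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional struct {
		Subject string `json:"Subject"` // SAN of the Fulcio cert: signing workflow and ref
		Issuer  string `json:"Issuer"`  // OIDC issuer; current cosign prints it, the PR's 2021 output predates that
	} `json:"optional"`
}

// signingPolicy is what the deploying side decides to trust.
type signingPolicy struct {
	Image          string         // image reference that is about to be run
	ExpectedDigest string         // manifest digest resolved from the registry for that reference
	Issuer         string         // OIDC issuer required in the certificate
	AllowedSubject *regexp.Regexp // allowed workflow identities (repo, workflow file, ref)
}

const githubActionsIssuer = "https://token.actions.githubusercontent.com"

// releasePolicy (hypothetical) trusts only the docker-sign.yml workflow of
// naveensrinivasan/lnd (the repo and workflow named in the PR's output) when it
// runs on master or a version tag. refs/pull/<n>/merge is deliberately excluded:
// anyone who can open a pull request can make that workflow run. The digest is
// the one from the PR's output; a deployment takes it from the manifest it resolved.
func releasePolicy() signingPolicy {
	return signingPolicy{
		Image:          "ghcr.io/naveensrinivasan/lnd",
		ExpectedDigest: "sha256:fcc31d459fddc0986570ae51236c7532693fa32006ad704751499a90ca9ca743",
		Issuer:         githubActionsIssuer,
		AllowedSubject: regexp.MustCompile(`^https://github\.com/naveensrinivasan/lnd/` +
			`\.github/workflows/docker-sign\.yml@refs/(heads/master|tags/v[0-9]+\.[0-9]+\.[0-9]+[-a-z0-9.]*)$`),
	}
}

// checkVerification applies pol to raw `cosign verify` JSON and returns the digest
// of the first signature that satisfies it, or an error listing why each one failed.
func checkVerification(raw []byte, pol signingPolicy) (string, error) {
	var sigs []cosignSignature
	if err := json.Unmarshal(raw, &sigs); err != nil {
		return "", fmt.Errorf("cosign output is not a JSON array: %w", err)
	}
	if len(sigs) == 0 {
		return "", errors.New("no signatures in cosign output")
	}
	var reasons []string
	for i, s := range sigs {
		var why string
		switch {
		case s.Critical.Type != "cosign container image signature":
			why = fmt.Sprintf("unexpected type %q", s.Critical.Type)
		case s.Critical.Identity.DockerReference != pol.Image:
			why = fmt.Sprintf("signed for %q, not %q", s.Critical.Identity.DockerReference, pol.Image)
		case s.Critical.Image.DockerManifestDigest != pol.ExpectedDigest:
			why = fmt.Sprintf("digest %s is not the expected %s", s.Critical.Image.DockerManifestDigest, pol.ExpectedDigest)
		case !pol.AllowedSubject.MatchString(s.Optional.Subject):
			why = fmt.Sprintf("identity %q is not allowed", s.Optional.Subject)
		case s.Optional.Issuer != pol.Issuer:
			why = fmt.Sprintf("issuer %q, want %q", s.Optional.Issuer, pol.Issuer)
		default:
			return s.Critical.Image.DockerManifestDigest, nil
		}
		reasons = append(reasons, fmt.Sprintf("signature %d: %s", i, why))
	}
	return "", errors.New(strings.Join(reasons, "; "))
}

// Constructed sample input: prMergeSignature is the PR's quoted entry with its
// Bundle dropped; masterSignature is a made-up entry from a master build.
const prMergeSignature = `{"critical":{"identity":{"docker-reference":"ghcr.io/naveensrinivasan/lnd"},"image":{"docker-manifest-digest":"sha256:fcc31d459fddc0986570ae51236c7532693fa32006ad704751499a90ca9ca743"},"type":"cosign container image signature"},
"optional":{"Subject":"https://github.com/naveensrinivasan/lnd/.github/workflows/docker-sign.yml@refs/pull/18/merge"}}`

const masterSignature = `{"critical":{"identity":{"docker-reference":"ghcr.io/naveensrinivasan/lnd"},"image":{"docker-manifest-digest":"sha256:fcc31d459fddc0986570ae51236c7532693fa32006ad704751499a90ca9ca743"},"type":"cosign container image signature"},
"optional":{"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/naveensrinivasan/lnd/.github/workflows/docker-sign.yml@refs/heads/master"}}`

const sampleCosignOutput = "[" + prMergeSignature + "," + masterSignature + "]"

func main() {
	digest, err := checkVerification([]byte(sampleCosignOutput), releasePolicy())
	fmt.Println(digest, err) // the PR-merge entry is rejected, the master entry accepted
}
```

In a pipeline the JSON would be read from the output of `cosign verify --certificate-identity-regexp ... --certificate-oidc-issuer ... <image>@<digest>` rather than from the embedded sample, and the digest returned is the one to pass to the container runtime, so that what was verified is exactly what runs. The checks are ordered so that the PR-merge entry fails on its identity before the missing `Issuer` is reached, which keeps the rejection message pointing at the actual policy violation.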

@naveensrinivasan
Contributor Author

Here is the docker image from my push https://github.com/naveensrinivasan/lnd/pkgs/container/lnd

Sign docker images without keys
@naveensrinivasan naveensrinivasan force-pushed the naveen/feat/keyless-signing branch from dcf8ab6 to 962b4ed on October 2, 2021 03:52
@naveensrinivasan
Contributor Author

Not including the release notes as this one is not yet decided.

@naveensrinivasan naveensrinivasan marked this pull request as ready for review October 2, 2021 15:16
@naveensrinivasan naveensrinivasan changed the title docker:sign docker images without keys docker:Sign docker images without keys and push to ghcr.io Oct 2, 2021
@naveensrinivasan
Contributor Author

@guggero Friendly Ping.

@guggero
Collaborator

guggero commented Dec 21, 2021

Thanks for the PR. I took a quick look at the keyless signing with cosign. From what I understand this doesn't really improve the security of the generated images.
Sure, it proves that the images were built by GitHub and not modified after the build. But the verification we are looking for is that the build is legitimate (more than one team member signed off on it, a single bad actor cannot arrive at more than one signature of the required 5) and reproducible (everyone can arrive at the same digest of the binaries on their own machine).

If instead we could all build the images locally, sign the digest and upload that signature to GitHub in a way that cosign could verify them, that would be great. But I'm not sure that's currently possible? Also we'd want to re-use our RSA keys for signing the images.

Perhaps for now we can just add an action to .github/workflows/docker.yml that additionally uploads the generated images to ghcr.io.

@naveensrinivasan
Contributor Author

https://twitter.com/kelseyhightower/status/1502112834120937477

Also, some interesting things are coming out of SLSA with build provenance: https://github.com/slsa-framework/slsa and https://github.com/gossts/slsa-provenance. There will soon be a blog post on this, along with a white paper on generating build provenance and signing within the GitHub workflow.

@ellemouton ellemouton closed this Jul 28, 2023
@Roasbeef
Member

Roasbeef commented Aug 1, 2023

Realized after grokking the btcd version of this PR that it's actually pretty useful.

@Roasbeef Roasbeef reopened this Aug 1, 2023
@lightninglabs-deploy

@naveensrinivasan, remember to re-request review from reviewers when ready

@lightninglabs-deploy

Closing due to inactivity

@guggero
Collaborator

guggero commented Jan 29, 2024

!lightninglabs-deploy mute


6 participants