
Sign Containers #5

Closed
irongut opened this issue Jan 31, 2022 · 3 comments
Assignees
Labels
DevOps enhancement New feature or request

Comments

Owner

irongut commented Jan 31, 2022

Feature Request

GitHub recently added container signing to GitHub Actions, add the signing steps to the release workflow.

Additional Context

Safeguard your containers with new container signing capability in GitHub Actions
SigStore
Sample Workflow

Linked To

@irongut irongut added enhancement New feature or request DevOps labels Jan 31, 2022
@irongut irongut self-assigned this Jan 31, 2022

github-actions bot commented May 2, 2022

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 30 days.

Owner Author

irongut commented Jul 7, 2022

Cosign fails to sign the release:

Run cosign sign ghcr.io/irongut/editrelease:v1.2.0
Generating ephemeral keys...
Retrieving signed certificate...
        Note that there may be personally identifiable information associated with this signed artifact.
        This may include the email address associated with the account with which you authenticate.
        This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.
Successfully verified SCT...
tlog entry created with index: 2876421
Pushing signature to: ghcr.io/irongut/editrelease
/home/runner/work/_temp/785f9673-daf7-4da5-b572-15d3eef1f326.sh: line 2: ghcr.io/irongut/editrelease:latest@sha256:37ae60e4115c31bccdbb9ee7e8e1bb32384c1c77657b1f0e51bb4997d4c4ec3e: No such file or directory
Error: Process completed with exit code 127.

Problem appears to be multiple tags, see: actions/starter-workflows#1620

Workaround: actions/starter-workflows#1622

@irongut irongut closed this as completed Jul 7, 2022
Owner Author

irongut commented Jul 8, 2022

How to Verify Signature

  1. Install sigstore/cosign.
  2. Run: COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/irongut/editrelease:v1.2.0 (Linux)

$ COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/irongut/editrelease:v1.2.0

Verification for ghcr.io/irongut/editrelease:v1.2.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
[
    {
        "critical": {
            "identity": {
                "docker-reference": "ghcr.io/irongut/editrelease"
            },
            "image": {
                "docker-manifest-digest": "sha256:a68ecd1ac7ba32ca07bc03b069f250200cf9e532e9496872aa4a3cb1d82bb167"
            },
            "type": "cosign container image signature"
        },
        "optional": {
            "Bundle": {
                "SignedEntryTimestamp": "MEUCIHBJohar/9eLpPN1KoVdlwaFGp1GxDQPLWM7njiMjM/0AiEAoeLToERfpodMhlQnkJp9MblZ3Ys2vgQ8yQbia1owWF0=",
                "Payload": {
                    "body": "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",
                    "integratedTime": 1657234760,
                    "logIndex": 2876511,
                    "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
                }
            },
            "Issuer": "https://token.actions.githubusercontent.com",
            "Subject": "https://github.com/irongut/EditRelease/.github/workflows/release-build.yml@refs/tags/v1.2.0"
        }
    },
    {
        "critical": {
            "identity": {
                "docker-reference": "ghcr.io/irongut/editrelease"
            },
            "image": {
                "docker-manifest-digest": "sha256:a68ecd1ac7ba32ca07bc03b069f250200cf9e532e9496872aa4a3cb1d82bb167"
            },
            "type": "cosign container image signature"
        },
        "optional": {
            "Bundle": {
                "SignedEntryTimestamp": "MEYCIQCSBs+GxYXzQpglAQ7Xvm6u3ZwwESImnSHFzonxA1aPnwIhAMEVHT4O+9DHuUfNmYQnBa1k6CBvEHrh1jU5yFTQBayc",
                "Payload": {
                    "body": "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",
                    "integratedTime": 1657234763,
                    "logIndex": 2876512,
                    "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
                }
            },
            "Issuer": "https://token.actions.githubusercontent.com",
            "Subject": "https://github.com/irongut/EditRelease/.github/workflows/release-build.yml@refs/tags/v1.2.0"
        }
    }
]

The docker-manifest-digest values should match the sha256 hash published on the packages page.

@irongut irongut pinned this issue Jul 8, 2022
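The comparison described in the verification steps above can be automated. The checker below is an added example, not code from the issue or the EditRelease project: it parses the JSON that cosign verify prints and pins the docker-reference, the manifest digest from the packages page, the OIDC Issuer and the workflow Subject, so a signature made by some other GitHub workflow is rejected even though its certificate also chains to Fulcio. The sample JSON is constructed from the output quoted above, with the Rekor bundle omitted; the expected values are taken from the issue.

```python
import json

# Constructed sample, modelled on the cosign verify output quoted in the issue
# (one signature, Bundle omitted for brevity).
SAMPLE_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/irongut/editrelease"},
        "image": {"docker-manifest-digest":
                  "sha256:a68ecd1ac7ba32ca07bc03b069f250200cf9e532e9496872aa4a3cb1d82bb167"},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": "https://token.actions.githubusercontent.com",
        "Subject": "https://github.com/irongut/EditRelease/.github/workflows/"
                   "release-build.yml@refs/tags/v1.2.0",
    },
}])

# Values a verifier pins in advance; the digest is what the packages page publishes.
EXPECTED_REF = "ghcr.io/irongut/editrelease"
EXPECTED_DIGEST = "sha256:a68ecd1ac7ba32ca07bc03b069f250200cf9e532e9496872aa4a3cb1d82bb167"
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
# Any release tag of this one workflow is acceptable; a different repo or workflow is not.
EXPECTED_SUBJECT_PREFIX = ("https://github.com/irongut/EditRelease/.github/workflows/"
                           "release-build.yml@refs/tags/")


def check_signatures(output, ref=EXPECTED_REF, digest=EXPECTED_DIGEST,
                     issuer=EXPECTED_ISSUER, subject_prefix=EXPECTED_SUBJECT_PREFIX):
    """Return a list of problems found in cosign verify JSON; [] means all signatures pass."""
    sigs = json.loads(output)
    if not sigs:
        return ["no signatures in output"]
    problems = []
    for i, sig in enumerate(sigs):
        crit = sig.get("critical", {})
        opt = sig.get("optional", {})
        got_ref = crit.get("identity", {}).get("docker-reference")
        got_digest = crit.get("image", {}).get("docker-manifest-digest")
        if got_ref != ref:
            problems.append(f"sig {i}: docker-reference {got_ref!r} != {ref!r}")
        if got_digest != digest:
            problems.append(f"sig {i}: manifest digest {got_digest!r} does not match packages page")
        if opt.get("Issuer") != issuer:
            problems.append(f"sig {i}: unexpected Issuer {opt.get('Issuer')!r}")
        if not str(opt.get("Subject", "")).startswith(subject_prefix):
            problems.append(f"sig {i}: Subject {opt.get('Subject')!r} is not the release workflow")
    return problems
```

Run cosign verify with its output captured and pass the JSON to check_signatures; a non-empty list means the image should not be deployed.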