
verify updater container image signatures using cosign #315

Open
wants to merge 1 commit into main from jamiemagee/verify-cosign

Conversation

JamieMagee
Contributor

Now that the updater container images are signed as part of dependabot/dependabot-core#9546, we need to verify those signatures when using those container images.

This change allows us to verify that the container images we pull were built by a GitHub Actions workflow in the main branch of https://github.com/dependabot/dependabot-core.

The code is equivalent to running:

$ cosign verify \
  ghcr.io/dependabot/dependabot-updater-<ecosystem>:latest \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/dependabot/dependabot-core/.github/workflows/images-latest.yml@refs/heads/main

TODO:

  • See if it's possible to decrease the number of dependencies this change adds

Related to #308
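An added example, not code from this PR or from the dependabot/cli project: the issuer and identity policy from the command above, applied to the JSON that `cosign verify -o json` prints, so a caller can reject a signature made by another workflow or ref (for instance one signed from a release tag rather than `refs/heads/main`) and then run the image by the verified digest instead of the mutable `:latest` tag it verified. The image repository, digest and sample output are constructed.

```python
import json
import re

# Policy from the PR description: the image must have been signed by the
# images-latest.yml workflow running on the main branch of dependabot-core.
GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"
DEPENDABOT_IDENTITY = (
    "https://github.com/dependabot/dependabot-core"
    "/.github/workflows/images-latest.yml@refs/heads/main"
)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def check_cosign_output(raw, repo, identity=DEPENDABOT_IDENTITY,
                        issuer=GITHUB_ACTIONS_ISSUER):
    """Apply the issuer/identity policy to `cosign verify -o json` output.

    `repo` is the repository without a tag (cosign's signed payload records
    the repository, not the tag). Returns the manifest digest on success so
    the caller can pull by digest; raises ValueError on any policy failure.
    """
    sigs = json.loads(raw)
    if not sigs:
        raise ValueError("no signatures in cosign output")
    digests = set()
    for sig in sigs:
        critical = sig["critical"]
        optional = sig.get("optional") or {}
        if critical.get("type") != "cosign container image signature":
            raise ValueError("unexpected payload type")
        if critical["identity"]["docker-reference"] != repo:
            raise ValueError("signature is for a different repository")
        if optional.get("Issuer") != issuer:
            raise ValueError(f"unexpected OIDC issuer {optional.get('Issuer')!r}")
        if optional.get("Subject") != identity:
            raise ValueError(f"unexpected signing identity {optional.get('Subject')!r}")
        digest = critical["image"]["docker-manifest-digest"]
        if not DIGEST_RE.match(digest):
            raise ValueError("malformed manifest digest")
        digests.add(digest)
    if len(digests) != 1:
        raise ValueError("signatures do not agree on one digest")
    return digests.pop()


# Constructed sample of `cosign verify -o json` output; the digest is a placeholder.
SAMPLE_OUTPUT = json.dumps([{
    "critical": {"identity": {"docker-reference": "ghcr.io/dependabot/dependabot-updater-npm"},
                 "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
                 "type": "cosign container image signature"},
    "optional": {"Issuer": GITHUB_ACTIONS_ISSUER, "Subject": DEPENDABOT_IDENTITY},
}])
```

The returned digest is what the CLI should hand to the container runtime, so the image that runs is the one whose signature was checked.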

@JamieMagee JamieMagee requested a review from a team as a code owner April 30, 2024 18:17
@JamieMagee JamieMagee requested a review from jakecoffman April 30, 2024 18:17
@JamieMagee
Contributor Author

OpenTelemetry containers are also signed with cosign:

$ cosign verify \
  docker.io/otel/opentelemetry-collector-contrib:latest \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/open-telemetry/opentelemetry-collector-releases/.github/workflows/base-release.yaml@refs/tags/v0.99.0

Verification for index.docker.io/otel/opentelemetry-collector-contrib:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
...

@dmitris

dmitris commented Feb 12, 2025

@JamieMagee - could you rebase & resolve the conflicts, please? I would hope to see this completed and merged - verifying the sigstore signatures is a great idea! 💯

@JamieMagee JamieMagee force-pushed the jamiemagee/verify-cosign branch from 919e74b to 8ce539f February 12, 2025 22:15
@JamieMagee
Contributor Author

@dmitris done and done. I updated to v2 of cosign and added signature verification of the default OpenTelemetry container as well. Once the proxy container is signed this can be easily added as well.

@JamieMagee JamieMagee force-pushed the jamiemagee/verify-cosign branch 2 times, most recently from c79ec7f to 60e4d41 February 12, 2025 23:02
@JamieMagee JamieMagee force-pushed the jamiemagee/verify-cosign branch from 60e4d41 to 13ac0ad February 12, 2025 23:05