diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 909624d89..eb4adba19 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -100,20 +100,24 @@ jobs:
 
 - uses: ko-build/setup-ko@v0.6
 with:
- version: v0.14.1
+ version: v0.15.1
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3.2.0
+ with:
+ cosign-release: "v2.2.2"
 
 - name: Prepare
 run: |
 echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
+ echo "REPOS"="quay.io/grafana-operator/grafana-operator" "ghcr.io/${{ github.repository }}" >> $GITHUB_ENV
 
 - name: Build and push
 run: |
- declare -a arr=("quay.io/grafana-operator/grafana-operator" "ghcr.io/${{ github.repository }}" )
-
- for i in "${arr[@]}"
+ for i in ${{ env.REPOS }}
 do
 export KO_DOCKER_REPO=${i}
- ko build --sbom=none --bare --platform linux/arm64,linux/arm/v7,linux/amd64 -t ${{ github.ref_name }} \
+ ko build --sbom=spdx --image-refs ./image-digest-${i%.*} --bare --platform linux/arm64,linux/arm/v7,linux/amd64 -t ${{ github.ref_name }} \
 --image-label org.opencontainers.image.title=grafana-operator \
 --image-label org.opencontainers.image.description="An operator for Grafana that installs and manages Grafana instances & Dashboards & Datasources through Kubernetes/OpenShift CRs" \
 --image-label org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }} \
@@ -121,3 +125,10 @@ jobs:
 --image-label org.opencontainers.image.version=${{ github.ref_name }} \
 --image-label org.opencontainers.image.created=${{ env.BUILD_DATE }}
 done
+
+ - name: Sign Image
+ run: |
+ for i in ${{ env.REPOS }}
+ do
+ cosign sign -d -y $(cat ./image-digest-${i%.*})
+ done
diff --git a/docs/docs/security.md b/docs/docs/security.md
new file mode 100644
index 000000000..27f479896
--- /dev/null
+++ b/docs/docs/security.md
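Review bot: The new `Prepare` line writes the repo list with `echo "REPOS"="quay.io/grafana-operator/grafana-operator" "ghcr.io/${{ github.repository }}" >> $GITHUB_ENV`, which only yields `REPOS=<a> <b>` because the shell happens to join the two arguments with one space; `echo "REPOS=quay.io/grafana-operator/grafana-operator ghcr.io/${{ github.repository }}" >> "$GITHUB_ENV"` states the intent directly. The loop then expands the value at template time with `for i in ${{ env.REPOS }}`; reading it from the environment at runtime, `for i in $REPOS`, keeps the script free of expression substitution, a habit worth keeping in a release workflow even when the value is set by the workflow itself. The file key `./image-digest-${i%.*}` keeps only the text before the last dot of the reference (`quay`, `ghcr`), so two repositories on the same registry, or a repository name containing a dot, would collide or turn into a path with slashes; `./image-digest-${i//\//_}` derives a distinct, filename-safe key from the whole reference. `sigstore/cosign-installer@v3.2.0` (and the existing `ko-build/setup-ko@v0.6`) are tag-pinned; pinning by commit SHA closes the tag-mutation gap in a workflow that now produces signatures. The `ko build` argument list continues past the end of the hunk.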
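Review bot: Keyless signing in the new `Sign Image` step needs the job to hold `id-token: write` (for the OIDC token cosign exchanges with Fulcio) next to the `packages: write` the push already needs; the job's `permissions:` block is outside this hunk, so confirm it grants that, otherwise the step fails at the certificate request. `-d` is not a `cosign sign` option I can place against the pinned v2.2.2 — confirm it against `cosign sign --help`; if the intent is to sign each platform image behind the multi-arch index as well as the index itself, that option is `--recursive`. `$(cat ./image-digest-${i%.*})` is unquoted and, with a missing or empty file, invokes `cosign sign` with no reference so the failure points at argument parsing rather than at the digest file; `ref=$(cat "./image-digest-${i%.*}")`, `test -n "$ref"`, `cosign sign -y "$ref"` on three lines fails where the problem is (the default `bash -e` aborts on the `test`). Signing the digest ko records with `--image-refs` is right; the SPDX SBOM that `--sbom=spdx` now attaches is not covered by that signature, so a follow-up `cosign attest --type spdxjson` with the SBOM as predicate would let consumers verify it too.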
@@ -0,0 +1,45 @@
+---
+title: Security
+weight: 50
+---
+
+## Verification of container images
+
+Grafana-operator container images are signed by cosign using identity-based ("keyless") signing and transparency. Executing the following command can be used to verify the signature of a container image:
+
+To verify the grafana-operator run
+
+Pre-requirement
+
+- cosign v2.0.0 or higher [installation instructions](https://docs.sigstore.dev/system_config/installation/).
+
+```shell
+cosign verify ghcr.io/grafana/grafana-operator@ \
+ --certificate-identity-regexp 'https://github\.com/grafana/grafana-operator/\.github/workflows/.+' \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
+```
+
+For example
+
+```shell
+cosign verify ghcr.io/grafana/grafana-operator@v5.6.1 \
+ --certificate-identity-regexp 'https://github\.com/grafana/grafana-operator/\.github/workflows/.+' \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
+```
+
+## SBOM
+
+As a part of our release cycle we also generate SBOMs.
+You can find them as artifacts in our supported repositories.
+
+To download the sbom you can run
+
+```shell
+cosign download sbom --platform linux/amd64 ghcr.io/ghcr.io/grafama/grafana-operator/grafana-operator:
+```
+
+example:
+
+```shell
+cosign download sbom --platform linux/amd64 ghcr.io/ghcr.io/grafama/grafana-operator/grafana-operator:v5.6.1
+```