feat: Add attestation entry point to Docker Images #1476
Conversation
| @@ -0,0 +1,24 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
Rename this file entry_point.sh in order to match the entrypoint.sh file referred in the README.md
|
|
||
| This will: | ||
| 1. **Set up the Docker container** with the required environment variables for attestation. | ||
| 2. **Use `/entrypoint.sh`**: The entry point script checks the attestation and proceeds if verified. |
There was a problem hiding this comment.
Add hyperlink to the entry point file
| - `BUNDLE_PATH="/path/to/your/bundle.jsonl"`: Specifies the local path to the attestation bundle file. | ||
| - `TRUSTED_ROOT_PATH="/path/to/your/trusted_root.jsonl"`: Specifies the local path to the trusted root file for the attestation. | ||
|
|
||
| 2. **Use `/entrypoint.sh`**: The entrypoint of the Docker image is overridden to run the `entrypoint.sh` script, which performs the attestation verification before running the application. |
There was a problem hiding this comment.
Add hyperlink to the entry point file
| /usr/local/bin/blocklist-client | ||
| ``` | ||
|
|
||
| This command will: |
There was a problem hiding this comment.
Considering the section "Enviroment Variables", The description could be simplified in something like this:
The commands above:
1. **Set the environment variables**: `TAG`, `BUNDLE_PATH` and `TRUSTED_ROOT_PATH`
2. ....
By this the message is still the same, but get rid off duplication respect of the "Environment Variables" section
We would like to enforce another small step that automate the process to verify the images source, the idea is to limit the the possibility to run unsigned software. To add to our signer plus the partners |
There was a problem hiding this comment.
Can you also modify the files under https://github.com/stacks-network/sbtc/blob/main/docker/mainnet/docker-compose.yml and the testnet corresponding version?
Description
This PR adds the support to the attestation verification in offline mode and give a suggestion on how to override the Docker entry point for Docker and Docker Compose.
Closes: #1310
Note:
The key material in trusted_root.jsonl does not have a built-in expiration date, so anything signed before you generate the trusted root file will continue to successfully verify. Anything signed after the file is generated will verify until that Sigstore instance rotates its key material, which typically happens a few times per year. You will not know if key material has been revoked since you last generated the trusted root file.
Open questions:
Changes
Testing Information
Checklist: