
Add support to validate image with cosign in the warehouse #2859

Open
1 task done
tal-hason opened this issue Oct 27, 2024 · 5 comments

Comments

@tal-hason
Contributor

Checklist

  • I've searched the issue queue to verify this is not a duplicate feature request.

Proposed Feature

When the warehouse scans for images, if "validate signature" is set to true in the configuration and a cosign public key is added, the warehouse will validate the image signature and pass it to the freight. If an image does not pass the signature validation, the image is then marked as not safe.

Motivation

Add a secure layer of image verification before adding images to freight, which will enhance security and artifact credibility.

Suggested Implementation

In the warehouse, add the flag to check the image signature, and add the option to add the cosign public key.

@krancour
Member

This is a good idea, but one technical barrier may be that discovering images is already something that is really heavy on API calls to the registries. Rate limiting ends up being a huge problem and this would make it worse. I'm not opposed to this, but it might be better to leave this to something like OPA or Kyverno.

@hiddeco
Contributor

hiddeco commented Oct 27, 2024

The lighter alternative could be to allow verification during Promotion.

@tal-hason
Contributor Author

tal-hason commented Oct 27, 2024

At the end, the API just gets the new image from the registry.

And if cosign is enabled, then cosign just gets the signature of the image from the registry; it's not API dependent, it uses the OCI protocol to validate the metadata.

So API-wise, it won't be extra work...

@krancour
Member

The lighter alternative could be to allow verification during Promotion.

I like the idea of doing it as a step that fails if an image is untrusted.

Another big motivating factor for that is cosign isn't the only game in town when it comes to image trust. Off the top of my head, there's also Docker Content Trust and Notary.

Custom/third-party steps will be enabled sometime around v1.3.0 and that extension point could be used to enable an image trust solution of the user's choosing.

@Chewie

Chewie commented Oct 29, 2024

Another use of image signing that could be envisioned is to not only use it for provenance, but to exploit additional predicates to mark the end of previous steps. For example, running successful e2e tests would add a predicate to the attestation, and the promotion would be triggered by the presence of this predicate.
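The two checks discussed in this thread, the warehouse-side (or promotion-step) signature check from the original proposal and the "promote only when an attestation carries the expected predicate" gate from the comment above, as one added example. This is illustrative code written for this thread, not code from the issue author or from the project; it uses only the Go standard library and models the formats cosign uses (ECDSA P-256/SHA-256 over the simple-signing payload for a `--key` signature, and a DSSE envelope around an in-toto statement for an attestation) rather than calling cosign or the sigstore libraries, which fetch these artifacts from the registry. The function names (`VerifyImageSignature`, `PromotionGate`, `Demo`), the image name `registry.example/app`, the digests and the predicate type `https://example.com/e2e-result/v1` are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// sign/verify: ECDSA P-256 over SHA-256 with an ASN.1 DER, base64-encoded signature, as a cosign `--key` key pair produces.
func sign(priv *ecdsa.PrivateKey, msg []byte) string {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil { panic(err) }
	return base64.StdEncoding.EncodeToString(sig)
}
func verify(pub *ecdsa.PublicKey, msg []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	h := sha256.Sum256(msg)
	return err == nil && ecdsa.VerifyASN1(pub, h[:], sig)
}

// VerifyImageSignature checks a cosign simple-signing payload: the signature must verify with the configured
// key, and the digest inside the signed payload must equal the digest the warehouse discovered for this image.
func VerifyImageSignature(pub *ecdsa.PublicKey, payload []byte, sigB64, discoveredDigest string) error {
	if !verify(pub, payload, sigB64) {
		return fmt.Errorf("image signature does not verify with the configured key")
	}
	var p struct {
		Critical struct {
			Image struct{ Digest string `json:"docker-manifest-digest"` } `json:"image"`
		} `json:"critical"`
	}
	if err := json.Unmarshal(payload, &p); err != nil {
		return err
	}
	if p.Critical.Image.Digest != discoveredDigest {
		return fmt.Errorf("signature is for %s, not discovered image %s", p.Critical.Image.Digest, discoveredDigest)
	}
	return nil
}

// pae is the DSSE pre-authentication encoding; the DSSE signature covers this, not the raw payload.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// PromotionGate verifies a DSSE-wrapped in-toto statement and admits the image only if the statement names
// this digest, carries the expected predicate type and records a passing result (the e2e gate described above).
func PromotionGate(pub *ecdsa.PublicKey, envelope []byte, imageDigest, wantType string) error {
	var env struct {
		PayloadType string                              `json:"payloadType"`
		Payload     string                              `json:"payload"`
		Signatures  []struct{ Sig string `json:"sig"` } `json:"signatures"`
	}
	if err := json.Unmarshal(envelope, &env); err != nil {
		return err
	}
	stmtBytes, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != "application/vnd.in-toto+json" || len(env.Signatures) == 0 || !verify(pub, pae(env.PayloadType, stmtBytes), env.Signatures[0].Sig) {
		return fmt.Errorf("attestation envelope does not verify")
	}
	var stmt struct {
		Subject       []struct{ Digest map[string]string `json:"digest"` } `json:"subject"`
		PredicateType string                                              `json:"predicateType"`
		Predicate     struct{ Result string `json:"result"` }              `json:"predicate"`
	}
	if err := json.Unmarshal(stmtBytes, &stmt); err != nil {
		return err
	}
	if stmt.PredicateType != wantType {
		return fmt.Errorf("attestation carries predicate %q, want %q", stmt.PredicateType, wantType)
	}
	for _, s := range stmt.Subject {
		if "sha256:"+s.Digest["sha256"] == imageDigest && stmt.Predicate.Result == "pass" {
			return nil
		}
	}
	return fmt.Errorf("no passing predicate for this image digest")
}

// Demo signs a constructed image payload and e2e attestation in memory (no registry) and reports whether the genuine case is admitted and two tampered cases are rejected.
func Demo() (admitted, wrongDigestRejected, wrongPredicateRejected bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the configured cosign key pair
	const digest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" // constructed digest
	payload := []byte(`{"critical":{"identity":{"docker-reference":"registry.example/app"},"image":{"docker-manifest-digest":"` + digest + `"},"type":"cosign container image signature"},"optional":null}`)
	stmt := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"registry.example/app","digest":{"sha256":"` + digest[7:] + `"}}],"predicateType":"https://example.com/e2e-result/v1","predicate":{"result":"pass"}}`)
	env, _ := json.Marshal(map[string]any{"payloadType": "application/vnd.in-toto+json", "payload": base64.StdEncoding.EncodeToString(stmt),
		"signatures": []map[string]string{{"sig": sign(priv, pae("application/vnd.in-toto+json", stmt))}}})
	sig := sign(priv, payload)
	admitted = VerifyImageSignature(&priv.PublicKey, payload, sig, digest) == nil && PromotionGate(&priv.PublicKey, env, digest, "https://example.com/e2e-result/v1") == nil
	wrongDigestRejected = VerifyImageSignature(&priv.PublicKey, payload, sig, "sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff") != nil
	wrongPredicateRejected = PromotionGate(&priv.PublicKey, env, digest, "https://example.com/build-only/v1") != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The digest binding is the part that matters in both checks: a signature or attestation that verifies under the configured key but names a different digest must not admit the image under consideration, which is why both functions take the digest the warehouse actually discovered as a separate input rather than trusting the one inside the signed document.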

4 participants