
chore: sign container images on quay and signed releases #9837

Merged 3 commits on Nov 19, 2022

Conversation

@34fathombelow 34fathombelow (Member) commented Oct 16, 2022

Signed releases #9769
This PR implements container images to be signed using sigstore/cosign. It also consolidates the checksums of the CLI binaries into a single file, then signs it.

Three GitHub secrets will need to be created before this PR is merged. The process to do this is listed below.

TLDR: https://docs.sigstore.dev/cosign/git_support

  1. Install Cosign on your workstation. Linux, Homebrew, and container options are available. Execute the command cosign --version to verify it has been installed correctly.
  2. Create or have a valid GitHub PAT token available.
  3. Export your PAT as the environment variable "GITHUB_TOKEN".
  4. Execute cosign generate-key-pair github://argoproj/argo-workflows. This will start the process of creating the GitHub secrets automatically for you and prompt you to enter a password. This password will be stored as the GitHub secret COSIGN_PASSWORD. I would recommend using a well-respected password generator such as KeePassXC or Bitwarden, with a paranoid length of at least 32 characters.
  5. Three GitHub secrets should have been created; please verify: COSIGN_PASSWORD, COSIGN_PRIVATE_KEY & COSIGN_PUBLIC_KEY.
  6. Please comment on this PR with the newly created public key (cosign.pub).

@34fathombelow 34fathombelow marked this pull request as draft October 16, 2022 09:12
@34fathombelow 34fathombelow marked this pull request as ready for review October 16, 2022 09:12
@alexec alexec removed their assignment Oct 18, 2022
@@ -388,8 +443,9 @@ jobs:
body_path: release-notes
files: |
dist/argo-*.gz
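Review bot: with only `dist/argo-*.gz` visible under `files:` in this hunk, check that the consolidated `argo-workflows-cli-checksums.txt` and its cosign signature are also listed among the uploaded release assets, as the author's comment below says that file replaces the per-binary checksum; without both in the release, users have no signed checksums to verify the CLI binaries against.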
Contributor

Don’t we want to keep this file?

Member Author

With the changes in the Makefile we now calculate all the checksums into one file argo-workflows-cli-checksums.txt. Looks like I made a typo on the line below this one.

I'm going to edit this PR today and also sign argo-workflows-cli-checksums.txt. This would essentially sign all the CLI binaries, so we no longer need this file. It's more compact and visually appealing.

Feel free to check one of the more recent releases from Argo CD to get a better visual representation of how this looks.
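Consumer-side verification of a release produced the way the PR description (signed container images, signed consolidated checksums file) and the comment above (one argo-workflows-cli-checksums.txt covering all CLI binaries) describe, as an added example that is not part of this PR or the argo-workflows repository. It assumes the file names argo-workflows-cli-checksums.txt and argo-workflows-cli-checksums.txt.sig, a public key file cosign.pub, that the checksums file was signed with cosign sign-blob, and a placeholder quay.io image reference; the demo at the end constructs its own sample binaries and checksums file offline and then tampers with one binary to show the check rejecting it.

```shell
#!/bin/sh
# Added example, not code from this PR: verify a release whose CLI checksums are
# consolidated into one cosign-signed file. Assumed names (not from the PR diff):
# argo-workflows-cli-checksums.txt, its signature argo-workflows-cli-checksums.txt.sig,
# public key cosign.pub, and a placeholder image reference quay.io/argoproj/IMAGE:TAG.
set -eu

# Hex SHA-256 of one file; falls back to shasum where coreutils is absent.
sha256_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Check every "<hex>  <name>" line of a consolidated checksums file against the
# files in $2. Returns 0 only when every listed file exists and its hash matches,
# so one missing or altered binary fails the whole release.
verify_checksums() {
  local checksums="$1" dir="$2" status=0 expected name actual
  while read -r expected name; do
    [ -z "$expected" ] && continue
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name" >&2; status=1; continue
    fi
    actual=$(sha256_file "$dir/$name")
    if [ "$actual" = "$expected" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name" >&2; status=1
    fi
  done < "$checksums"
  return "$status"
}

# Full chain for a downloaded release: check the cosign signature over the checksums
# file first, so a modified checksums file is rejected before any hash in it is
# trusted, then the hashes themselves. Needs cosign and the maintainers' public key;
# assumes the blob was signed with `cosign sign-blob --key cosign.key`.
verify_release() {
  local dir="$1" pub="$2" sums
  sums="$dir/argo-workflows-cli-checksums.txt"
  cosign verify-blob --key "$pub" --signature "$sums.sig" "$sums" || return 1
  verify_checksums "$sums" "$dir"
}

# Container image: cosign fetches the signature stored next to the image in the
# registry. The image reference is a placeholder; substitute the real name and tag.
verify_image() {
  cosign verify --key "$1" "${2:-quay.io/argoproj/IMAGE:TAG}"
}

# Offline demo with constructed sample data: two fake binaries, a checksums file in
# sha256sum's "<hex>  <name>" format (what a Makefile consolidation would produce),
# a passing check, then one binary altered to show the check failing.
demo() {
  local rel sums
  rel=$(mktemp -d); sums="$rel/argo-workflows-cli-checksums.txt"
  printf 'fake-linux-binary'  > "$rel/argo-linux-amd64.gz"
  printf 'fake-darwin-binary' > "$rel/argo-darwin-arm64.gz"
  ( cd "$rel" && for f in argo-*.gz; do printf '%s  %s\n' "$(sha256_file "$f")" "$f"; done ) > "$sums"
  verify_checksums "$sums" "$rel" || { rm -rf "$rel"; return 1; }
  printf 'tampered' > "$rel/argo-linux-amd64.gz"
  if verify_checksums "$sums" "$rel" 2>/dev/null; then
    rm -rf "$rel"; return 1   # modification went undetected: must not happen
  fi
  rm -rf "$rel"
  return 0
}
```

`demo` exercises only the hash step and runs without network access; `verify_release ./dist cosign.pub` and `verify_image cosign.pub <image>` additionally need cosign installed and access to the release assets and registry. The order in `verify_release` matters: the signature over the checksums file is what ties the hashes to the maintainers' key, so it is checked before any hash is trusted.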

@34fathombelow
Member Author

Updated to only sign multi-image tags

Contributor

@alexec alexec left a comment

LGTM. GitHub Actions will need to be monitored when this is merged and settings updated.

@stale

stale bot commented Nov 12, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If this is a mentoring request, please provide an update here. Thank you for your contributions.

@stale stale bot added the problem/stale This has not had a response in some time label Nov 12, 2022
@34fathombelow
Member Author

Not stale

@stale stale bot removed the problem/stale This has not had a response in some time label Nov 12, 2022
Member

@terrytangyuan terrytangyuan left a comment

Thank you!

@terrytangyuan terrytangyuan merged commit 7a05626 into argoproj:master Nov 19, 2022
@terrytangyuan
Member

We need some additional secrets required by this PR. @alexec @sarabala1979 Could you help add those?

@34fathombelow 34fathombelow deleted the signed-images branch November 20, 2022 02:11
@agilgur5 agilgur5 added type/security Security related area/build Build or GithubAction/CI issues labels Sep 22, 2023
@agilgur5 agilgur5 mentioned this pull request Sep 22, 2023