-
Notifications
You must be signed in to change notification settings - Fork 71
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Sambhav Kothari <[email protected]>
- Loading branch information
Showing
1 changed file
with
109 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,109 @@ | ||
# Meta | ||
[meta]: #meta | ||
- Name: Cosign support | ||
- Start Date: 2021-12-03 | ||
- Author(s): [@samj1912](https://github.com/samj1912) | ||
- RFC Pull Request: (leave blank) | ||
- CNB Pull Request: (leave blank) | ||
- CNB Issue: (leave blank) | ||
- Supersedes: (put "N/A" unless this replaces an existing RFC, then link to that RFC) | ||
|
||
# Summary | ||
[summary]: #summary | ||
|
||
Adds image signing support to Buildpacks natively using cosign. | ||
|
||
# Definitions | ||
[definitions]: #definitions | ||
|
||
- cosign: A sigstore project to sign container images - https://github.com/sigstore/cosign | ||
- SBOM: Software Bill-of-Materials | ||
|
||
|
||
# Motivation | ||
[motivation]: #motivation | ||
|
||
Supply chain security has been on top of everyone's minds in 2021. It is important to ensure the integrity and origin of software artifacts in order to have a secure supply chain. Sigstore's cosign has quikcly risen to become the defacto container signing solution. This RFC proposes that we natively add cosign support to the lifecycle to facilitate easy signed container artifacts as part of the build process. | ||
|
||
# What it is | ||
[what-it-is]: #what-it-is | ||
|
||
As a part of the exporting process, the `analyzer` and `exporter` will now take an addition flag `-cosign-config <cosign.toml>` which will contain the cosign configuration. | ||
|
||
The schema for `cosign.toml` will look like the following - | ||
|
||
```toml | ||
# A static list of annotations to add to each signature config | ||
[[annotations]] | ||
name = "<name>" | ||
value = "<value>" | ||
|
||
[[annotations]] | ||
name = "<name2>" | ||
value = "<value2>" | ||
|
||
# multiple cosign configs can be specified | ||
[[configs]] | ||
# path to private key | ||
key = "<path-to-key>" | ||
# Exclusive OR with `key` | ||
# private key inline as a b64 encoded string | ||
key-data = "<base64-encoded-private-key>" | ||
# optional value for COSIGN_REPOSITORY, optional, default:"" | ||
repository = "<cosign-repository>" | ||
# value for COSIGN_DOCKER_MEDIA_TYPES, optional, default:false | ||
docker-media-types = true | ||
# optional path to password file. Contents will be used as COSIGN_PASSWORD | ||
password = "<path-to-password-file>" | ||
# Exclusive OR with `password` | ||
# optional base64 encoded value for COSIGN_PASSWORD | ||
password-data = "<base64-encoded-password>" | ||
# optional flag to export sbom if present, default:true | ||
export-sbom = true | ||
# optional flag to sign sbom if exported, default: true | ||
sign-sbom = true | ||
``` | ||
|
||
The `analyzer` will be responsible for verifying registry access to push the required signatures. The exporter will be responsible for generating and pushing the signatures defined by each of the configs above for each tag specified to the `exporter`. As a part of this process, the lifecycle will also strip out any environment variables that start with `COSIGN_` before analyzing or exporting cosign specific tasks. | ||
|
||
During the export phase, the lifecycle will add all the provided annotations to each exported signature. It will also add the corresponding image tag and build time of the image as tags to the signature. | ||
The lifecycle will also export and sign related SBOM artifacts from the build. The format for attaching SBOM to the image will follow the specification described at https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md. | ||
|
||
The above will only be supported if `lifecycle` is run in `registry` mode. If we wish to support it in local mode, we may add support for this in case we drop daemon mode and introdue an OCI layout mode. | ||
|
||
# How it Works | ||
[how-it-works]: #how-it-works | ||
|
||
The exporter can use `cosign` as a library to generate, attach and publish signatures for the output image. `cosign` exposes a GGCR compatible interface which should fit nicely with the lifecycle. | ||
|
||
|
||
# Drawbacks | ||
[drawbacks]: #drawbacks | ||
|
||
Increased complexity in lifecycle | ||
|
||
# Alternatives | ||
[alternatives]: #alternatives | ||
|
||
Add cosign support to pack. | ||
|
||
|
||
# Prior Art | ||
[prior-art]: #prior-art | ||
|
||
- https://github.com/buildpacks/pack/issues/268 | ||
- https://github.com/buildpacks/pack/issues/934 | ||
- https://github.com/pivotal/kpack/blob/main/rfcs/0007-cosign-integration.md | ||
|
||
|
||
# Unresolved Questions | ||
[unresolved-questions]: #unresolved-questions | ||
|
||
|
||
How to deal with daemon case? I am of the opinion that we should deprecate daemon flag in lifecycle and instead switch to OCI but that can come later. | ||
|
||
# Spec. Changes (OPTIONAL) | ||
[spec-changes]: #spec-changes | ||
|
||
|
||
Noted above. |