Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add base image verification #2

Open
xynydev opened this issue Jan 22, 2024 · 7 comments
Open

feat: add base image verification #2

xynydev opened this issue Jan 22, 2024 · 7 comments
Assignees
Labels
type: feature Brand new functionality, features, pages, workflows, endpoints, etc.

Comments

@xynydev
Copy link
Member

xynydev commented Jan 22, 2024

Are these things, that are in the the startingpoint action, missing from here, or are they implemented in blue-build/cli (@gmpinder) ?

  • Check SIGNING_SECRET matches cosign.pub
  • Verify base image
  • Generate tags
  • Lowercase Registry & Image
@xynydev xynydev added the type: discussion Questions, proposals and info that requires discussion. label Jan 22, 2024
@gmpinder
Copy link
Member

@gmpinder
Copy link
Member

Lowercase registry is being fixed here: blue-build/cli#8

@xynydev xynydev changed the title feat: investigate possibly missing features feat: add base image verification Jan 30, 2024
@xynydev
Copy link
Member Author

xynydev commented Jan 30, 2024

Should the image verification be implemented here with EyeCantCU's action (easy), or in cli?

@gmpinder
Copy link
Member

Should the image verification be implemented here with EyeCantCU's action (easy), or in cli?

If it just involves inspecting it for a label, we can totally do that in the tool. Plus I'll need that to make sure we're using the right version number on the image instead of latest

@RoyalOughtness
Copy link

FYI, not only is base image verification needed but also custom base image verification, if using EyeCantCU's action:

  - name: Verify base image
        if: ${{ ! contains(env.IMAGE_NAME, 'wayblue') }}
        uses: EyeCantCU/cosign-action/[email protected]
        with:
          containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}

      - name: Verify base image
        if: ${{ contains(env.IMAGE_NAME, 'wayblue') }}
        uses: EyeCantCU/cosign-action/[email protected]
        with:
          containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
          registry: 'ghcr.io/wayblueorg'
          pubkey: 'https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub'

Regardless, the registry and pubkey need to be available as parameters.

@xynydev
Copy link
Member Author

xynydev commented Feb 11, 2024

I could implement this based on EyeCantCU's PR on startingpoint first, since this isn't a priority to implement in cli.

@xynydev xynydev self-assigned this Feb 11, 2024
@xynydev
Copy link
Member Author

xynydev commented Feb 18, 2024

We should probably have a list of keys to verify against by default, at least ublue and upstream fedora and vanilla (if those use cosign, haven't checked yet). I'm also unsure how to handle OIDC here.

@xynydev xynydev added type: feature Brand new functionality, features, pages, workflows, endpoints, etc. and removed type: discussion Questions, proposals and info that requires discussion. labels Mar 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type: feature Brand new functionality, features, pages, workflows, endpoints, etc.
Projects
None yet
Development

No branches or pull requests

3 participants