Comments (5)
mtrmac
commented on August 16, 2024
There already is remapIdentity. Isn’t this sufficient?
But, uh, in general, if the public identity users are aware of is registry.k8s.io, not some cloud host name, the signatures should sign the public identity name. That’s how users get an end-to-end-identity guarantee that they are getting the application they want. (Sure, there is registries.conf to redirect, and remapIdentity to change signatures, but those require local end-user knowledge that is almost certainly not transferred with similar integrity protection to the actual signature.)
Changing what name is signed seems to be the right thing to do. IIRC cosign can’t currently do it, follow https://issues.redhat.com/browse/RUN-1717 .
from image.
saschagrunert
commented on August 16, 2024
I'm not sure about remapIdentity, as mentioned this would require exact knowledge about the proxy setup and will possibly break in the future.
@mtrmac how would signing using registry.k8s.io work technically? Would we just change the docker-reference or add an additional field to the critical spec?
For ref:
> cosign verify --certificate-identity [email protected] --certificate-oidc-issuer https://accounts.google.com registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.0 | jq
[
{
"critical": {
"identity": {
"docker-reference": "europe-west8-docker.pkg.dev/k8s-artifacts-prod/images/security-profiles-operator/security-profiles-operator"
},
"image": {
"docker-manifest-digest": "sha256:2ff89db553e3d1a4c7cddef318607a851b9b3c185539e7d2b0395db31eb71a38"
},
"type": "cosign container image signature"
},
"optional": {
"1.3.6.1.4.1.57264.1.1": "https://accounts.google.com",
"Bundle": {
"SignedEntryTimestamp": "MEYCIQCLLsNPrD//vITjR5cfW5UpBD49X8HIZcK4FzOmaRf8HAIhALu2W2NaTqsAMkqeKP6TIVoi4QqLg65lJhZ0CIirU5pt",
"Payload": {
"body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzMGFhYzA2YTZiMTE0NDc5NjZkN2FjY2QxOWNhZjJlNjE3MzA3MWIyZWIwMmZiNzYyYTUxOTQ4ZmFhMWM2YzQ1In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUURlcVgweDcwOVh1VGlCNklEcmY4eHd1a0lkTkt3OWtZRkIvNy9nalVoVFVBSWdZZFFBRWlXN0QwZE11Y1NXaDU5MEROc2p3ZHh2U0RaUXRZV094UlhkcFpBPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTTNSRU5EUVc1TFowRjNTVUpCWjBsVlluaG9WM296TWxSa2QyVXpkM2R6YWt0SU9HTldUVkF5VG5obmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcE5kMDVFUlRSTlJHdDVUa1JSTWxkb1kwNU5hazEzVGtSRk5FMUVhM3BPUkZFeVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZRWVhaWlNuSnpSR2RzUkdnd2FrRjVRa3haTVZSQmJXeEhUalZvTlRGWmVsTk9TMndLU0U0d09EQTNOMkkwYTNKcFNEVm1MekE1VmtZM1p6RnFkRGR6TkZJcmRFbHdWbGhPUjJWbVRITk5jRGgxYnpaaVdEWlBRMEZhUlhkblowZE9UVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZxUTJkRkNtSkxjbTlEVUVKRVdVZFBjVzVIY0RsblVVNTFTMFpaZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDFGQldVUldVakJTUVZGSUwwSkVXWGRPU1VWNVlUTktiR0pETVRCamJsWjZaRVZDY2s5SVRYUmpiVlp6V2xjMWJreFlRbmxpTWxGMVlWZEdkQXBNYldSNldsaEtNbUZYVG14WlYwNXFZak5XZFdSRE5XcGlNakIzUzFGWlMwdDNXVUpDUVVkRWRucEJRa0ZSVVdKaFNGSXdZMGhOTmt4NU9XaFpNazUyQ21SWE5UQmplVFZ1WWpJNWJtSkhWWFZaTWpsMFRVTnpSME5wYzBkQlVWRkNaemM0ZDBGUlowVklVWGRpWVVoU01HTklUVFpNZVRsb1dUSk9kbVJYTlRBS1kzazFibUl5T1c1aVIxVjFXVEk1ZEUxSlIweENaMjl5UW1kRlJVRmtXalZCWjFGRFFrZ3dSV1YzUWpWQlNHTkJNMVF3ZDJGellraEZWRXBxUjFJMFl3cHRWMk16UVhGS1MxaHlhbVZRU3pNdmFEUndlV2RET0hBM2J6UkJRVUZIU0dzMk5VODFaMEZCUWtGTlFWTkVRa2RCYVVWQmRWbGxiakJ4ZFVGb05XYzJDakJMYzBGVFVrdFRjekJOVGtSS09GRnpUVGhSY1U5aFN6VTJNMnAyUzNORFNWRkVaMFpKWjBKcUswNUpXVTAxYjJKeWJESkhMMjFGZW5WcGVHSlVZMUFLV1hKWFkwUTVVR2s1ZVZCSlZFUkJTMEpuWjNGb2EycFBVRkZSUkVGM1RtOUJSRUpzUVdwQ0x6UlJVbUV6UmtreWExbENSelZ4YnpnMVMweERhU3RQUlFwc1lqbHBOVkJrTjBwcFEwWklaRlJEZVVwRlpHZENURTVtVEVwbVdXVkxlRmhpYkdOSFJGbERUVkZEVmk5aFFWVkRjMVoxU20xTFdrbGhVR1J6TUN0cUNrcDRhME14T1dvNGRtTm1TWEZsUjJoVVpHUXdWVVpaU1hKWVUwUmxVMEphVm1NMmRsUmhTRzl5S3pROUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19",
"integratedTime": 1681809893,
"logIndex": 18264171,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}
},
"Issuer": "https://accounts.google.com",
"Subject": "[email protected]",
"org.kubernetes.kpromo.version": "kpromo-"
}
}
]from image.
mtrmac
commented on August 16, 2024
Yes, change the docker-reference.
Typically the publishing workflow would be something like skopeo copy [--remove-signatures] --sign-by-sigstore=… --sign-identity=registry.example.com/public-product:$version docker://private-registry.example.com/testing-rc:$version docker://staging-registry.example.com/to-publish-product:$version.
from image.
saschagrunert
commented on August 16, 2024
I proposed something for discussion in sigstore/cosign#2984 and sigstore/sigstore#1166.
from image.
saschagrunert
commented on August 16, 2024
I see this as resolved now since sigstore/cosign#2995 merged
from image.
Related Issues (20)
- podman search seems not to use registries.conf mirror for docker.io HOT 3
- Support copying nested image indices HOT 1
- Copies don’t set OCI1InstanceAnnotationCompressionZSTD on Zstd:chunked HOT 1
- Allow configuring a registry as http-only HOT 3
- Copy fails with "use of closed network connection" error when using a slow proxy HOT 9
- Use OCI Go constants in the OCI transport
- [doc] fix warning when generating man pages with go-md2man HOT 3
- support for url path's in registries.conf unqualified-search-registries HOT 9
- containers-policy.json: provide default config in /usr/ HOT 6
- Conversion to schema1 does not fail with Zstd layers, making it uncertain we correctly convert to OCI HOT 1
- Copies of originally-compressed images from c/storage to uncompressed destinations don’t trigger MIME type updates HOT 1
- Converting a SIF image should not require fakeroot HOT 4
- Zstd(:chunked) work tracking checklist HOT 2
- Copies with Zstd compression to schema-agnostic transports don’t trigger schema conversion HOT 2
- TemporaryDirectoryForBigFiles() can still ignore $TMPDIR HOT 3
- isManifestUnknownError fails against Harbor registries, breaking sigstore signature upload HOT 15
- Blob reuse decisions do not take into account manifest support HOT 1
- Cannot copy buildkit cache images HOT 2
- Support for structured logging (using `log/slog`) HOT 5
- proposal: Support append images into docker archive HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from image.