Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: adds cosign support #341

Open
wants to merge 9 commits into
base: master
Choose a base branch
from

Conversation

ChrisJBurns
Copy link

@ChrisJBurns ChrisJBurns commented Jun 6, 2023

Currently, Content Trust is a feature offered by the registry-image-resource, but the gold standard for image signing now is using (if it isn't already) Cosign. This PR implements the functionality to sign images with Cosign. Currently, although it is possible using SignCmd, Cosign is a CLI first - meaning using it as a library in code can be a little less than ideal. This results in large number of config objects having to be passed into the SignCmd due to the fact that there is no CLI framework setting the default values.

When Cosign becomes more and more usable as a library, the code in this PR can be reduced. This includes, the way we have to set a temporary environment variable for COSIGN_KEY and COSIGN_PASSWORD until these are values that can be more easily passed into the Cosign code. Another one is the Keychain. Currently, Cosign works that if you have a docker config JSON file with registries and auth configured for them in a local cred store, Cosign will just use them via the go-containerregistry libary. Due to security reasons, we don't want to have to put the credentials in a file in the registry-image-resource task as any developer that intercepts the container can easily view those credentials. Instead we use an InMemoryKeychain that the underlying Cosign/go-containerregsitry libraries will pick up and use for the pushing of signatures to the registry.

implements: #329

@ChrisJBurns ChrisJBurns force-pushed the adds-cosign-support branch from f48bf60 to 28317a1 Compare June 6, 2023 10:57
@pidster
Copy link

pidster commented Jun 6, 2023

This would be really useful.

@PapaAAnthony
Copy link

looks good, can confirm would be a very useful feature for us to have.

Signed-off-by: ChrisJBurns <[email protected]>
Copy link
Member

@taylorsilva taylorsilva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR Chris! Sorry for the long delay in taking a look at it.

I'm noticing there are no tests for this feature. We'd need some tests before merging this in: https://github.com/concourse/registry-image-resource/blob/master/out_test.go

@ChrisJBurns
Copy link
Author

ChrisJBurns commented Apr 10, 2024

Thanks @taylorsilva , I'll get those added 👍!

@ChrisJBurns
Copy link
Author

@taylorsilva

I've added a test but I'm not entirely sure if there's a way to test if the time has been signed as there is no response, only an error. So I've just asserted that there is no error that comes back for that test. Wondering what other thoughts you had?

Signed-off-by: ChrisJBurns <[email protected]>
Copy link
Member

@taylorsilva taylorsilva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this is looking good. I made a suggestion for the test, let me know what you think.

I left a bunch of code-style related comments. My intention behind those comments is to keep the coding style within the code-base consistent.

I noticed the README hasn't been updated with the new cosign field. Could you please update the table with a new row describing which fields in cosign are required/optional. Not sure if the cosign field should live in the main Source or in PutParams instead. I left a comment below about that as well. Would someone want to use cosign in the get step? If they would, then it makes sense to leave Cosign in the Source struct.

Thanks again for the PR and making the changes you've made so far! Next review will go faster now that I've actually read all the code :)

types.go Show resolved Hide resolved
commands/out.go Outdated Show resolved Hide resolved
commands/out.go Outdated Show resolved Hide resolved
commands/out.go Outdated Show resolved Hide resolved
commands/out.go Outdated Show resolved Hide resolved
commands/out.go Outdated Show resolved Hide resolved
commands/out.go Outdated Show resolved Hide resolved
commands/out.go Outdated Show resolved Hide resolved
commands/out.go Outdated Show resolved Hide resolved
out_test.go Outdated Show resolved Hide resolved
@taylorsilva
Copy link
Member

The out test is failing:
image

Slightly more detailed error:
image

actualErr is just the `error` type returned by the out command in Go. We
want what was output to stderr, which is what actualErrOutput is

Signed-off-by: Taylor Silva <[email protected]>
Signed-off-by: Taylor Silva <[email protected]>
@taylorsilva
Copy link
Member

Made a small fix to the test. Looks like the image isn't being signed though as we're not seeing any of the info log lines output:
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants