-
Notifications
You must be signed in to change notification settings - Fork 110
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
keyless releases via workload identities and transparency log support #157
Conversation
fe35c0b
to
7ce868b
Compare
I have updated the PR a little bit and I have added signatures via cosign. How does this work:
You need the following two variables:
I am aware that giving github access to both isn't the best solution, but it is the best I came up with. EDIT: The alternative would involve manual builds + releases (this would violate SLSA level 1, iirc). |
If you want to see how this looks like. You can have a look on my in-toto-golang fork: https://github.com/shibumi/in-toto-golang/actions/runs/1280062339 Goreleaser will also automatically create a github changelog for you based on the commits. I suggest using conventional commits: https://www.conventionalcommits.org/en/v1.0.0/ |
One last addition: The release pipeline will only be triggered if:
The release will fail if the two github secrets (mentioned above) are missing. EDIT: Github does not allow pushing tags via PR.. so there will be never a release being scheduled by a malicious PR. |
Amazing, thanks @shibumi! Now we have to figure out how to best generate and upload the key... |
Generating a keypair works via: |
WDYT about generating this key in the same place it will be used: GitHub Actions itself? As a one-time, manually-run job, ofc. |
This would work, as well. In that case you would need to add the generated cosign.pub key to the release artifacts. Otherwise it would be pointless to sign it if you have nothing to validate the signature with. |
Easily done, no? |
@trishankatdatadog I thought about this a while. Do you know how the 'randomness' inside of Github Action VMs looks like? I had a proper look on cosign and it would be possible to generate a new key-pair for every PR run:
Do you have something 'bigger' in your mind? :)
It is not rocket science.. this is doable yes. The question is if it's a good idea. To be honest: I don't know. |
That's hilarious. A throwaway signing key for every release. Can't we just use Fulcio? Is it in production yet? @asraa |
Ah okay. My apologies :D looks like I misunderstood what you mean. Let me have a look on Fulcio ( I never used it before). |
Don't get me wrong: I don't think it's a bad idea... |
There are two blockers with fulcio:
We could freeze this PR for a while and wait. @dlorenc mentioned on twitter that the certificate transparency features will be production ready soonish... maybe this does apply to signing via fulcio, too?! |
FYI: I have experimented with cosign and github actions workload identities a little bit. My newest in-toto-golang PR (in-toto/in-toto-golang#128) showcases signatures via OIDC-Issuer and transparency logs in rekor. The only part what is missing now:
|
7ce868b
to
0091d8d
Compare
Pull Request Test Coverage Report for Build 1646963318
💛 - Coveralls |
Thanks for continuing to make progress on this! |
@trishankatdatadog @asraa short update on this PR: I have done the following changes:
A few open topics to discuss:
|
0091d8d
to
8ae8b86
Compare
Updated: New cosign version: v1.4.1 Experimental mode is still needed. According to Dan, we might have a cosign release without it with version >= v.1.5.0 |
8ae8b86
to
01f8c38
Compare
01f8c38
to
926a3bb
Compare
0dd82d7
to
720e773
Compare
I have updated this PR:
|
dca6553
to
f6c9268
Compare
This commit enables keyless signatures via the Github Actions workload identity. The pipeline will run on a new tag and will generate a compiled cli and server version of TUF and a signed source tarball. The keys are ephemeral and valid for 30min and strictly coupled to the workload identity of the Github Actions workflow. Transparency logs will be automatically uploaded to the public rekor instance
f6c9268
to
6b724ae
Compare
sboms: | ||
- artifacts: archive | ||
signs: | ||
- cmd: cosign |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe we can move the COSIGN_EXPERIMENTAL environment variable over here under the env property of the sign section, WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You mean in the goreleaser files instead of the github action workflow file? Do you know how? Can you provide a gist?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
of course, let me clarify this example:
run: go vet ./... | ||
- name: Install staticcheck | ||
run: "go install honnef.co/go/tools/cmd/staticcheck@v0.2.2" | ||
- name: Run staticcheck |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can use golangci-lint tool instead of these lines, WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that makes sense. These lines are migrated from the old build workflow.. @asraa @trishankatdatadog are you fine with using golangci-lint instead of staticcheck (golangci-lint calls staticcheck, but can do more).
Closed by #234. Thanks for your hard work, @shibumi and @developer-guy! |
Inspired by my in-toto-golang goreleaser build I played a little bit with a similar workflow for go-tuf.
This PR is work in progress.
What works already:
What is missing:
This PR does only make sense if go-tuf has a release cycle. Are there any plans for cutting a new release or releases at all?