Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sign image and attach SBOM attestion #12

Merged
merged 4 commits into from
Dec 4, 2023
Merged

Sign image and attach SBOM attestion #12

merged 4 commits into from
Dec 4, 2023

Conversation

michaelsauter
Copy link
Member

Closes #11.

@michaelsauter michaelsauter requested a review from henrjk November 23, 2023 13:32
@michaelsauter michaelsauter self-assigned this Nov 23, 2023
henrjk
henrjk reviewed Dec 1, 2023
View reviewed changes
Copy link
Member

@henrjk henrjk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cosign seems like a good choice to me.
Perhaps we can enable using Fulcio and Rekor as well. I left a few comments to that end; hope they help a bit ;-)
I think this could also be merged as is!

cmd/package-image/cosign.go
}

func (c *CosignClient) commonArgs(imageRef string) []string {
args := []string{"--tlog-upload=false", "--key", c.key}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps it would be worthwhile to also allow using a custom rekor URL so one could run a private rekor instance.
If we would make the rekor url a parameter one could by default have it empty meaning it is not used. A special value could be used for not disabling using rekor and instead use it's default URL.

cmd/package-image/main.go
@@ -88,6 +91,7 @@ var defaultOptions = options{
buildahBuildExtraArgs: "",
buildahPushExtraArgs: "",
trivySBOMExtraArgs: "",
cosignKey: "",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should cosignExtraArgs be added to facilitate experimentation?

@michaelsauter
Copy link
Member Author

Awesome, thanks for the feedback. I basically agree to all your mentioned points. However, they all can be added later on without breaking the current behaviour. Therefore I am going to merge this now, and when the need arises we can build on top of it.

@michaelsauter michaelsauter merged commit 8214892 into main Dec 4, 2023
1 check passed
@michaelsauter michaelsauter deleted the feature/sign-image branch December 4, 2023 07:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@henrjk henrjk henrjk left review comments

Assignees

@michaelsauter michaelsauter

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(Optionally) sign image
2 participants
@michaelsauter @henrjk