Validate cosign signatures if included in images #2257

Open
Racer159 opened this issue Jan 24, 2024 · 1 comment · May be fixed by #2324
Labels
enhancement ✨ New feature or request

Comments

@Racer159 (Contributor)

Is your feature request related to a problem? Please describe.

As Ezra I want to validate cosign signatures on zarf package create so that I can have confidence that they will work correctly before the package goes to the air gap.

Describe the solution you'd like

  • Given I have a package with cosign signatures defined under images
  • When Zarf pulls the signatures and the images to which they relate
  • Then Zarf validates the signatures against the images

Describe alternatives you've considered

We could have a separate process for this (and this will slow down create), but since it will only run when cosign signatures are defined, it should be a fine tradeoff: people can opt into the slowdown if they need or want to, and if they do, it will save them time in the long run, since it would be costly to bring an invalid package to the air gap.

Additional context

#475

@mjnagel (Contributor)

mjnagel commented May 9, 2024

> validate cosign signatures on zarf package create so that I can have confidence that they will work correctly

Want to call out that this is more than just "confidence they will work correctly" in the broad sense, but also confidence that the image is what I expected (i.e. it isn't some maliciously published image; it was published by the build system I expected). There are some valuable supply chain considerations there.

> Given I have a package with cosign signatures defined under images

While I think this is a good qualifier for a first pass, it would honestly be great if there were also a way to opt in to signature validation even if I don't put signatures in images. It shouldn't be significantly more challenging, since zarf already has code to find signatures, and in some cases I might just want signatures to be validated at build time and have no need to bring them along with me in my zarf package.

> Then Zarf validates the signatures against the images

Worth noting that there are a number of different validation paths with cosign - you may need to pass in a key, skip the tlog, or it might just work (keyless signatures?). This would likely mean we need an additional "config block"/args to specify some of those options, and potentially allow it per registry/repo/image.
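As an added illustration of the per-registry/repo/image "config block" and the three validation paths raised in this comment (not Zarf's code or schema, and not from any commenter), the hypothetical `VerifyRule` type and `ArgsFor` function below pick the most specific rule for an image reference and build the cosign v2 `verify` argument list for it; the flags used (`--key`, `--certificate-identity-regexp`, `--certificate-oidc-issuer`, `--insecure-ignore-tlog`) are real cosign v2 flags, while the rule shape, field names and matching policy are assumptions. Actually executing cosign and failing `zarf package create` on a non-zero exit is left out.

```go
package main

import (
	"fmt"
	"strings"
)

// VerifyRule is a hypothetical per-registry/repo/image config block; it is an
// illustration of the comment's suggestion, not Zarf's actual package schema.
type VerifyRule struct {
	Match      string // image reference prefix, e.g. "ghcr.io/example/"
	KeyPath    string // key-based path: public key passed to --key
	Identity   string // keyless path: expected certificate identity (regexp)
	Issuer     string // keyless path: expected OIDC issuer URL
	IgnoreTlog bool   // skip the Rekor transparency-log check
}

// ArgsFor picks the most specific rule (longest matching prefix) for an image
// reference and builds the cosign v2 "verify" argument list for it. An image
// with no matching rule is an error rather than a silent skip, so unknown or
// unsigned images are caught at build time instead of at the air gap.
func ArgsFor(rules []VerifyRule, image string) ([]string, error) {
	var best *VerifyRule
	for i := range rules {
		r := &rules[i]
		if strings.HasPrefix(image, r.Match) && (best == nil || len(r.Match) > len(best.Match)) {
			best = r
		}
	}
	if best == nil {
		return nil, fmt.Errorf("no verification rule matches %s", image)
	}
	args := []string{"verify"}
	switch {
	case best.KeyPath != "":
		args = append(args, "--key", best.KeyPath)
	case best.Identity != "" && best.Issuer != "":
		args = append(args, "--certificate-identity-regexp", best.Identity,
			"--certificate-oidc-issuer", best.Issuer)
	default:
		return nil, fmt.Errorf("rule %q needs a key or a keyless identity and issuer", best.Match)
	}
	if best.IgnoreTlog {
		args = append(args, "--insecure-ignore-tlog=true")
	}
	return append(args, image), nil
}
```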
