Implement container image attestations #1035

Open
almet opened this issue Dec 17, 2024 · 0 comments · May be fixed by #1086
Labels
icu Issues related with independent container updates

almet (Member) commented Dec 17, 2024

Attestations are ways to attest the provenance of the image. Here is an example of an attestation (processed by GitHub).

In our case, we want to ensure that these fields are the expected ones:

| Field | Value |
|---|---|
| Source Repository URI | `https://github.com/freedomofpress/dangerzone` |
| Runner Environment | `github-hosted` |
| Build Signer URI | `https://github.com/freedomofpress/dangerzone/.github/workflows/release-container-image.yml*` |

Note: Cosign Bundle Specification

Multiple formats exist to attach the attestations to a container registry. We are following the format and mechanism described by the Cosign Bundle Spec.

Here is an example implementation of publishing images with their attestations via GitHub Actions, and manual steps to verify the validity of the attestation.
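One way to express the field check described in this issue, as an added example (not code from the issue or from Dangerzone). The function name, dict keys and sample values are assumptions; the expected values are copied from the table as they appear on this page, and the input is assumed to come from an attestation whose signature has already been verified.

```python
from fnmatch import fnmatchcase

# Expected values, copied from the table in the issue. The trailing "*" on the
# Build Signer URI is treated as a glob wildcard (assumption).
_BASE = "https://github.com/freedomofpress/dangerzone"
EXPECTED = {
    "Source Repository URI": _BASE,
    "Runner Environment": "github-hosted",
    "Build Signer URI": _BASE + "/.github/workflows/release-container-image.yml*",
}


def check_attestation_fields(fields):
    """Return a list of policy violations; an empty list means the fields pass.

    `fields` is a hypothetical dict of identity fields extracted from an
    already verified attestation. Missing or empty fields fail closed.
    """
    errors = []
    for name, pattern in EXPECTED.items():
        value = fields.get(name)
        if not isinstance(value, str) or not value:
            errors.append(f"{name}: missing")
        elif "*" in pattern:
            # Case-sensitive glob match; only the signer URI uses a wildcard.
            if not fnmatchcase(value, pattern):
                errors.append(f"{name}: {value!r} does not match {pattern!r}")
        elif value != pattern:
            # Exact comparison: a prefix or substring test would accept
            # look-alike repositories such as ".../dangerzone-fork".
            errors.append(f"{name}: {value!r} != {pattern!r}")
    return errors


# Constructed sample inputs (not taken from a real attestation).
GOOD = {
    "Source Repository URI": _BASE,
    "Runner Environment": "github-hosted",
    "Build Signer URI": _BASE
    + "/.github/workflows/release-container-image.yml@refs/heads/main",
}
FORK = dict(GOOD, **{"Source Repository URI": _BASE + "-fork"})
SELF_HOSTED = dict(GOOD, **{"Runner Environment": "self-hosted"})
OTHER_WORKFLOW = dict(
    GOOD, **{"Build Signer URI": _BASE + "/.github/workflows/ci.yml@refs/heads/main"}
)
MISSING = {k: v for k, v in GOOD.items() if k != "Runner Environment"}
```
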

almet added this to the 0.9.0 milestone Dec 17, 2024
almet changed the title from "Implement attestations" to "Implement container image attestations" Dec 17, 2024
almet linked a pull request Dec 17, 2024 that will close this issue
almet moved this from Todo to In Progress in Dangerzone ✨ Dec 19, 2024
apyrgio added the icu (Issues related with independent container updates) label Dec 19, 2024
apyrgio added a commit that referenced this issue Feb 26, 2025
1. Create a multi-architecture container image for Dangerzone, instead
   of having two different tarballs (or no option at all)
2. Build the Dangerzone container image on our supported architectures
   (linux/amd64 and linux/arm64). It so happens that GitHub also offers
   ARM machine runners, which speeds up the build.
3. Combine the images from these two architectures into one, multi-arch
   image.
4. Generate provenance info for each manifest, and the root manifest
   list.
5. Check the image's reproducibility.

Also, remove an older CI action, that is now obsolete.

Fixes #1035