
[TEP-0089] - Phase 2 Signed TaskRun #17

Open. Wants to merge 2 commits into base: spire-phase-1

Conversation

pxp928 (Owner) commented May 3, 2022

Signed-off-by: pxp928 parth.psu@gmail.com

Changes

Authors - @pxp928 and @lumjjb

In association with TEP-0089: Non-falsifiable provenance support

This PR is the implementation of Phase 2 of the TEP-0089: Non-falsifiable provenance support

Phase 2

  • Implement Signed TaskRuns with SPIRE
  • Add support for Chains verifying Signed TaskRuns

Continuation of phase 1 of TEP-0089. This PR adds signed TaskRuns by adding an annotation to the TaskRun Status. This only allows changes from the pipeline controller to be valid. All other interactions will be marked as not valid and fail the SPIRE verification.

Once Tekton Pipeline completes, Chains will run to verify that both the TaskRun Results and the TaskRun are validated by SPIRE. If they do not pass the check, Chains will not sign the TaskRun.

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Docs included if any changes are user facing
  • Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Release notes block below has been filled in or deleted (only if no user facing changes)

Release Notes

  • Added TaskRun Status annotations to track the validity of the signed TaskRun
  • Utilizes pipeline controller SPIRE SVID, status hash and signature
  • Pipeline controller continuously validates the TaskRun Status for any modifications
  • Tekton Chains will validate the results and status of the TaskRun after completion

Please provide feedback and improvements!
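The mechanism the description outlines (controller hashes the TaskRun status, signs the hash with its SVID key, records hash, signature and SVID as status annotations; controller and Chains later recompute and verify) can be shown end to end in Go. The block below is an added example written for this page, not code from the Tekton Pipelines or Chains repositories or from this PR. It assumes: a reduced TaskRunStatus struct with only a pod name, results and annotations; hypothetical annotation keys under example.dev/ (the PR's real key names are not shown on this page); a locally generated ECDSA P-256 key standing in for the SPIRE-issued SVID; and a "trusted" public key passed to Verify standing in for checking the SVID against the SPIRE trust bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical annotation keys; the PR's real key names are not shown on this page.
const (
	annSVID = "example.dev/controller-svid" // controller verifying key (stands in for the SPIRE SVID)
	annHash = "example.dev/status-hash"     // SHA-256 over the canonical status
	annSig  = "example.dev/status-hash-sig" // ECDSA signature over that hash
)

// TaskRunStatus is a reduced stand-in for Tekton's TaskRunStatus.
type TaskRunStatus struct {
	PodName     string            `json:"podName"`
	Results     map[string]string `json:"results"`
	Annotations map[string]string `json:"annotations"`
}

// statusHash hashes the status with the three signing annotations stripped, so
// every other field is covered; encoding/json sorts map keys, so it is stable.
func statusHash(s *TaskRunStatus) []byte {
	c := *s
	c.Annotations = map[string]string{}
	for k, v := range s.Annotations {
		if k != annSVID && k != annHash && k != annSig {
			c.Annotations[k] = v
		}
	}
	b, _ := json.Marshal(&c) // strings and string maps cannot fail to marshal
	sum := sha256.Sum256(b)
	return sum[:]
}

// Sign is what the pipeline controller does on every status update it makes:
// it records hash, signature and its verifying key in the status annotations.
func Sign(key *ecdsa.PrivateKey, s *TaskRunStatus) error {
	h := statusHash(s)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h)
	if err != nil {
		return err
	}
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return err
	}
	if s.Annotations == nil {
		s.Annotations = map[string]string{}
	}
	s.Annotations[annHash] = hex.EncodeToString(h)
	s.Annotations[annSig] = base64.StdEncoding.EncodeToString(sig)
	s.Annotations[annSVID] = base64.StdEncoding.EncodeToString(pub)
	return nil
}

// Verify is the check the controller reconciler and Chains would run. The trusted
// key stands in for validating the SVID against the SPIRE trust bundle: a
// self-consistent hash and signature from any other key must still be rejected.
func Verify(s *TaskRunStatus, trusted *ecdsa.PublicKey) error {
	der, _ := base64.StdEncoding.DecodeString(s.Annotations[annSVID])
	pubAny, err := x509.ParsePKIXPublicKey(der)
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if err != nil || !ok || !pub.Equal(trusted) {
		return errors.New("signer is not the trusted pipeline controller")
	}
	want := statusHash(s)
	if hex.EncodeToString(want) != s.Annotations[annHash] {
		return errors.New("status hash mismatch: status modified after signing")
	}
	sig, err := base64.StdEncoding.DecodeString(s.Annotations[annSig])
	if err != nil || !ecdsa.VerifyASN1(pub, want, sig) {
		return errors.New("signature does not verify over the status hash")
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed sample status, not taken from a real TaskRun.
	st := &TaskRunStatus{PodName: "build-pod", Results: map[string]string{"IMAGE_DIGEST": "sha256:abc"}}
	_ = Sign(key, st)
	fmt.Println("fresh:", Verify(st, &key.PublicKey))
	st.Results["IMAGE_DIGEST"] = "sha256:evil" // out-of-band edit, e.g. a direct status patch
	fmt.Println("tampered:", Verify(st, &key.PublicKey))
}
```

Two points the example makes concrete: the hash must be computed over the status with the signing annotations removed, otherwise the controller could never produce a stable value to sign; and a verifier that only checks internal consistency (hash matches, signature verifies under the embedded key) is not enough, because anyone who can patch the status can also swap in their own key, which is why the SVID has to be checked against a trust root and not merely parsed.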

@pxp928 pxp928 changed the title [TEP-0089] - Implement Non-falsifiable provenance support [TEP-0089] - Phase 2 Signed TaskRun May 3, 2022
@pxp928 pxp928 closed this May 3, 2022
@pxp928 pxp928 reopened this May 3, 2022
@pxp928 pxp928 force-pushed the spire-phase-1 branch 3 times, most recently from 00f73a0 to b55a667 Compare May 10, 2022 14:03
@pxp928 pxp928 force-pushed the spire-phase-1 branch 3 times, most recently from e3e93c2 to aae23e4 Compare May 31, 2022 19:35
@pxp928 pxp928 force-pushed the spire-phase-1 branch 5 times, most recently from 289b644 to 792abd4 Compare June 25, 2022 22:03
@pxp928 pxp928 force-pushed the spire-phase-1 branch 4 times, most recently from 7339bef to 13ed6ef Compare July 29, 2022 00:32
@pxp928 pxp928 force-pushed the spire-phase-2 branch 2 times, most recently from 9e43f54 to e3d8140 Compare July 29, 2022 01:17
@pxp928 pxp928 force-pushed the spire-phase-2 branch 5 times, most recently from 4ee4296 to 260f5e2 Compare July 29, 2022 01:39
Signed-off-by: pxp928 <parth.psu@gmail.com>
Signed-off-by: pxp928 <parth.psu@gmail.com>