
feature/security: Implement image signature verification #1143

Merged (7 commits) on Jan 31, 2025

Conversation


@willdollman willdollman commented Jan 28, 2025

Implement verification of container signatures for release images. This allows customers to easily verify the signatures we started publishing in SEC-2445.

The implementation shares several helper functions with the `src sbom fetch` command, as both fetch information about releases, talk to our container registries, and use cosign behind the scenes.

The verification process is:

  • Fetch the list of images in `$release` from the GCS bucket
  • Fetch our public key from the GCS bucket
  • Verify the signature of each image at the release tag using `cosign verify` with our public key
  • Output image digests once they're verified

Digests can then be used or checked against our deployment configs by customers. Customers could also use the sigstore admission controller on their cluster to automate this, but allowing signature verification via src-cli is convenient and a small code change.

[Screenshot: signature verification of a subset of images]

Test plan

  • Tested signature verification locally
  • Verified SBOM fetching still works after changes to helper funcs
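The step of the flow above that turns `cosign verify` output into trusted digests, as an added example that is not src-cli's own code. It assumes cosign's simple-signing payload shape (`critical.identity.docker-reference`, `critical.image.docker-manifest-digest`) and that `docker-reference` carries the repository without a tag; the sample output and its digest are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// cosignPayload mirrors the simple-signing payload `cosign verify` prints, one element per signature.
type cosignPayload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
	} `json:"critical"`
}

// sampleOutput is a constructed stand-in for `cosign verify --key` output; the digest is a placeholder.
var sampleOutput = []byte(`[{"critical":{"identity":{"docker-reference":"index.docker.io/sourcegraph/frontend"},` +
	`"image":{"docker-manifest-digest":"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},` +
	`"type":"cosign container image signature"},"optional":null}]`)

// VerifiedDigest returns the manifest digest attested for wantRepo (registry/repository, no tag).
// It fails closed on empty output, a payload naming another repository, a malformed digest,
// or signatures that disagree about the digest.
func VerifiedDigest(output []byte, wantRepo string) (string, error) {
	var payloads []cosignPayload
	if err := json.Unmarshal(output, &payloads); err != nil {
		return "", fmt.Errorf("parse cosign output: %w", err)
	}
	if len(payloads) == 0 {
		return "", fmt.Errorf("%s: no verified signatures", wantRepo)
	}
	digest := ""
	for _, p := range payloads {
		ref, d := p.Critical.Identity.DockerReference, p.Critical.Image.DockerManifestDigest
		if ref != wantRepo {
			return "", fmt.Errorf("%s: signature names %q, not this repository", wantRepo, ref)
		}
		if len(d) != len("sha256:")+64 || d[:7] != "sha256:" {
			return "", fmt.Errorf("%s: malformed digest %q", wantRepo, d)
		}
		if digest != "" && digest != d {
			return "", fmt.Errorf("%s: signatures disagree on digest", wantRepo)
		}
		digest = d
	}
	return digest, nil // pin deployments to repo@digest, not the mutable release tag
}
```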

@willdollman willdollman self-assigned this Jan 28, 2025
@willdollman willdollman marked this pull request as ready for review January 28, 2025 21:10
@willdollman willdollman requested a review from a team as a code owner January 28, 2025 21:10
@willdollman

golangci-lint setup seems to be failing in CI, but I've run locally and no issues flagged in these changes.

@camdencheek camdencheek left a comment


Looks good to me!

@willdollman willdollman merged commit 436da91 into main Jan 31, 2025
9 of 10 checks passed
@willdollman willdollman deleted the will/verify-signatures branch January 31, 2025 17:18
willdollman added a commit to sourcegraph/docs that referenced this pull request Feb 5, 2025
Add documentation for verifying container signatures using `src
signature verify`, as introduced in
sourcegraph/src-cli#1143.

Also update SBOM documentation to align with the signature verification
docs.

- https://sourcegraph-docs-git-will-container-6ad7d6-sourcegraph-f8c71130.vercel.app/docs/cli/how-tos/verify_container_signatures
- https://sourcegraph-docs-git-will-container-6ad7d6-sourcegraph-f8c71130.vercel.app/docs/cli/how-tos/fetch_sboms

## Pull Request approval

You will need to get your PR approved by at least one member of the
Sourcegraph team. For reviews of docs formatting, styles, and component
usage, please tag the docs team via the #docs Slack channel.