
added cosign and provenance generation #425

Merged
merged 2 commits into from
Jan 10, 2024

Conversation

garethahealy
Contributor

Added the ability to generate provenance of how the packaged chart was created by using the GitHub SLSA generator and added the ability to sign the tgz.

tested via this pipeline:

the end result:

If a consumer of the chart wants to make sure the tgz they've got is the same as the one packaged via the pipeline, they can:

$ brew install rekor-cli
$ rekor-cli get --log-index 60881562 --format json | jq -r '.Body.HashedRekordObj.signature.content'  > jenkins.tgz.sig
$ rekor-cli get --log-index 60881562 --format json | jq -r '.Body.HashedRekordObj.signature.publicKey.content' | base64 -d > pub.crt

$ cosign verify-blob --certificate pub.crt --signature jenkins.tgz.sig --certificate-identity https://github.com/garethahealy/helm-charts/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com jenkins-1.0.13.tgz

cc: @redhat-cop/day-in-the-life
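The verification steps above rely on the consumer pairing the Rekor entry with the file they actually hold. The following script is an added example, not code from this pull request or the helm-charts repository: it checks that the sha256 recorded in a HashedRekord entry matches the local tarball before extracting the signature and certificate, and then builds the `cosign verify-blob` call with the certificate identity and OIDC issuer pinned, as in the PR description. The Rekor entry embedded in the script is constructed sample data with placeholder signature and certificate bytes; the identity and issuer values are the ones quoted above.

```python
"""Offline digest check of a Helm chart tarball against a Rekor HashedRekord entry.

Added example (not part of the pull request). The Rekor entry below is
constructed sample data shaped like `rekor-cli get --format json` output;
its signature and certificate contents are placeholders, not real material.
"""
import base64
import hashlib
import shlex
import shutil
import subprocess
from pathlib import Path

# Constructed sample input standing in for jenkins-1.0.13.tgz.
SAMPLE_CHART = b"fake-chart-bytes"
SAMPLE_ENTRY = {
    "Body": {
        "HashedRekordObj": {
            "data": {"hash": {"algorithm": "sha256",
                              "value": hashlib.sha256(SAMPLE_CHART).hexdigest()}},
            "signature": {
                "content": base64.b64encode(b"placeholder-signature").decode(),
                "publicKey": {"content": base64.b64encode(
                    b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
                ).decode()},
            },
        }
    }
}

# Identity and issuer quoted in the PR description; pinning both makes cosign
# reject a valid signature issued to any other workflow or identity provider.
EXPECTED_IDENTITY = ("https://github.com/garethahealy/helm-charts/.github/workflows/"
                     "release.yaml@refs/heads/main")
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"


def entry_digest(entry: dict) -> tuple[str, str]:
    """Return (algorithm, hex digest) recorded in the HashedRekord body."""
    h = entry["Body"]["HashedRekordObj"]["data"]["hash"]
    return h["algorithm"], h["value"]


def local_digest(data: bytes, algorithm: str = "sha256") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def digest_matches(entry: dict, data: bytes) -> bool:
    """True only if the bytes we hold are the bytes the log entry was made for."""
    algo, recorded = entry_digest(entry)
    return recorded == local_digest(data, algo)


def extract_materials(entry: dict, outdir: Path) -> tuple[Path, Path]:
    """Write signature and certificate the way the PR's rekor-cli | jq pipeline does:
    the signature stays base64 (cosign reads base64 signature files), the
    certificate is base64-decoded back to PEM."""
    sig = entry["Body"]["HashedRekordObj"]["signature"]
    sig_path = outdir / "chart.tgz.sig"
    crt_path = outdir / "pub.crt"
    sig_path.write_text(sig["content"])
    crt_path.write_bytes(base64.b64decode(sig["publicKey"]["content"]))
    return sig_path, crt_path


def cosign_command(chart: Path, sig: Path, crt: Path) -> list[str]:
    """Build the verify-blob invocation with identity and issuer pinned."""
    return ["cosign", "verify-blob",
            "--certificate", str(crt),
            "--signature", str(sig),
            "--certificate-identity", EXPECTED_IDENTITY,
            "--certificate-oidc-issuer", EXPECTED_ISSUER,
            str(chart)]


def verify(chart: Path, entry: dict, workdir: Path) -> str:
    """Digest check first, then the cosign signature check if cosign is present."""
    if not digest_matches(entry, chart.read_bytes()):
        return "digest-mismatch"
    sig, crt = extract_materials(entry, workdir)
    cmd = cosign_command(chart, sig, crt)
    if shutil.which("cosign") is None:
        # Offline path: report the command that would run instead of running it.
        return "cosign-not-installed: " + shlex.join(cmd)
    result = subprocess.run(cmd, capture_output=True, text=True)
    return "verified" if result.returncode == 0 else "signature-invalid"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        chart = work / "jenkins-1.0.13.tgz"
        chart.write_bytes(SAMPLE_CHART)
        print(verify(chart, SAMPLE_ENTRY, work))
        chart.write_bytes(SAMPLE_CHART + b"tampered")   # altered tarball
        print(verify(chart, SAMPLE_ENTRY, work))         # digest-mismatch
```

The digest comparison is the piece the `rekor-cli` commands above leave implicit: a HashedRekord entry signs a digest, so a signature that verifies against the certificate still says nothing about a tarball whose sha256 differs from the one in the entry. With the placeholder certificate, a real cosign run will report `signature-invalid`; swap in an entry fetched with `rekor-cli get --log-index ... --format json` and the real tarball to exercise the full path.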

@garethahealy
Contributor Author

@sabre1041 ; interested if you've got any feedback on this. I looked at the helm plugin but that didn't seem super active and also required generating pgp keys, which I don't want to have to do as part of this pipeline.

@garethahealy
Contributor Author

@ckavili ; happy to have a chat to explain this, if it's not clear

@ckavili
Contributor

ckavili commented Jan 2, 2024

> @ckavili ; happy to have a chat to explain this, if it's not clear

I think we are good! I used helm sign... and the plug-in you mentioned before, but yeah, I wouldn't want to get into gpg keys as well 🫣🙈 Unless Andy has other suggestions, I'd just say maybe we can add the verification part to the README for people who are interested, and then we are good 🙃

@sabre1041
Contributor

@garethahealy the goal of the plugin was to provide a bridge for transparency with the existing signing methods of Helm so it could take advantage of Rekor as well as not be tied to OCI to store charts.

If neither is necessary, simple sigstore/cosign signing is all you need.

@eformat
Contributor

eformat commented Jan 10, 2024

LGTM .. let's try this out @garethahealy !

@eformat eformat merged commit 45407d9 into redhat-cop:main Jan 10, 2024
3 checks passed
@eformat
Contributor

eformat commented Jan 10, 2024

@garethahealy .. think this can be ignored ..

https://github.com/redhat-cop/helm-charts/actions/runs/7481237987/job/20362415933

let me merge a renovate one .. see what happens ...

@ckavili
Contributor

ckavili commented Jan 10, 2024

ohh very nice! 😍

@eformat
Contributor

eformat commented Jan 10, 2024

🥳🎉👯‍♀️
