
CI/scripts: sign and verify released docker images

What

Add a Cosign signing and verification step to the release process for Docker images.

Why

As a resilience measure against supply chain attacks, signing the released Docker images lets users check that an image manifest was produced by the official release pipeline and has not been altered since it was pushed.

How

  • This MR adds a sign and verify step based on cosign.
  • The key pair is generated automatically in the project tezos-infra/iac/terraform/tf-gcp-kms.
  • The signing job needs access to the key through gcloud, using a dedicated signer GCP service account:
    • The service account is defined in the gitlab-runners' GCP project.
    • Its authorizations (permission to sign with the key) are defined in the KMS' GCP project; the private key itself never leaves KMS, signing is done by a KMS call.
  • The CI/CD variables used are:
    • GCP_SIGNER_SERVICE_ACCOUNT: the signer service account key file, base64-encoded
    • GCP_SIGN_KEY: the key used for signing, in the format gcpkms://projects/<GCP_PROJECT_CONTAINING_THE_KEY_PAIR>/locations/<LOCATION>/keyRings/<KEYRING_NAME>/cryptoKeys/<KEY_NAME>/versions/<KEY_VERSION>
    • GCP_SIGN_KEY_URL: URL of the public key used for verification, https://storage.googleapis.com/nl-prod-sign-keyring/nl-prod-docker-sign-key.pem
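The following script is an added example of the sign-and-verify flow described above; it is not the CI script from this MR. It assumes the three CI variables named above, a cosign >= 2.0 binary and curl, and that the image is passed as a digest reference (registry/image@sha256:...) produced by the push step. The example authenticates cosign's gcpkms provider through GOOGLE_APPLICATION_CREDENTIALS rather than through gcloud, and the registry and project names in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not the Octez CI script: sign a pushed release image with a
# GCP KMS key through cosign, then verify it against the published public key.
# Assumed CI variables (names as listed in the MR description):
#   GCP_SIGNER_SERVICE_ACCOUNT  service account key JSON, base64-encoded
#   GCP_SIGN_KEY                gcpkms://projects/<p>/locations/<l>/keyRings/<r>/cryptoKeys/<k>/versions/<v>
#   GCP_SIGN_KEY_URL            https URL of the matching public key in PEM form
# The image argument is assumed to be the digest reference produced by the push
# step (registry/image@sha256:...). cosign >= 2.0 and curl are needed for the
# online part; the helper checks run offline.

# A cosign signature binds the manifest digest, so only accept digest
# references: signing "image:tag" would let the tag later be moved to an
# unsigned manifest while the job log still says "signed".
image_ref_is_digest() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Validate the GCP KMS key reference before handing it to cosign, so a
# misconfigured variable fails fast with a clear message instead of a KMS error.
# Project IDs are 6-30 chars, lowercase, start with a letter, no trailing hyphen.
kms_key_uri_valid() {
  printf '%s\n' "$1" | grep -Eq \
    '^gcpkms://projects/[a-z][-a-z0-9]{4,28}[a-z0-9]/locations/[a-z0-9-]+/keyRings/[A-Za-z0-9_-]+/cryptoKeys/[A-Za-z0-9_-]+/versions/[0-9]+$'
}

# Decode the base64 service account key into a mode-0600 temp file and print
# its path. Fails (and leaves no file behind) if the decoded content is not a
# service account key.
write_sa_key() {
  sa_file=$(mktemp) || return 1
  chmod 600 "$sa_file" || return 1
  printf '%s' "$1" | base64 -d > "$sa_file" || { rm -f "$sa_file"; return 1; }
  grep -q '"type": *"service_account"' "$sa_file" || { rm -f "$sa_file"; return 1; }
  printf '%s\n' "$sa_file"
}

# Sign with KMS, then verify the way an end user would: with the public PEM
# only, without any GCP credentials.
sign_and_verify() {
  image="$1"
  image_ref_is_digest "$image" || { echo "refusing to sign a non-digest reference: $image" >&2; return 1; }
  kms_key_uri_valid "$GCP_SIGN_KEY" || { echo "GCP_SIGN_KEY is not a gcpkms:// key version URI" >&2; return 1; }
  sa_file=$(write_sa_key "$GCP_SIGNER_SERVICE_ACCOUNT") \
    || { echo "GCP_SIGNER_SERVICE_ACCOUNT does not decode to a service account key" >&2; return 1; }
  # cosign's gcpkms provider uses Application Default Credentials, so the key
  # file is exposed only through this variable and only for the sign step.
  GOOGLE_APPLICATION_CREDENTIALS="$sa_file" cosign sign --yes --key "$GCP_SIGN_KEY" "$image"
  rc=$?
  rm -f "$sa_file"
  [ "$rc" -eq 0 ] || return "$rc"
  curl -fsSL "$GCP_SIGN_KEY_URL" -o sign-key.pem || return 1
  cosign verify --key sign-key.pem "$image"
}

# Usage: sh sign-image.sh registry.example.com/octez@sha256:<digest>
# With no argument only the functions are defined.
if [ "$#" -gt 0 ]; then
  sign_and_verify "$1"
fi
```

The verify step deliberately uses the downloaded PEM rather than the KMS URI: a verification that still needed the signer service account would not prove anything about what a user can check, and it would hide a mismatch between the KMS key version and the published public key. The three helper checks are what makes a misconfiguration fail in the job log instead of producing a signature on a mutable tag or a confusing KMS permission error.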

Manually testing the MR

As this MR changes the release process, it can be tested in a fork such as https://gitlab.com//tezos/ (for example https://gitlab.com/nomadic-labs/tezos/):

  • Check out the branch and tag its last commit to trigger a test release.
  • Check the jobs oc.docker:amd64 and oc.docker:arm64.
  • If signing and verification both succeed, the job log should show:
    • the cosign splash
    • Pushing signature to: <URL>
    • Verification for: <image digest>
    • the verification message:
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key
[
  {
    "critical": {
      "identity": {
        "docker-reference": "<image>"
      },
      "image": {
        "docker-manifest-digest": "sha256:<digest>"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "<timestamp's signature>",
        "Payload": {
          "body": "<payload>",
          "integratedTime": <time>,
          "logIndex": <logIndex>,
          "logID": "<logId>"
        }
      }
    }
  }
]

Example of a successful job in nomadic-labs/tezos:

This MR is an implementation of this prototype. Examples of successful jobs:

Checklist

  • Document the interface of any function added or modified (see the coding guidelines)
  • Document any change to the user interface, including configuration parameters (see node configuration)
  • Provide automatic testing (see the testing guide).
  • For new features and bug fixes, add an item in the appropriate changelog (docs/protocols/alpha.rst for the protocol and the environment, CHANGES.rst at the root of the repository for everything else).
  • Select suitable reviewers using the Reviewers field below.
  • Select as Assignee the next person who should take action on that MR
Edited by Charles Nguyen
