WIP: Re-implement artifact signing #682

Draft
justusbunsi wants to merge 2 commits from justusbunsi/helm-chart:artifact-signing into main
Member

Description of the change

This re-implements our artifact signing. It had to be disabled in 3265a5ed53, so that we were able to release v10.3.0. This time for both artifacts (tgz file and DockerHub artifact).

Benefits

Improved chain of trust for our users.

Possible drawbacks

Not that I am aware of.

Applicable issues

  • fixes #31

Additional information

During the release of v10.3.0 I noticed that the previous artifact signing only happened during the release. The generated .prov file was never uploaded to https://dl.gitea.com/charts/, so nobody was able to use it for verification. Additionally, only the tgz file was signed, not the OCI artifact on DockerHub.

I've used the Actions feature to ensure these workflow steps work as expected. The only thing I could not test is the "AWS S3 sync". But I hope™️ that this still works with the new aws-cli package from APK.
The published test artifact can be seen at my own DockerHub profile (https://hub.docker.com/r/justusbunsi/gitea/tags)[1]. The cosign transparency log entry can be found here: https://search.sigstore.dev/?logIndex=109502702.

Here are example resources to verify the OCI artifact via FluxCD.

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: cosign-public-keys
  namespace: flux-system
type: Opaque
stringData:
  gitea-helm.pub: |
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKg08MzvDxz4jxzQmL3oBUjjYeFfa
    znbq0J+ACqJFeuniXoJslTh2cGrennbzetb5OC3QAO+g+6b/raUB+1k6Jg==
    -----END PUBLIC KEY-----
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: gitea-helm
  namespace: flux-system
spec:
  url: oci://registry-1.docker.io/justusbunsi/gitea
  interval: 1h
  ref:
    tag: "1.0.0"
  verify:
    provider: cosign
    secretRef:
      name: cosign-public-keys
```

TODOs

GPG signing key

@techknowlogick @lunny, please check that the referenced GPG key is still valid. If not, renew it please.

  • The public key should be uploaded to https://dl.gitea.com/charts/ as helm.pub.

Cosign keypair

@techknowlogick @lunny, please generate a cosign key pair using `cosign generate-key-pair`. You can install cosign with these instructions: https://docs.sigstore.dev/system_config/installation/#with-the-cosign-binary-or-rpmdpkg-package

  • The public key should be uploaded to https://dl.gitea.com/charts/ as cosign.pub.
  • The private key must be added as action secret COSIGN_KEY to this repository.
  • The key passphrase must be added as action secret COSIGN_PASSPHRASE to this repository.

Documentation

  • @justusbunsi, this is your own reminder to add instructions where to find the signing keys. 😆

  1. As soon as this PR is merged, I am going to delete this repository to not confuse users.
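The .prov-based check that the description says users could never run, as an added example (not the chart project's code). It assumes a downloaded .tgz/.prov pair and, for the signature step, gpg installed with a keyring holding the maintainers' helm.pub; the embedded sample archive and .prov are constructed for the demo.

```python
# Added example, not the gitea helm-chart project's code: the check a user runs
# with the .prov file the description says was never published. A Helm .prov is
# a PGP clear-signed message (Chart.yaml, a YAML '...' separator, then 'files:'
# mapping archive name -> sha256). helm verify checks signature AND digest.
import hashlib
import re
import subprocess

_FILES_RE = re.compile(r"^\s+(\S+):\s*sha256:([0-9a-f]{64})\s*$", re.M)


def parse_provenance(prov_text: str) -> dict[str, str]:
    """Return {archive name: sha256 hex} from the signed 'files:' section."""
    body_start = prov_text.find("-----BEGIN PGP SIGNED MESSAGE-----")
    sig_start = prov_text.find("-----BEGIN PGP SIGNATURE-----")
    if body_start < 0 or sig_start < body_start:
        raise ValueError("not a PGP clear-signed provenance file")
    body = prov_text[body_start:sig_start]
    files_idx = body.find("\nfiles:")
    if files_idx < 0:
        raise ValueError("provenance file has no 'files:' section")
    # Scan only after 'files:' so a digest-looking line inside Chart.yaml
    # (e.g. in a description) is never mistaken for the archive digest.
    return {m.group(1): m.group(2) for m in _FILES_RE.finditer(body[files_idx:])}

def digest_matches(tgz_bytes: bytes, archive_name: str, prov_text: str) -> bool:
    """True if the archive's sha256 equals the digest the .prov records for it."""
    expected = parse_provenance(prov_text).get(archive_name)
    return expected is not None and hashlib.sha256(tgz_bytes).hexdigest() == expected

def signature_valid(prov_path: str, keyring_path: str) -> bool:
    """gpg (assumed installed) check against a keyring holding only helm.pub."""
    cmd = ["gpg", "--no-default-keyring", "--keyring", keyring_path, "--verify", prov_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

# Constructed sample: a stand-in archive and a .prov recording its digest.
# The signature block is empty, so only digest_matches() applies to it.
SAMPLE_TGZ = b"constructed stand-in for gitea-10.3.0.tgz"
SAMPLE_PROV = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

name: gitea
version: 10.3.0

...
files:
  gitea-10.3.0.tgz: sha256:{hashlib.sha256(SAMPLE_TGZ).hexdigest()}
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""
```

A matching digest alone only shows the .prov is self-consistent; it is the signature check that ties the digest to the maintainers, so both must pass before the chart is trusted.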

justusbunsi added 1 commit 2024-07-07 19:28:05 +00:00
Re-implement artifact signing
All checks were successful
check-and-test / check-and-test (pull_request) Successful in 37s
bba90bb07b
Signed-off-by: justusbunsi <sk.bunsenbrenner@gmail.com>
justusbunsi requested review from pat-s 2024-07-07 19:28:22 +00:00
justusbunsi added the kind/build label 2024-07-07 19:32:26 +00:00
Owner

`GPG signing key` has been updated. I haven't used `cosign generate-key-pair`. I will try it later.
Author
Member

@lunny, do you need help with the keys?
Member
ping @lunny @techknowlogick
justusbunsi added 1 commit 2024-07-21 11:49:38 +00:00
Merge remote-tracking branch 'upstream/main' into artifact-signing
All checks were successful
check-and-test / check-and-test (pull_request) Successful in 36s
4fa2082846
Author
Member

@lunny @techknowlogick, is there anything I can help to get your TODOs done?
Member

@techknowlogick @lunny We depend on you for this task. Would be great if you could let us know if you have it on your list 🙂
This pull request is marked as a work in progress.
This branch is out-of-date with the base branch