
🌱 Attach and sign SBOM to images #1055

Closed
Tracked by #2131 ...
mudler opened this issue Mar 7, 2023 · 5 comments · Fixed by #1226
Assignees
Labels
ci enhancement New feature or request lane/coco

Comments

@mudler (Member) commented Mar 7, 2023

Is your feature request related to a problem? Please describe.
Now that we have an SBOM file, we can attach it and sign it with cosign so it is signed along with the rest of the process and is easily verifiable with the cosign CLI.

Describe the solution you'd like
The CI should sign and attach the SBOM file automatically when signing images.
When we do this, also create a blog post explaining how users can see the SBOM of the images and validate both the image and the SBOM. Also show how to use grype to generate a security report from it.

Describe alternatives you've considered

Additional context
https://docs.sigstore.dev/cosign/other_types/

@mudler mudler added the enhancement New feature or request label Mar 7, 2023
@mudler mudler self-assigned this Mar 7, 2023
@mudler mudler removed their assignment Mar 7, 2023
@Itxaka (Member) commented Mar 8, 2023

Before signing: cosign attach sbom --sbom SBOM.spdx IMAGE:TAG should make it

@mudler (Member, Author) commented Mar 8, 2023

that attaches it; we also need to sign it after it was attached:

e.g.

$ cosign sign --key cosign.key gcr.io/$(gcloud config get-value project)/alpine:sha256-e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a.sbom

@Itxaka (Member) commented Mar 8, 2023

> that attaches it; we also need to sign it after it was attached:
>
> e.g.
>
> $ cosign sign --key cosign.key gcr.io/$(gcloud config get-value project)/alpine:sha256-e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a.sbom

yes, sorry, that's what I (tried to) mean: we need to attach before signing :D

Bit slow this morning ☕

@mudler (Member, Author) commented Mar 8, 2023

> that attaches it; we also need to sign it after it was attached:
> e.g.
>
> $ cosign sign --key cosign.key gcr.io/$(gcloud config get-value project)/alpine:sha256-e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a.sbom
>
> yes, sorry, that's what I (tried to) mean: we need to attach before signing :D
>
> Bit slow this morning ☕

yup, no worries, it's just for reference for whoever picks up this card
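The attach-then-sign flow discussed above, followed by the verification and grype scan the original request asks the blog post to cover, as an added example. This is not Kairos CI code and not the fix that landed in the referenced PR; it assumes cosign 2.x and grype on PATH, a key pair from `cosign generate-key-pair` (cosign.key / cosign.pub), and an image reference pinned by digest. The repository name, `SBOM.spdx` and the output file name are placeholders; the digest is the one from the cosign example quoted in the thread. Registry-touching commands go through a `run` helper that only prints them while `DRY_RUN=1` (the default), so the flow can be read and checked offline.

```shell
#!/bin/sh
# Added example, not Kairos CI code: attach an SBOM to an image, sign the
# attached SBOM as its own artifact, then verify image + SBOM and scan with
# grype. Assumptions: cosign 2.x and grype on PATH, a key pair from
# `cosign generate-key-pair`, and IMAGE pinned by digest (repo@sha256:...).
# Commands that touch a registry go through run(), which only prints them
# while DRY_RUN=1 (the default here), so the flow can be read offline.
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# sbom_ref REPO DIGEST: the tag cosign uses for an attached SBOM, i.e.
# REPO:sha256-<hex>.sbom (the ':' after the algorithm name becomes '-').
# Rejects anything that is not sha256:<64 hex chars> so a typo cannot
# silently sign the wrong tag.
sbom_ref() {
  repo="$1"
  hex="${2#sha256:}"
  if [ "$hex" = "$2" ] || [ "${#hex}" -ne 64 ]; then
    echo "sbom_ref: expected sha256:<64 hex chars>, got '$2'" >&2
    return 1
  fi
  case "$hex" in
    *[!0-9a-f]*) echo "sbom_ref: non-hex digest '$2'" >&2; return 1 ;;
  esac
  printf '%s:sha256-%s.sbom\n' "$repo" "$hex"
}

# require_digest_ref REF: refuse tag-only references. A tag can be re-pointed
# at a different image after signing, so the .sbom tag must be derived from
# the digest (resolve a tag first with e.g. `crane digest IMAGE:TAG`).
require_digest_ref() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *) echo "expected repo@sha256:<digest>, got '$1'" >&2; return 1 ;;
  esac
}

attach_and_sign() {
  image="$1"; sbom_file="$2"; key="$3"
  require_digest_ref "$image"
  # 1. Attach first: this pushes the SBOM as its own OCI artifact under the
  #    <repo>:sha256-<digest>.sbom tag.
  run cosign attach sbom --sbom "$sbom_file" "$image"
  # 2. Then sign that artifact. Signing the image alone does not cover the
  #    SBOM; an unsigned .sbom tag could be overwritten in the registry.
  #    --yes skips the interactive Rekor-upload prompt (cosign 2.x).
  ref=$(sbom_ref "${image%@*}" "${image#*@}")
  run cosign sign --yes --key "$key" "$ref"
}

verify_and_scan() {
  image="$1"; pub="$2"; out="$3"
  require_digest_ref "$image"
  ref=$(sbom_ref "${image%@*}" "${image#*@}")
  # Verify both the image and the SBOM artifact against the publisher key.
  run cosign verify --key "$pub" "$image"
  run cosign verify --key "$pub" "$ref"
  # Pull the verified SBOM and scan it instead of re-scanning the layers
  # (cosign 2.x prints a deprecation notice for `download sbom`; it still works).
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ cosign download sbom $image > $out"
  else
    cosign download sbom "$image" > "$out"
  fi
  run grype "sbom:$out"
}

# Constructed sample value: placeholder repository, digest taken from the
# cosign example quoted in the thread. Not a real Kairos image.
SAMPLE_IMAGE="gcr.io/example/alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a"

main() {
  attach_and_sign "$SAMPLE_IMAGE" SBOM.spdx cosign.key
  verify_and_scan "$SAMPLE_IMAGE" cosign.pub alpine.sbom.spdx
}

main
```

Run with `DRY_RUN=0` to execute against a real registry. If you only have a tag and a network connection, `cosign triangulate --type sbom IMAGE:TAG` prints the same `.sbom` reference that `sbom_ref` computes here from the digest.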

@jimmykarily jimmykarily moved this from Todo 🖊 to Under review 🔍 in 🧙Issue tracking board Mar 28, 2023
@jimmykarily jimmykarily moved this from Under review 🔍 to Todo 🖊 in 🧙Issue tracking board Mar 28, 2023
@mudler mudler self-assigned this Mar 30, 2023
@mudler mudler moved this from Todo 🖊 to In Progress 🏃 in 🧙Issue tracking board Mar 30, 2023
@github-project-automation github-project-automation bot moved this from In Progress 🏃 to Done ✅ in 🧙Issue tracking board Mar 30, 2023
@mudler mudler reopened this Mar 30, 2023
@github-project-automation github-project-automation bot moved this from Done ✅ to Under review 🔍 in 🧙Issue tracking board Mar 30, 2023
@mudler (Member, Author) commented Mar 30, 2023

doesn't really work

mudler added a commit that referenced this issue Mar 31, 2023
Attempt to fix: #1228 and #1055

Signed-off-by: mudler <[email protected]>
mudler added a commit that referenced this issue Mar 31, 2023
* 🤖 Attach and sign SBOM

Attempt to fix: #1228 and #1055

Signed-off-by: mudler <[email protected]>

* 🤖 Remove bashism, imply that there is a '.sbom' image

Signed-off-by: mudler <[email protected]>

* Enhancements

Signed-off-by: mudler <[email protected]>

---------

Signed-off-by: mudler <[email protected]>
@github-project-automation github-project-automation bot moved this from Under review 🔍 to Done ✅ in 🧙Issue tracking board Apr 3, 2023