From 61475791a952b29ffb94a9ff196e85dfdf479740 Mon Sep 17 00:00:00 2001 From: Chris Porter Date: Fri, 4 Oct 2024 22:33:08 +0000 Subject: [PATCH] Codify the creation of test containers 
Signed-off-by: Chris Porter --- .github/workflows/garm-docker-image.yaml | 37 ---- .github/workflows/porter-gha-testing.yaml | 191 ++++++++++++++++++ container-images/Makefile | 118 +++++++++++ .../configs/ocicrypt-simplekbs.conf | 5 + container-images/configs/ocicrypt.conf | 5 + .../dockerfiles/alpine-with-sshd/Dockerfile | 21 ++ .../dockerfiles/alpine-with-sshd/README.md | 65 ++++++ .../dockerfiles/busybox/Dockerfile | 3 + container-images/keys/encrypt/key1 | 1 + container-images/keys/sign/README.md | 64 ++++++ container-images/keys/sign/cosign.key | 11 + container-images/keys/sign/cosign.pub | 4 + .../keys/sign/git-runner-password.txt | 1 + container-images/keys/sign/github-runner.keys | Bin 0 -> 3772 bytes container-images/keys/ssh/ccv0-ssh | 7 + container-images/keys/ssh/ccv0-ssh.pub | 1 + .../keys/ssh/ssh_host_ed25519_key | 7 + .../keys/ssh/ssh_host_ed25519_key.pub | 1 + container-images/scripts/make-cosign-sig.exp | 16 ++ 19 files changed, 521 insertions(+), 37 deletions(-) delete mode 100644 .github/workflows/garm-docker-image.yaml create mode 100644 .github/workflows/porter-gha-testing.yaml create mode 100644 container-images/Makefile create mode 100644 container-images/configs/ocicrypt-simplekbs.conf create mode 100644 container-images/configs/ocicrypt.conf create mode 100644 container-images/dockerfiles/alpine-with-sshd/Dockerfile create mode 100644 container-images/dockerfiles/alpine-with-sshd/README.md create mode 100644 container-images/dockerfiles/busybox/Dockerfile create mode 100644 container-images/keys/encrypt/key1 create mode 100644 container-images/keys/sign/README.md create mode 100644 container-images/keys/sign/cosign.key create mode 100644 container-images/keys/sign/cosign.pub create mode 100644 container-images/keys/sign/git-runner-password.txt create mode 100644 container-images/keys/sign/github-runner.keys create mode 100644 container-images/keys/ssh/ccv0-ssh create mode 100644 container-images/keys/ssh/ccv0-ssh.pub create mode 100644 
container-images/keys/ssh/ssh_host_ed25519_key create mode 100644 container-images/keys/ssh/ssh_host_ed25519_key.pub create mode 100755 container-images/scripts/make-cosign-sig.exp
diff --git a/.github/workflows/garm-docker-image.yaml b/.github/workflows/garm-docker-image.yaml
deleted file mode 100644
index d3ff31f..0000000
--- a/.github/workflows/garm-docker-image.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-name: Build and push garm docker image
-on: workflow_dispatch
-
-jobs:
- Build-and-Push-Image:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- env:
- REGISTRY: ghcr.io
- IMAGE_NAME: confidential-containers/garm
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- - name: Log in to the Container registry
- uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Extract metadata (tags, labels) for Docker
- id: meta
- uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
- with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
- - name: Build and push Docker image
- uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
- with:
- context: ./github/azure-self-hosted-runners
- push: true
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/porter-gha-testing.yaml b/.github/workflows/porter-gha-testing.yaml
new file mode 100644
index 0000000..885cc12
--- /dev/null
+++ b/.github/workflows/porter-gha-testing.yaml
@@ -0,0 +1,191 @@
+name: Porter GHA Testing
+run-name: ${{ github.actor }} is doing the porter GHA testing
+on: [push]
+jobs:
+ Explore-GitHub-Actions:
+ env:
+ RUSTC_VERSION: 1.72.0
+ #runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
+ #runs-on: self-hosted
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Check out guest-components
+ uses: actions/checkout@v4
+ with:
+ repository: confidential-containers/guest-components
+ ref: refs/heads/main
+ path: ./guest-components
+ - name: Install Protoc
+ uses: arduino/setup-protoc@v3
+ - name: Import github@runner.com key
+ working-directory: container-images
+ run: gpg --batch --import keys/sign/github-runner.keys
+ - name: Install expect
+ run: sudo apt-get install -y expect
+ - name: Install cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: "v2.4.1"
+ - name: Log in to ghcr
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ # 0. all
+ - name: Make all
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: |
+ cd guest-components/attestation-agent/coco_keyprovider
+ cargo build --release
+ RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000 &
+ cd ../../../container-images
+ echo "Waiting for coco-keyprovider on localhost:50000"
+ timeout_count=1
+ while ! nc -z localhost 50000; do
+ timeout_count=$((timeout_count+1))
+ sleep 1
+ if [ $timeout_count == 5 ]; then
+ echo "ERROR: Timed out. Exiting."
+ exit 1
+ fi
+ done
+ echo "coco-keyprovider is ready"
+ make all
+ ## 1. unsig (works)
+ #- name: Make unsig
+ # working-directory: container-images
+ # run: make unsig
+ ## 2. cosign-sig (works)
+ #- name: Make cosign-sig
+ # working-directory: container-images
+ # env:
+ # COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ # run: make cosign-sig
+ ## 3. simple-sig (works)
+ #- name: Make simple-sig
+ # working-directory: container-images
+ # run: make simple-sig
+ ## 4. enc-unsig (works)
+ #- name: Launch coco-keyprovider and make enc-unsig
+ # run: |
+ # cd guest-components/attestation-agent/coco_keyprovider
+ # cargo build --release
+ # RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000 &
+ # cd ../../../container-images
+ # echo "Waiting for coco-keyprovider on localhost:50000"
+ # timeout_count=1
+ # while ! nc -z localhost 50000; do
+ # timeout_count=$((timeout_count+1))
+ # sleep 1
+ # if [ $timeout_count == 5 ]; then
+ # echo "ERROR: Timed out. Exiting."
+ # exit 1
+ # fi
+ # done
+ # echo "coco-keyprovider is ready"
+ # make enc-unsig
+ ## 5. enc-cosign-sig (works)
+ #- name: Launch coco-keyprovider and make enc-cosign-sig
+ # run: |
+ # cd guest-components/attestation-agent/coco_keyprovider
+ # cargo build --release
+ # RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000 &
+ # cd ../../../container-images
+ # echo "Waiting for coco-keyprovider on localhost:50000"
+ # timeout_count=1
+ # while ! nc -z localhost 50000; do
+ # timeout_count=$((timeout_count+1))
+ # sleep 1
+ # if [ $timeout_count == 5 ]; then
+ # echo "ERROR: Timed out. Exiting."
+ # exit 1
+ # fi
+ # done
+ # echo "coco-keyprovider is ready"
+ # make enc-cosign-sig
+ ## 6. test-container-unencrypted (works)
+ #- name: Make test-container-unencrypted
+ # working-directory: container-images
+ # run: make test-container-unencrypted
+ ## 7. test-container-encrypted (works)
+ #- name: Make test-container-encrypted
+ # run: |
+ # cd guest-components/attestation-agent/coco_keyprovider
+ # cargo build --release
+ # RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000 &
+ # cd ../../../container-images
+ # echo "Waiting for coco-keyprovider on localhost:50000"
+ # timeout_count=1
+ # while ! nc -z localhost 50000; do
+ # timeout_count=$((timeout_count+1))
+ # sleep 1
+ # if [ $timeout_count == 5 ]; then
+ # echo "ERROR: Timed out. Exiting."
+ # exit 1
+ # fi
+ # done
+ # echo "coco-keyprovider is ready"
+ # make test-container-encrypted
+ ## 8. busybox (works)
+ #- name: Make busybox
+ # working-directory: container-images
+ # run: make busybox
+ #
+ #
+ #
+ #
+ #
+ #
+ #
+ #
+ #
+ #
+ #
+ #- name: runc version check
+ # run: |
+ # runc --version
+ #- name: Basic echo and docker version
+ # run: |
+ # echo "Start 1"
+ # docker --version
+ # echo "End"
+ #- name: Check if gcc is here
+ # run: |
+ # gcc -dumpmachine
+ #- name: What is my whatever
+ # run: |
+ # which clang
+ #- name: build main.c
+ # working-directory: try-static-link
+ # run: |
+ # gcc main.c
+ # ldd a.out
+ #- name: build main.c with static link
+ # working-directory: try-static-link
+ # run: |
+ # gcc -static main.c
+ # ldd a.out
+ #- name: Check for oras
+ # run: |
+ # oras --help
+ #- name: Check for rustc
+ # run: |
+ # rustc --version
+ #- name: Check gpg
+ # run: |
+ # gpg --version
+ #- name: Rust toolchain installation
+ # uses: actions-rs/toolchain@v1
+ # with:
+ # profile: minimal
+ # toolchain: ${{ env.RUSTC_VERSION }}
+ # override: true
+ # components: rustfmt, clippy
+ # target: x86_64-unknown-linux-gnu
+ #- name: Check for nc
+ # run: nc -h
diff --git a/container-images/Makefile b/container-images/Makefile
new file mode 100644
index 0000000..fba0123
--- /dev/null
+++ b/container-images/Makefile
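Review bot: The new job has no `permissions:` block even though the `Log in to ghcr` step uses `secrets.GITHUB_TOKEN` and `make all` pushes images, so it runs with whatever the repository's default token scope is; the deleted garm-docker-image.yaml scoped this to `contents: read` / `packages: write`, and those two lines belong under `Explore-GitHub-Actions:` here too. `uses: sigstore/cosign-installer@main` is the only action on a mutable branch ref, and it installs the tool that then signs with the committed key; pin it to a release tag or commit SHA as `actions/checkout@v4` and `docker/login-action@v3` are. Because `on: [push]` fires for every branch, each push re-signs and overwrites the `ghcr.io/.../test-container` tags, which is presumably not intended outside `main` or a manual `workflow_dispatch`. The commented-out steps from `## 1. unsig (works)` to `# run: nc -h` are dead configuration; keeping them in git history or a separate scratch file would make the live workflow much shorter to review.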
@@ -0,0 +1,118 @@
+#
+# This makefile's targets rebuild various container images that can be used
+# for development and testing in the CoCo project.
+# They also are intended to serve as an up-to-date reference for creating
+# new images.
+#
+# Note: The targets push to ghcr, which requires proper credentials and
+# `docker login`.
+#
+
+.PHONY: unsig \
+cosign-sig \
+simple-sig \
+enc-unsig \
+enc-cosign-sig \
+test-container-unencrypted \
+test-container-encrypted \
+busybox
+
+SHELL=/bin/bash
+
+
+# FIXME need to choose sane package URLs/names/tags
+COCO_PKG=confidential-containers/test-container
+COCO_PKG_IMGRS=confidential-cointainers/test-container-image-rs
+
+
+
+all: \
+ unsig \
+ cosign-sig \
+ simple-sig \
+ enc-unsig \
+ enc-cosign-sig \
+ test-container-unencrypted \
+ test-container-encrypted \
+ busybox
+
+
+
+unsig:
+ docker build \
+ -t ghcr.io/$(COCO_PKG):unsig \
+ -f dockerfiles/alpine-with-sshd/Dockerfile \
+ .
+ docker push ghcr.io/$(COCO_PKG):unsig
+
+
+cosign-sig:
+ docker build \
+ -t ghcr.io/$(COCO_PKG):cosign-sig \
+ -f dockerfiles/alpine-with-sshd/Dockerfile \
+ .
+ docker push ghcr.io/$(COCO_PKG):cosign-sig
+ # FIXME Replace expect script with something better
+ ${CURDIR}/scripts/make-cosign-sig.exp $(COCO_PKG) cosign-sig
+
+
+# NOTE: This depends on a gpg key owned by git@runner.com.
+# That is, before issuing this make target, have to do something like:
+# $ gpg --batch --import ./keys/sign/github-runner.keys
+simple-sig:
+ skopeo \
+ copy \
+ --debug \
+ --insecure-policy \
+ --sign-by git@runner.com \
+ --sign-passphrase-file $(shell pwd)/keys/sign/git-runner-password.txt \
+ docker-daemon:ghcr.io/$(COCO_PKG):unsig \
+ docker://ghcr.io/$(COCO_PKG):simple-sig
+
+
+# NOTE: This requires coco-keyprovider running from guest-components...
+# That is, before issuing this make target, have to do something like:
+# $ cd guest-components/attestation-agent/coco_keyprovider
+# $ RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000
+enc-unsig: unsig
+ OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+ skopeo copy \
+ --insecure-policy \
+ --encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+ docker-daemon:ghcr.io/$(COCO_PKG):unsig \
+ docker://ghcr.io/$(COCO_PKG):enc-unsig
+
+
+# NOTE: see enc-unsig about coco-keyprovider
+# NOTE: see cosign-sig about replacing expect script
+enc-cosign-sig: cosign-sig
+ OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+ skopeo copy \
+ --insecure-policy \
+ --encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+ docker-daemon:ghcr.io/$(COCO_PKG):cosign-sig \
+ docker://ghcr.io/$(COCO_PKG):enc-cosign-sig
+ ./scripts/make-cosign-sig.exp $(COCO_PKG) enc-cosign-sig
+
+
+test-container-unencrypted:
+ docker build \
+ -t ghcr.io/$(COCO_PKG):unencrypted \
+ -f dockerfiles/alpine-with-sshd/Dockerfile \
+ .
+ docker push ghcr.io/$(COCO_PKG):unencrypted
+
+
+# NOTE: see enc-unsig about coco-keyprovider
+test-container-encrypted: test-container-unencrypted
+ OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+ skopeo copy \
+ --insecure-policy \
+ --encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+ docker-daemon:ghcr.io/$(COCO_PKG):unencrypted \
+ docker://ghcr.io/$(COCO_PKG):encrypted
+
+
+busybox:
+ docker build -t ghcr.io/$(COCO_PKG_IMGRS):busybox dockerfiles/busybox
+ docker push ghcr.io/$(COCO_PKG_IMGRS):busybox
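Review bot: `COCO_PKG_IMGRS=confidential-cointainers/test-container-image-rs` misspells the organisation, so the `busybox` target pushes to `ghcr.io/confidential-cointainers/...` rather than the namespace `COCO_PKG` uses; `COCO_PKG_IMGRS=confidential-containers/test-container-image-rs` is presumably what was meant. `all` is missing from `.PHONY`, so a stray file named `all` in this directory would silently make `make all` a no-op. The `cosign-sig` recipe invokes the expect script as `${CURDIR}/scripts/...`, `enc-cosign-sig` as `./scripts/...`, and the skopeo recipes build paths with `$(shell pwd)`; using `$(CURDIR)` throughout removes the inconsistency and the extra shell forks. Every `skopeo copy` passes `--insecure-policy`, which is defensible for throw-away test images but deserves a one-line comment so it is not copied into production recipes, e.g. `# --insecure-policy: no signature policy is enforced on the source; these are test images only`.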
diff --git a/container-images/configs/ocicrypt-simplekbs.conf b/container-images/configs/ocicrypt-simplekbs.conf
new file mode 100644
index 0000000..f2870e8
--- /dev/null
+++ b/container-images/configs/ocicrypt-simplekbs.conf
@@ -0,0 +1,5 @@
+{
+ "key-providers": {
+ "attestation-agent": {
+ "grpc": "127.0.0.1:44444"
+}}}
diff --git a/container-images/configs/ocicrypt.conf b/container-images/configs/ocicrypt.conf
new file mode 100644
index 0000000..52bc66d
--- /dev/null
+++ b/container-images/configs/ocicrypt.conf
@@ -0,0 +1,5 @@
+{
+ "key-providers": {
+ "attestation-agent": {
+ "grpc": "127.0.0.1:50000"
+}}}
diff --git a/container-images/dockerfiles/alpine-with-sshd/Dockerfile b/container-images/dockerfiles/alpine-with-sshd/Dockerfile
new file mode 100644
index 0000000..aefa66e
--- /dev/null
+++ b/container-images/dockerfiles/alpine-with-sshd/Dockerfile
@@ -0,0 +1,21 @@
+FROM alpine:3.14
+RUN apk update && apk upgrade && apk add openssh-server
+
+# Use the ssh-demo image's legacy keys. To generate new ones, can do something
+# like:
+# RUN ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -P ""
+COPY keys/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key
+COPY keys/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_ed25519_key.pub
+
+# A password needs to be set for login to work. An empty password is
+# unproblematic as password-based login to root is not allowed.
+RUN passwd -d root
+
+# Use the ssh-demo user/client's legacy keys. To generate new ones, can do
+# something like:
+# $ ssh-keygen -t ed25519 -f ccv0-ssh -P "" -C ""`
+COPY keys/ssh/ccv0-ssh.pub /root/.ssh/authorized_keys
+ENTRYPOINT /usr/sbin/sshd -D
+
+# Can connect to the running container with something like:
+# $ ssh -i keys/ssh/ccv0-ssh root@
diff --git a/container-images/dockerfiles/alpine-with-sshd/README.md b/container-images/dockerfiles/alpine-with-sshd/README.md
new file mode 100644
index 0000000..e08cee4
--- /dev/null
+++ b/container-images/dockerfiles/alpine-with-sshd/README.md
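Review bot: `ocicrypt-simplekbs.conf` is not referenced by the Makefile or the workflow in this patch (every `OCICRYPT_KEYPROVIDER_CONFIG` points at `configs/ocicrypt.conf`), so it is unclear which key provider is expected to listen on `127.0.0.1:44444` or when this file is meant to be selected. JSON has no comment syntax, so the intent should be recorded in the Makefile header or a `configs/README`, e.g. `# ocicrypt-simplekbs.conf: alternative key-provider endpoint (port 44444); not used by any target yet`. Closing the document with `+}}}` on one line is valid but hard to read; one closing brace per line, mirroring the opening nesting, would help here and in `ocicrypt.conf`.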
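Review bot: `ENTRYPOINT /usr/sbin/sshd -D` is the shell form, so PID 1 is `/bin/sh -c` and sshd is a child that never receives the SIGTERM sent by `docker stop`; the exec form `ENTRYPOINT ["/usr/sbin/sshd", "-D"]` avoids that. `FROM alpine:3.14` is a release that no longer receives security updates, so the `apk upgrade` on the next line cannot bring `openssh-server` current; a supported Alpine tag is safer even for a test image. The comment above `RUN passwd -d root` says password login to root is not allowed, but nothing in the Dockerfile configures that — it relies on sshd's compiled-in defaults — so setting `PasswordAuthentication no` and `PermitEmptyPasswords no` explicitly in `/etc/ssh/sshd_config` would make the comment true by construction. The final comment ends in `root@`; the host placeholder appears to have been lost.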
@@ -0,0 +1,65 @@
+# SSH demo
+
+To demonstrate confidential containers capabilities, we run a pod with SSH public key authentication.
+
+Compared to the execution of and login to a shell on a pod, an SSH connection is cryptographically secured and requires a private key.
+It cannot be established by unauthorized parties, such as someone who controls the node.
+The container image contains the SSH host key that can be used for impersonating the host we will connect to.
+Because this container image is encrypted, and the key to decrypting this image is only provided in measurable ways (e.g. attestation or encrypted initrd), and because the pod/guest memory is protected, even someone who controls the node cannot steal this key.
+
+## Using a pre-provided container image
+
+If you would rather build the image with your own keys, skip to [Building the container image](#building-the-container-image).
+The [operator](/demos/operator-demo) can be used to set up a compatible runtime.
+
+A demo image is provided at [docker.io/katadocker/ccv0-ssh](https://hub.docker.com/r/katadocker/ccv0-ssh).
+It is encrypted with [Attestation Agent](https://github.com/confidential-containers/attestation-agent)'s [offline file system key broker](https://github.com/confidential-containers/attestation-agent/tree/64c12fbecfe90ba974d5fe4896bf997308df298d/src/kbc_modules/offline_fs_kbc) and [`aa-offline_fs_kbc-keys.json`](./aa-offline_fs_kbc-keys.json) as its key file.
+The private key for establishing an SSH connection to this container is given in [`ccv0-ssh`](./ccv0-ssh).
+To use it with SSH, its permissions should be adjusted: `chmod 600 ccv0-ssh`.
+The host key fingerprint is `SHA256:wK7uOpqpYQczcgV00fGCh+X97sJL3f6G1Ku4rvlwtR0`.
+
+All keys shown here are for demonstration purposes.
+To achieve actually confidential containers, use a hardware trusted execution environment and **do not** reuse these keys.
+
+Continue at [Connecting to the guest](#connecting-to-the-guest).
+
+## Building the container image
+
+The image built should be encrypted.
+To receive a decryption key at run time, the Confidential Containers project utilizes the [Attestation Agent](https://github.com/confidential-containers/attestation-agent).
+
+### Generating SSH keys
+
+```sh
+$ ssh-keygen -t ed25519 -f ccv0-ssh -P "" -C ""
+```
+
+generates an SSH key `ccv0-ssh` and the correspondent public key `ccv0-ssh.pub`.
+
+### Building the image
+
+The provided [`Dockerfile`](./Dockerfile) expects `ccv0-sh.pub` to exist.
+Using Docker, you can build with
+
+```sh
+$ docker build -t ccv0-ssh .
+```
+
+Alternatively, Buildah can be used (`buildah build` or formerly `buildah bud`).
+The SSH host key fingerprint is displayed during the build.
+
+## Connecting to the guest
+
+A [Kubernetes YAML file](./k8s-cc-ssh.yaml) specifying the [`kata`](https://github.com/kata-containers/kata-containers) runtime is included.
+If you use a [self-built image](#building-the-container-image), you should replace the image specification with the image you built.
+The default tag points to an `amd64` image, an `s390x` tag is also available.
+With common CNI setups, on the same host, with the service running, you can connect via SSH with
+
+```sh
+$ ssh -i ccv0-ssh root@$(kubectl get service ccv0-ssh -o jsonpath="{.spec.clusterIP}")
+```
+
+You will be prompted about whether the host key fingerprint is correct.
+This fingerprint should match the one specified above/displayed in the Docker build.
+
+`crictl`-compatible [sandbox](./cri-sandbox-config.yaml) and [container](./cri-container-config.yaml) configurations are also included, which forward the pod SSH port (22) to 2222 on the host (use the `-p` flag in SSH).
diff --git a/container-images/dockerfiles/busybox/Dockerfile b/container-images/dockerfiles/busybox/Dockerfile
new file mode 100644
index 0000000..5f1b2db
--- /dev/null
+++ b/container-images/dockerfiles/busybox/Dockerfile
@@ -0,0 +1,3 @@
+FROM busybox:1.36
+
+CMD ["sh"]
diff --git a/container-images/keys/encrypt/key1 b/container-images/keys/encrypt/key1 new file mode 100644 index 0000000..143d8f4 --- /dev/null +++ b/container-images/keys/encrypt/key1 @@ -0,0 +1 @@ +0����r���Z�OR��U���C<�c�\�B \ No newline at end of file diff --git a/container-images/keys/sign/README.md b/container-images/keys/sign/README.md new file mode 100644 index 0000000..4c68264 --- /dev/null +++ b/container-images/keys/sign/README.md 
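Review bot: `keys/encrypt/key1` is the raw symmetric key that the Makefile's `enc-unsig`, `enc-cosign-sig` and `test-container-encrypted` targets pass as `keypath=`, committed in the clear, and the same applies to `keys/sign/cosign.key`, `keys/sign/github-runner.keys`, `keys/ssh/ccv0-ssh` and `keys/ssh/ssh_host_ed25519_key` plus the passphrase in `keys/sign/git-runner-password.txt`. The sign README says this is deliberate for testing, but that consequence should sit next to the material itself, e.g. a `keys/README.md` stating `These keys and passphrases are public test fixtures: anything encrypted, signed or served with them offers no protection and must not be reused outside throw-away test images.` Secret scanners (GitHub push protection, gitleaks and similar) will flag the PEM blocks and the password file, so expect to allowlist these exact paths rather than disabling scanning for the repository. `key1` has no trailing newline and git rendered it as text; a `.gitattributes` entry such as `container-images/keys/encrypt/key1 binary` keeps future diffs from showing it as mojibake.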
@@ -0,0 +1,64 @@
+# README
+
+
+## For cosign
+Keys are generated with something like:
+ $ COSIGN_PASSWORD=just1testing2password3 cosign generate-key-pair
+
+Then upload them manually to the github repo's secrets. Name them like so:
+ COSIGN_PASSWORD
+ COSIGN_PRIVATE_KEY
+ COSIGN_PUBLIC_KEY
+
+Also a good tutorial is here, though the approach is a little more autoamted
+and has a keener eye towards real-world usage:
+ https://dev.to/n3wt0n/sign-your-container-images-with-cosign-github-actions-and-github-container-registry-3mni
+The key-generation step would be more like the following, which automatically
+uploads the public key, private key, and key secret to the github repo:
+ $ GITHUB_TOKEN=ghp_... \
+ COSIGN_PASSWORD=just1testing2password3 \
+ cosign generate-key-pair github://portersrc/infra
+This may be a better realistic case, but it puts the private key in a github
+secret, and I want to just keep it open and readable in the infra repo for
+testing purposes.
+
+
+
+
+
+
+
+## For "simple signing" (i.e. with gpg)
+The first step was to generate a key. Choose the default options for these
+purposes. The command is:
+ $ gpg --full-generate-key
+It has some prompts. The user for testing purposes is:
+ Github Runner
+ git@runner.com
+Password:
+ just1testing2password3
+
+
+Then we exported it. The --export-secret-key option is sufficient for
+exporting both the secret and public key. Example command:
+ $ gpg --export-secret-key F63DB2A1AB7C7F195F698C9ED9582CADF7FBCC5D &> github-runner.keys
+
+This is all that was needed (in addition to creating a .txt file with
+the password to make automation with skopeo testing easy).
+
+The CI will import the key (using --batch to avoid typing the password):
+ $ gpg --batch --import github-runner.keys
+
+
+Other helpful commands...
+List public and secret keys:
+ $ gpg --list-keys
+ $ gpg --list-secret-keys
+
+Example of deleting a key (must first delete the secret one first, then the
+public one):
+ $ gpg --delete-secret-keys F63DB2A1AB7C7F195F698C9ED9582CADF7FBCC5D
+ $ gpg --delete-keys F63DB2A1AB7C7F195F698C9ED9582CADF7FBCC5D
+
+
+
diff --git a/container-images/keys/sign/cosign.key b/container-images/keys/sign/cosign.key
new file mode 100644
index 0000000..1785a96
--- /dev/null
+++ b/container-images/keys/sign/cosign.key
@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
+OCwicCI6MX0sInNhbHQiOiJYc083MWhFYVZEMEdMdDh3Q0ZmTU9ybmxKb0RQMG90
+dGY5bnJmTlZJbXVnPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJlWlZDRGI0c0RMT1NzWnZ1QjV0WjAwVjhBMkorV3gvQSJ9LCJj
+aXBoZXJ0ZXh0IjoiSlhLOXFUZzNJaFlMNkd0MG9qekpyUkQ0ZXRjUkh0RmZmYUJB
+L3VmZDFUNFVXQVphcytmR0NGNjFQQnlVTDljTTdONzl2MUIrSDhtd0FhZmYycUVj
+S0RUM3hSYTMwcU9ET29uQUQ0WnRGT1h5K3Zwd0xkcThjT2JkQTZBUVdSREpFZzlL
+ak1zUjZXNVRuSk9xL0ZHc1g2a2QzbjZNbnlZM2ptaXY1V0sveGVJeUdUVUJhVVJM
+W1o2MmdWeHlCTzhtNzZRaHcrK1g5NTRqWUE9PSJ9
+-----END ENCRYPTED SIGSTORE PRIVATE KEY-----
diff --git a/container-images/keys/sign/cosign.pub b/container-images/keys/sign/cosign.pub
new file mode 100644
index 0000000..97c389d
--- /dev/null
+++ b/container-images/keys/sign/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWT07eR1HNK3D2iqHotE0c389aSTh
+Lj0B39PXTBcJzJpkXPO82lLGQdc47V5HPWaPZ2Fc3DWyRoz1oWbnLlvQ5Q==
+-----END PUBLIC KEY-----
diff --git a/container-images/keys/sign/git-runner-password.txt b/container-images/keys/sign/git-runner-password.txt
new file mode 100644
index 0000000..2912acc
--- /dev/null
+++ b/container-images/keys/sign/git-runner-password.txt
@@ -0,0 +1 @@
+just1testing2password3
diff --git a/container-images/keys/sign/github-runner.keys b/container-images/keys/sign/github-runner.keys new file mode 100644 index 0000000000000000000000000000000000000000..cadfcb7a2b9a013aa5efec8f6cd2635825acc65e GIT binary patch literal 3772 zcmV;t4ny&k1%?D>|Dr_!3;^J&F$mzBwdrd!hFM7x&)z|-E~jNOli>rr?Js*;GCV!W zR;(8wf%jChV{}oxIHNhMz2~rZz1^EKI!p)|Z9oA>tJOS>Ld9HM&TI7^6i=Th^TXb{ z+||9K+=fK&H|MFZ)TP0#XqN9t1Cn-o8(cTw`rK(7cWm9~ZNAGDEo3(5e56S;^M)jH zm`Pc5^+#Kqer~l)26A>s*lk$-kq)0P=OeH?1I7oXAKXMhEqz`UwWsD@=33HDHx}0T z+}s0#IkE*k&o#zCXk>;9{+jhA2~&=l130-0TlE)Zb+C_YTnmp@#9>h}*50L>Z=2}T z)FsQPQ`Y2I|LZ34#P@Q&U4WAjIUy_h+$J1?1#2f$Tw~4F+XhuE?M(6PO%vx!E1Uu@Nq@SkOPM-PGq z&n_5tnl+*div&~MAT*p)@B?m7z+Pzu7{3&`-VOV*D+kA2hYbJ`0RRF12Ll2Y1zmRo zUKarS$ELTyG9ZN9|Kl^)wXw7^1vjx{9FK8nqDqFfd1aF```$=H?&v_I9*f}0Q&>w{ z0&j&keAr;+p=EXKh%Nq`45QAXM8ky`_uL@qN!$k9VB1h@w9@YCV`dTs(S|cx%xl2j zwULL;?r_JJRa9f7vW=)an=@h|2p^$WdF+fwhg&pWez}Z1OSC2QZx+~HP(Hoby|ofc&wzYuPuMd>$2k^O)It=_}DlAV-)oP=CBL6lh2nFohV|*JuKEn5gz`d*Bu|^7$Rv(Frptp zHUt0V#V?O~9Q%(=OrU)hN^b`K?8x85vD5Wx(iF8YxQS}QCb)es64&<#3cZ($b)8K9 zxBffdL>%n@zU))Im}uL%tMhCP^5(;TqLyGUdbD?1NoI!-9N0d6)PavjwTuC%x05+4 z%yj8(vldv!Qz7`I&m9!n@2hx3RN1)T(8Tmov?z+Im5V9WGqgi)yQ7~+z#JFm?Lq$! z2!H>-{2s;m8XEq(%@8HgQW0_F6{c3mK{HPrd6LR)Z-G%5c*9G~88q)bkyUi>n5yld zOeI9N^e|i2&8@^Z3iv_chop)Lp@M_G#E14(G1=NtaiY8=4n?oet!0c2&V_XjlDG9`7LVXeqL?oM(Z$1nwV&YT2| zR2bVLqMjLO_7<*t0|}tY{RXZF>x>eepGqh8iq*?69QuO1-ht_kWazZG9~i?0+%Erz zPD45182-!A>42fXrwV)pw707XLBz3NjDsJ;m0Zay#L3ywx3iQHmGjT)i4JUUnyY-w zZ{M4{CI!nl0or!kbZB*AAX0U1Ze?;HJZEWiKyr0%Ze?;VV{dIf zi2=?869EbUI2IuU_C2zpt9*YMUule<*;p*C_xsFU1p;ROqD2B50|g5S2nPZN6$%Lm z3jzcd0s{d89svRufB*^!5ZPEPt@r!PU1S~$|60aGVY-#B(nY9Y=rWbC8R7&K;bnw-N(rl zmvsPK{fm@d^7k?c63CgBTi(D&EkeCC{};OFtN=$`_IV?m!Pm~(!$zuPAf+Y|<4my! 
zZY3pB4YL@j)zzu%58bAdH9OXPpIx z1ZMxDMF9)|p3_E4Tu>7m_Zgdy-*hXGw1VqoTw=Y0Q=#YHO?zbx4Ift73^#m_=O~9L zj{UeB8 z#qm4I6p#PhmtANF`A+lK{IU@ZbMj_mhKp%5J{YLY7$h>4Ev>$UG0FVVYH{P*(xgN7 zqffc&Xx9yuRFC|?1M=7LV9e(S(kD1De%4-BvfuY&c2$ZtT0Y1ol+eas*8PlCgZn)Z z1S^JwkRjxQXjF@LT-@VHsT@C{8Gn5pBRN*s48LrMWB8Nu9NP_SLLtHxdUw1-umPw? zxeih!rsT~JAjLctH6TbsLYQOne>v1rU+W!IQr?a} zm${@Clt8^MC5JlR6UP_$5n*6s$Rxey7cheUQr~kQZEpn}chnC%K@|6r9Pk^m!U^Ux z@}yEh4HvZui7-n?sU27oYf(7z9X_p*WZ_kb01*KI0saRA0$LjrY@7rSsrwO4u;+7u z6+=*drEFl`BgkRG(Mo>kUd8c=SU^ja9lT|N?`oEUV#V>4&6 zqdn=Lv@%bX<1~Gll`N4QS~tm57lPy-LTXxtH@=+`$#TSgA-QULTg#=I;&LmSbmPZZ zk}hCAN*~G?wf+#joSbjzvm@Zp%oXH3#q#~4xxaYiiVr-S5GJ8gr||HqNx_xCiYNSHJ6#7e3Ma-z;bZ235OxGI#k*<%ln`+Mi1nq zgM^*b{Ya+8qa2v6pwChn4o|y{bpXH|b>)F@p$o(C=HWwlbv&JF^U+;(kEW>x&s~bT z#S^QOdhU-dC@s!zeDjLL_*>$68uFSX6L5HoNetFc2CH13qmjPI?qG$JP^!iwrLEQ1fb&FpCI9*sZHPWtwSqQDI zhUV`+et*$eD)`9t+HF=%PQ&3WU&hS68yv_~G@Gyvna#@%2FA^KIG26Zo60=UMmKR9 zJ=O5BR^AH70Z)OIarcu-?8DChM?rjJTVe1*LahtPqCwHU$e3k$?}3P zrPKB-->ctkOj@X{t53G$pP&t)BTm8UEiUbe6m*Y!2cG&}zh55|Fv@8G4)VQt4t1F6 zXS2Hzb!vUaWjA1tRVev;zYj;*7R2KiB>E1rRIVv1rf8aW3qjdliH^BibT9;%ZY2Fv z2(h7Y%`MpAqAQ};%$MZnb00@WBsYr+;G=`L)RtQdoe4=^WopxZ$#)HPlCbynt4|dR z;+-2@T~@VwEOS~>zCIdSIi^yi^mex@o8^M(0lE#`h6U{Nl0v%|M7duh{v*+Ju?*AP z2#dz+g-7Pr$MlH-wgeaf3IHG$Aq4h4vZ1Sde;HqCjGoz8EUowZ%v}WnX8)o^0vikf z3JDO|SS+pg`^;Tt@C*Qv^dsIg&JlWV9bC??wc7Hi`@pcat0rOF4s?y6>^T&ViPz_9 zQy;;bB5W}ix3VEm)N;DTe^Aue`x#Asc0clw`Dod%kFxg{^yu`#@T>Mb z*Akk!v|TfY6RcsO0nHqO?Xr@h^c%_pDPH=?+ixRgClwjU?8a&*ja_57^2aWH mPiUQPK%*zvlKnLAim@7yZ<|6mG*)oEX>ygR+;SeQHbs(GDM6wD literal 0 HcmV?d00001 diff --git a/container-images/keys/ssh/ccv0-ssh b/container-images/keys/ssh/ccv0-ssh new file mode 100644 index 0000000..0657b74 --- /dev/null +++ b/container-images/keys/ssh/ccv0-ssh 
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAfiGV2X4o+6AgjVBaY/ZR2UvZp84dVYF5bpNZGMLylQwAAAIhawtHJWsLR
+yQAAAAtzc2gtZWQyNTUxOQAAACAfiGV2X4o+6AgjVBaY/ZR2UvZp84dVYF5bpNZGMLylQw
+AAAEAwWYIBvBxQZgk0irFku3Lj1Xbfb8dHtVM/kkz/Uz/l2h+IZXZfij7oCCNUFpj9lHZS
+9mnzh1VgXluk1kYwvKVDAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----
diff --git a/container-images/keys/ssh/ccv0-ssh.pub b/container-images/keys/ssh/ccv0-ssh.pub
new file mode 100644
index 0000000..d412d78
--- /dev/null
+++ b/container-images/keys/ssh/ccv0-ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+IZXZfij7oCCNUFpj9lHZS9mnzh1VgXluk1kYwvKVD
diff --git a/container-images/keys/ssh/ssh_host_ed25519_key b/container-images/keys/ssh/ssh_host_ed25519_key
new file mode 100644
index 0000000..59240d5
--- /dev/null
+++ b/container-images/keys/ssh/ssh_host_ed25519_key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBZCWq2MBTX8Bkvdtf9htpfqTTosRzYtTQgbeHADF1k3wAAAJiKehLQinoS
+0AAAAAtzc2gtZWQyNTUxOQAAACBZCWq2MBTX8Bkvdtf9htpfqTTosRzYtTQgbeHADF1k3w
+AAAEAlKROeyUCGfooVH87ObAnd4FAgvSnCgiIY2R6G+PpRTVkJarYwFNfwGS921/2G2l+p
+NOixHNi1NCBt4cAMXWTfAAAAFHJvb3RAYnVpbGRraXRzYW5kYm94AQ==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/container-images/keys/ssh/ssh_host_ed25519_key.pub b/container-images/keys/ssh/ssh_host_ed25519_key.pub
new file mode 100644
index 0000000..9b9fd21
--- /dev/null
+++ b/container-images/keys/ssh/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFkJarYwFNfwGS921/2G2l+pNOixHNi1NCBt4cAMXWTf root@buildkitsandbox
diff --git a/container-images/scripts/make-cosign-sig.exp b/container-images/scripts/make-cosign-sig.exp
new file mode 100755
index 0000000..01e488f
--- /dev/null
+++ b/container-images/scripts/make-cosign-sig.exp
@@ -0,0 +1,16 @@
+#!/usr/bin/expect
+
+set COCO_PKG [lindex $argv 0]
+set IMG_TAG [lindex $argv 1]
+
+# XXX ONLY use for testing. Private key (cosign.key) is obviously exposed.
+# And the password for this key is: just1testing2password3
+spawn cosign sign --key keys/sign/cosign.key ghcr.io/$COCO_PKG:$IMG_TAG
+
+#By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
+expect "Are you sure you would like to continue?"
+
+# yes
+send -- "y\n"
+
+expect eof
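Review bot: The script ends at `expect eof` without ever checking cosign's exit status, so `make cosign-sig` and `make enc-cosign-sig` report success even when signing fails (wrong passphrase, registry rejection, missing key file). Add `lassign [wait] pid spawn_id os_error status` followed by `exit $status` after `expect eof` so the Makefile sees the real result. `expect "Are you sure you would like to continue?"` also falls through after the default 10-second timeout and sends `y` blindly into whatever cosign printed instead; a `timeout { exit 1 }` arm fails fast. The Makefile's FIXME about replacing this script can be resolved by `cosign sign --yes`, which skips that confirmation prompt and removes the need for expect entirely.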