SLSA attestations for the Build resource (aka app image attestations) #1449
Commits on Jan 12, 2024
generate project metadata for all source types
Before, we were only generating it for the git source type. This eventually gets turned into a label on the image as specified in https://github.com/buildpacks/spec/blob/main/platform.md#iobuildpacksprojectmetadata-json

Signed-off-by: Bohan Chen <[email protected]>
Commit 2e1d61f
add support for basic slsa statements
TODO:
- extract source from app image labels
- record builder image

Signed-off-by: Bohan Chen <[email protected]>
Commit 67adab8
add ability to extract metadata from images
The source metadata is read in from the project-metadata label on the built image. This is done for 2 reasons:
1. It resolves floating pointers to concrete SHAs. This can be the case with a git source pointing to a branch, or a registry source pointing to a tag. We also can't figure out a blob's checksum without actually pulling it.
2. It guarantees that this is the version pulled down by the `prepare` step and avoids weird TOCTOU edge cases where the underlying bits changed between the creation of the Build and the execution of the container.

By exporting the Project, Source, Metadata, and Version structs, I hope to create a code relation between the different packages, so that if we ever change one in the future, the compiler will yell at us instead of us having to remember the relationship.

Signed-off-by: Bohan Chen <[email protected]>
Commit 99861bd
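The pinning rule the commit above describes (take the concrete identifier from the `io.buildpacks.project.metadata` label that the `prepare` step wrote, never the floating ref from the Build spec), as an added Go example. This is not kpack's code: the label layout (`source.type` / `source.version.commit` / `source.metadata.repository`, `revision`) is assumed from the buildpacks platform spec, only the git source type is modeled (kpack's blob and registry layouts are not reproduced), the repository URL and commit are constructed, and the `ResourceDescriptor` shape follows a SLSA v1 `resolvedDependencies` entry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"regexp"
)

// SampleLabel is a constructed io.buildpacks.project.metadata value for a git
// source whose Build pointed at the floating ref "main". The layout is assumed
// from the buildpacks platform spec; the repository and commit are made up.
const SampleLabel = `{"source":{"type":"git","version":{"commit":"8f3c2a1d9b6e5f4a7c0d1e2f3a4b5c6d7e8f9a0b"},"metadata":{"repository":"https://github.com/example/app.git","revision":"main"}}}`

// ProjectMetadata is the subset of the label needed for provenance.
type ProjectMetadata struct {
	Source struct {
		Type     string            `json:"type"`
		Version  map[string]string `json:"version"`
		Metadata map[string]string `json:"metadata"`
	} `json:"source"`
}

// ResourceDescriptor has the shape of a SLSA v1 resolvedDependencies entry.
type ResourceDescriptor struct {
	URI         string            `json:"uri"`
	Digest      map[string]string `json:"digest"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// gitSHA matches a full 40-hex-digit git commit id; anything else is a
// branch, tag or abbreviated ref and cannot be attested as a pinned input.
var gitSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// ResolvedGitSource reads the concrete commit the prepare step checked out.
// The revision requested in the Build ("main") is kept only as an annotation;
// a label without a full commit SHA is rejected rather than attested as-is.
func ResolvedGitSource(label []byte) (ResourceDescriptor, error) {
	var pm ProjectMetadata
	if err := json.Unmarshal(label, &pm); err != nil {
		return ResourceDescriptor{}, fmt.Errorf("parse project metadata: %w", err)
	}
	if pm.Source.Type != "git" {
		return ResourceDescriptor{}, fmt.Errorf("unsupported source type %q (only git is modeled here)", pm.Source.Type)
	}
	commit := pm.Source.Version["commit"]
	if !gitSHA.MatchString(commit) {
		return ResourceDescriptor{}, fmt.Errorf("git source is not pinned to a commit: %q", commit)
	}
	repo := pm.Source.Metadata["repository"]
	if repo == "" {
		return ResourceDescriptor{}, fmt.Errorf("git source has no repository")
	}
	rd := ResourceDescriptor{
		URI:    "git+" + repo,
		Digest: map[string]string{"gitCommit": commit},
	}
	if rev := pm.Source.Metadata["revision"]; rev != "" && rev != commit {
		rd.Annotations = map[string]string{"requestedRevision": rev}
	}
	return rd, nil
}

func main() {
	rd, err := ResolvedGitSource([]byte(SampleLabel))
	if err != nil {
		log.Fatal(err)
	}
	out, _ := json.MarshalIndent(rd, "", "  ")
	fmt.Println(string(out))
}
```

The important property is that the digest is derived from what the container actually fetched, not from the Build object the reconciler holds; an attestation built from the Build spec alone would record "main" and could describe bits that moved between Build creation and execution.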
Supported key types are RSA, ECDSA, Ed25519, and cosign (which is basically a wrapper around the other 3). There are some smoke tests with hard-coded signatures, but I feel the main tests should be the interop with the cosign CLI.

Signed-off-by: Bohan Chen <[email protected]>
Commit 957f2f2
move slsa and cosign logic into secrets pkg
Since we already have a package dedicated to grabbing secrets out of k8s, let's expand it further so that it knows how to extract signing keys out of it.

Signed-off-by: Bohan Chen <[email protected]>
Commit 6966b3f
Commits on Jan 17, 2024
refactor slsa signing and pushing
- split out signing and pushing into different functions, mainly to make the error messages clearer
- move attestation sign and write functions to obj so that we can mock out the attester interface later
- also change the slsa buildid to include `slsa` as a subpath to make it clearer what it's used for

Signed-off-by: Bohan Chen <[email protected]>
Commit e5ad5c5
add attestation to the build reconciler
- the controller is now aware of its own service account name; this is to fetch all the secrets associated with it (currently for attestation only, but can be expanded to cosign later)
- the feature flag for enabling slsa is marked experimental since the RFC hasn't been merged in yet

Signed-off-by: Bohan Chen <[email protected]>
Commit 1d1f3ec
refactor slsa.go and fix bugs
Rename slsa.go as the name wasn't really descriptive of what it's doing.

Bugs:
- client-go strips the TypeMeta from the object, so we have to pass it in manually
- granting RBAC for the controller to get namespaces
- using version instead of identifier so we don't get the git sha when generating the build type link
- ECDSA signing requires the digest, not the full msg
- stick to consistent tense for err msgs
- make the start/stop time parsing best effort; the slsa spec says it's optional, so we shouldn't fail the whole attestation if we can't find it

Signed-off-by: Bohan Chen <[email protected]>
Commit 00bdd4d
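The "ECDSA signing requires the digest, not the full msg" fix above, and the interop-with-cosign goal from the key-types commit, as an added Go example that is not kpack's code. It builds a minimal in-toto Statement (image name, subject digest and `buildType` are constructed placeholders), wraps it in a DSSE envelope using the standard Pre-Authentication Encoding, and signs the SHA-256 of the PAE with a P-256 key. A second signer deliberately reproduces the bug by handing the whole PAE to `ecdsa.SignASN1`; Go treats that argument as a hash and truncates it to the curve order size, so the signature covers only the first 32 bytes of the envelope and a verifier that hashes the PAE (this block's `VerifyDSSE`, or any DSSE verifier such as cosign) rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
)

// PayloadType is the DSSE payloadType used for in-toto Statements.
const PayloadType = "application/vnd.in-toto+json"

// Envelope is the DSSE envelope layout: payloadType, base64 payload, signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Signature carries one base64-encoded ASN.1 ECDSA signature.
type Signature struct {
	KeyID string `json:"keyid,omitempty"`
	Sig   string `json:"sig"`
}

// SampleStatement is a constructed, minimal in-toto Statement with a SLSA
// provenance v1 predicate. Name, digest and buildType are placeholders.
func SampleStatement() []byte {
	stmt := map[string]any{
		"_type": "https://in-toto.io/Statement/v1",
		"subject": []map[string]any{{
			"name":   "registry.example.invalid/app",
			"digest": map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256([]byte("constructed app image")))},
		}},
		"predicateType": "https://slsa.dev/provenance/v1",
		"predicate": map[string]any{
			"buildDefinition": map[string]any{"buildType": "https://example.invalid/kpack/slsa/v1"},
		},
	}
	b, _ := json.Marshal(stmt)
	return b
}

// PAE is the DSSE Pre-Authentication Encoding; this byte string is what gets signed.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// NewSigningKey generates a P-256 key (in kpack the key would come from a k8s Secret).
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func envelope(payload, sig []byte) Envelope {
	return Envelope{
		PayloadType: PayloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// SignDSSE hashes the PAE with SHA-256 and signs the digest, which is what
// ecdsa.SignASN1 expects and what every DSSE verifier recomputes.
func SignDSSE(priv *ecdsa.PrivateKey, payload []byte) (Envelope, error) {
	digest := sha256.Sum256(PAE(PayloadType, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Envelope{}, err
	}
	return envelope(payload, sig), nil
}

// SignDSSEWithoutHashing reproduces the bug: the full PAE is passed as the
// "hash". Go truncates it to the 32-byte curve order, so the signature covers
// only the first 32 bytes of the envelope (not even reaching the payload).
func SignDSSEWithoutHashing(priv *ecdsa.PrivateKey, payload []byte) (Envelope, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, PAE(PayloadType, payload))
	if err != nil {
		return Envelope{}, err
	}
	return envelope(payload, sig), nil
}

// VerifyDSSE recomputes the PAE digest and accepts if any signature validates.
func VerifyDSSE(pub *ecdsa.PublicKey, env Envelope) bool {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(PAE(env.PayloadType, payload))
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ecdsa.VerifyASN1(pub, digest[:], sig) {
			return true
		}
	}
	return false
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		log.Fatal(err)
	}
	good, _ := SignDSSE(priv, SampleStatement())
	bad, _ := SignDSSEWithoutHashing(priv, SampleStatement())
	fmt.Println("digest-signed envelope verifies:", VerifyDSSE(&priv.PublicKey, good))
	fmt.Println("message-signed envelope verifies:", VerifyDSSE(&priv.PublicKey, bad))
}
```

Hard-coded-signature smoke tests would not catch the digest bug if the expected signature were generated with the same buggy code; a round trip through an independent verifier (the cosign CLI, as the key-types commit proposes) is what exposes it.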
add slsa tests and refactor how tests are run
Since tests are run in parallel, cluster-scoped resources needed to be created with a different name for each of the suites.

Signed-off-by: Bohan Chen <[email protected]>
Commit d94c937
Commit 18ef43d
enable slsa attestations in gha e2e
Signed-off-by: Bohan Chen <[email protected]>
Commit 2046f40