Signing built images

[imjasonh]

Users can sign images produced with ko publish using tools like cosign.

For example:

$ cosign sign -key cosign.key $(ko publish ./)

ko resolve produces potentially many images, which makes this a bit harder. You could ko resolve then scan the resulting YAML for ko-built image references and sign all of those with some bash magic, but 🤮 .

Would it be useful to have a ko resolve --sign cosign.key flag that used the provided key to sign all images built during ko resolve?

ko publish --sign cosign.key could also be a convenience alias for, effectively, cosign sign $(ko publish), which wouldn't require users to have cosign installed.

@dlorenc good idea? bad idea?

[dlorenc]

@dlorenc good idea? bad idea?

Great idea!

[jonjohnsonjr]

This is where I really want a sidechannel for build outputs (my stupid "layoutput" thing).

[mattmoor]

+1 to native integration here.

Generally my preference would be to bias towards the ephemeral key route and use the same ephemeral key to sign all of the images produced (we should probably also start to think about incorporating a variety of opinionated attributes based on things we know about the build).

re: many images

something like mink produced ~25 images at its peak, for ~5 architectures, so 1 key vs ~150 keys (25*5 + 25) is probably a better way to go 🤣

[mattmoor]

This PR includes a technique I have been using to incorporate keyless signing into some ko-like tools: sigstore/cosign#647

Basically it only kicks in when COSIGN_EXPERIMENTAL=true for now, which is similar to how we've gated certain features with GGCR_EXPERIMENTAL_*, and this feels like an extremely lightweight way to integrate things.

We sacrifice some amount of configurability, but my inclination here would be to probably adjust how cosign itself works to use envconfig as a way to support a standard scheme for env-var fallback for configuration (no cobra, so no viper).

[imjasonh]

+1 to KO_EXPERIMENTAL_SOMETHING to iterate on this. How do we imagine this looking when it graduates from an experiment? We don't have a good example of doing that in GGCR as far as I know.

Ideally we'd end in a state where things are signed by default using ambient tokens if available, which can be disabled with a flag or config. Do we want to support signing with explicit keys? Or just leave that for cosign?

[mattmoor]

I think the first order of business will be to get the distroless images signed against Fulcio.

For configuring things, I think trying to standardize on env vars in cosign upstream would be my preference (for portability across tools).

For opting out (beyond experiment), I think some .ko.yaml syntax is called for, we can introduce this to ease folks into it too.

Another step between “experiment guarded” and “opt-out” to encourage folks to start signing will be to always verify, but make verification non-fatal (print warnings).

I also think we probably want some sort of refresh token flow for users before we move beyond experimental.

sorry this ended up sort of stream of consciousness.

[mattmoor]

Ok, full keyboard so here's sort of what I'm thinking in terms of phasing this in.

1. No change unless TBD *EXPERIMENT* env var is set, at which point base images must be signed, and published images are signed.

(once the default base images are signed against Fulcio)

2. Start verifying base images all the time, but verification is only fatal when TBD *EXPERIMENT* flag is set. When it isn't set we emit a warning. We still only sign things when it is set. We will need to sort out a way to opt-out of verification for each base image (likely in .ko.yaml?).

(once keyless signing is no longer "experimental" in Sigstore)

3. Start signing output images whenever ambient OIDC auth is available. Provide a way to require this (e.g. release envs), or opt-out entirely (e.g. dev environments avoiding 3LOs).

(once we have a clear opt-out path for base images)

4. Start to make verification of base images fatal by default.

---

As with --platform=all, we should never require signing by default (e.g. this would slow dev loops with 3LOs, and break using ko in PRs which won't have OIDC).

If we find out that being more aggressive signing things in dev is important (e.g. back-pressure from cosigned rejecting things), then we can always revisit this, but hopefully by then we have some sort of OIDC refresh token flow.

[mattmoor]

Starting to poke through code, I think the most natural integration point for signing is likely to implement a new publisher.Interface that composes with another publisher similar to the caching version:

	// Wrap publisher in a memoizing publisher implementation.
	return publish.NewCaching(innerPublisher)
}

If we have a signing publisher, we can accumulate / pass through images to an inner publisher, and then sign all of the accumulated images in Close() before closing the inner publisher. I think this would mean we use a single key to sign the entire set of images we publish 🤞

---

As I'm writing this I realize that cosign likely doesn't have functions that take a v1.Image (really build.Result) and return the v1.Image containing the signature, so we can't leverage the inner publisher to write the signature, which means the only publisher this should compose with right now is the default publisher. It would be cool to write such a function in cosign because it would allow us to emit signed images in tarballs and OCI layouts as well.

[mattmoor]

So it looks like currently:

return cli.Sign().Exec(context.Background(), n.digests.List())

... generates a new cert for every image, and send the user through a separate 3LO for each one, so on big projects (e.g. knative.dev/serving) this is sort of prohibitive.

cc @dlorenc