
docker: sign container images pushed to GHCR with GitHub OIDC tokens#4999

Merged: MichaelEischer merged 4 commits into restic:master from
konidev20:fix-gh-4983-slsa-provenance-for-ghcr-container-images
on Jan 12, 2025

Conversation

@konidev20
Contributor

@konidev20 konidev20 commented Aug 11, 2024

What does this PR change? What problem does it solve?

  • This allows users to verify the authenticity and integrity of Restic Docker images before using them.
  • This provides users with a verifiable record of how, when and where an artifact was built.

Refer:

  1. https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
  2. https://github.com/sigstore/cosign-installer
  3. Generation of SLSA3+ provenance for container images

[Edit]
Changes made to the GitHub Workflow:

  • installing cosign v2.4.0
  • add new step to sign all the images generated during the build and push step
  • the id-token of the GitHub Actions workflow will be used for image signing
  • replace branch-based tagging with SHA-based tagging since branch names are mutable and SLSA provenance requires immutable tagging
  • use official SLSA framework Github Reusable workflow
[/Edit]

Was the change previously discussed in an issue or on the forum?

Closes #4983

Checklist

  • I have read the contribution guidelines.
  • I have enabled maintainer edits.
  • I have added tests for all code changes.
  • I have added documentation for relevant changes (in the manual).
  • There's a new file in changelog/unreleased/ that describes the changes for our users (see template).
  • I have run gofmt on the code in all commits.
  • All commit messages are formatted in the same style as the other commits in the repo.
  • I'm done! This pull request is ready for review.
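The workflow changes listed in the description (install cosign, sign every pushed image with the job's OIDC token, add SHA-based tags, call the SLSA reusable workflow) fit together as below. This is an added illustration written for this page, not restic's actual `.github/workflows` file; the action versions, the job and step ids, and the `slsa-github-generator` tag are assumptions. The security-relevant details are that the job requests `id-token: write` (so cosign can obtain a short-lived Fulcio certificate instead of a stored key), that signing is done against the immutable image digest rather than a mutable tag, and that provenance is generated by the SLSA project's reusable workflow rather than by steps the repository controls.

```yaml
# Added example (not restic's workflow): keyless cosign signing + SLSA 3 provenance for GHCR images.
name: docker

on:
  push:
    branches: [master]
    tags: ['v*']

permissions:
  contents: read

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # push to GHCR
      id-token: write   # lets cosign request a GitHub OIDC token for keyless signing
    outputs:
      digest: ${{ steps.build.outputs.digest }}   # consumed by the provenance job below
    steps:
      - uses: actions/checkout@v4   # assumed version

      - uses: docker/login-action@v3   # assumed version
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: meta
        uses: docker/metadata-action@v5   # assumed version
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=sha,format=long   # immutable commit-SHA tag alongside the mutable branch tag

      - id: build
        uses: docker/build-push-action@v6   # assumed version
        with:
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Install cosign
        uses: sigstore/cosign-installer@v3   # assumed major version
        with:
          cosign-release: v2.4.0

      - name: Sign the pushed images with the workflow's OIDC identity
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          # Sign "<tag>@<digest>" so the signature binds to the immutable digest;
          # a tag alone can be repointed at a different image later.
          echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"

  provenance:
    needs: [build-and-push]
    permissions:
      actions: read     # read workflow run metadata for the provenance
      id-token: write   # sign the provenance attestation
      packages: write   # attach the attestation to the image in GHCR
    # Reusable workflow maintained by the SLSA project; tag assumed.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ghcr.io/${{ github.repository }}
      digest: ${{ needs.build-and-push.outputs.digest }}
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}
```

Because the signing and provenance steps only use `GITHUB_TOKEN` and the job's OIDC token, there is no long-lived signing key to rotate or leak; the trust decision moves to the verifier, which has to pin the expected certificate identity and OIDC issuer when it runs `cosign verify`.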

@konidev20 konidev20 marked this pull request as draft August 11, 2024 19:55
@konidev20 konidev20 force-pushed the fix-gh-4983-slsa-provenance-for-ghcr-container-images branch from 2fab85a to da729bd on September 15, 2024 17:14
@konidev20 konidev20 marked this pull request as ready for review September 15, 2024 18:32
@konidev20 konidev20 marked this pull request as draft September 15, 2024 19:05
@konidev20
Contributor Author

@MichaelEischer I need some more time to test; I'm facing some issues during the SLSA verification.

@konidev20 konidev20 marked this pull request as ready for review September 22, 2024 17:45
@konidev20
Contributor Author

@MichaelEischer the changes w.r.t. the SLSA provenance are complete. I will update the documentation shortly.

@konidev20 konidev20 force-pushed the fix-gh-4983-slsa-provenance-for-ghcr-container-images branch from 376fe34 to 877a10e on September 29, 2024 10:32
konidev20 and others added 3 commits December 2, 2024 00:14
* the id-token of the GitHub Actions workflow will be used for image signing
* replace branch-based tagging with SHA-based tagging since branch names are mutable and SLSA provenance requires immutable tagging
* use official SLSA framework Github Reusable workflow

docker: fix incorrect registry name in image output step

* use REGISTRY environment variable instead of IMAGE_REGISTRY

docker: revert change to remove branch tag
@konidev20 konidev20 force-pushed the fix-gh-4983-slsa-provenance-for-ghcr-container-images branch from 877a10e to 4fb9aa4 on December 1, 2024 18:48
@konidev20
Contributor Author

@MichaelEischer I guess you can do a final review and merge this.

As for:

> I am not sure how the build-and-push steps work to upload to Dockerhub. Let me see if I can make this a generic solution which would work for any repository, not limited to Dockerhub and GHCR.

I will pick it up in a separate issue.

Member

@MichaelEischer MichaelEischer left a comment


LGTM. Thanks!

> I am not sure how the build-and-push steps work to upload to Dockerhub. Let me see if I can make this a generic solution which would work for any repository, not limited to Dockerhub and GHCR.

Currently the Dockerhub images are built locally, see https://github.com/restic/restic/blob/master/helpers/prepare-release/main.go for the corresponding script.

To get SLSA provenance for the DockerHub images, we have to allow the CI pipeline to push images to DockerHub. Then either the signature for the GHCR image can be reused, or the pipeline just duplicates the provenance generation step.
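The description's first bullet says the point of the change is that users can verify the authenticity and integrity of the images before using them. What that verification looks like on the consumer side, as an added example that is not part of this PR or of restic's documentation: a workflow that checks both the keyless cosign signature and the SLSA provenance of a GHCR image by digest. The action versions, the `vX.Y.Z` placeholder and the exact shape of the certificate-identity regexp are assumptions; the important caveat it shows is that keyless verification is only meaningful when the expected signer identity and OIDC issuer are pinned, because without `--certificate-identity*` and `--certificate-oidc-issuer` cosign would accept a signature from any GitHub Actions workflow.

```yaml
# Added example (not from the PR): verify a GHCR image's signature and SLSA provenance before use.
name: verify-restic-image

on:
  workflow_dispatch:
    inputs:
      digest:
        description: 'Image digest to verify, in the form sha256:<hex>'
        required: true
      version:
        description: 'Git tag the image was built from (placeholder: vX.Y.Z)'
        required: true

permissions:
  contents: read

jobs:
  verify:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/restic/restic
      # Inputs are passed through env rather than interpolated into the shell script.
      DIGEST: ${{ inputs.digest }}
      VERSION: ${{ inputs.version }}
      # Only accept certificates issued to a workflow file in restic/restic running on a release tag.
      # (Regexp shape is an assumption; tighten it to the exact workflow path once known.)
      CERT_IDENTITY_REGEXP: '^https://github\.com/restic/restic/\.github/workflows/.+@refs/tags/v'
      OIDC_ISSUER: https://token.actions.githubusercontent.com
    steps:
      - uses: sigstore/cosign-installer@v3   # assumed major version
        with:
          cosign-release: v2.4.0

      - uses: slsa-framework/slsa-verifier/actions/installer@v2.6.0   # assumed version

      - name: Verify the keyless cosign signature
        run: |
          # Fails unless a valid signature exists whose certificate identity and
          # issuer match the pinned values; a signature from another repo is rejected.
          cosign verify \
            --certificate-oidc-issuer "${OIDC_ISSUER}" \
            --certificate-identity-regexp "${CERT_IDENTITY_REGEXP}" \
            "${IMAGE}@${DIGEST}"

      - name: Verify the SLSA provenance
        run: |
          # Checks that the attached provenance was produced by the SLSA generator
          # for this source repository at this tag, and that it covers this digest.
          slsa-verifier verify-image "${IMAGE}@${DIGEST}" \
            --source-uri github.com/restic/restic \
            --source-tag "${VERSION}"
```

Both commands are run against the digest, not a tag, for the same reason the signing step signs digests: a tag such as `latest` or a branch name can be moved, while the digest identifies exactly the bytes that were signed and attested.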

@MichaelEischer MichaelEischer merged commit 27189e0 into restic:master Jan 12, 2025

Development

Successfully merging this pull request may close these issues.

SLSA provenance for GHCR docker containers
