Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: bundle signing #843

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

chore: bundle signing #843

wants to merge 4 commits into from

Conversation

decleaver
Copy link
Collaborator

Description

Fixes functionality for signing bundles, and verifying, inspecting and deploying signed bundles

Related Issue

Fixes #831

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

@decleaver decleaver changed the title 831 bundle signing chore: bundle signing Jul 23, 2024
@decleaver decleaver marked this pull request as ready for review July 24, 2024 02:14
@UncleGedd
Copy link
Collaborator

Lingering questions because I know nothing about cosign 😅

  • does this work in the airgap?
  • need to provide on docs on usage and maybe a blurb on "why"
  • Is the signing artifact that gets put in the bundle a secret?

UncleGedd
UncleGedd reviewed Aug 16, 2024
View reviewed changes
src/cmd/viper.go
@@ -38,6 +38,9 @@ const (
// Bundle pull config keys
V_BNDL_PULL_OUTPUT = "bundle.pull.output"
V_BNDL_PULL_KEY = "bundle.pull.key"

// Bundle deploy config keys
V_BNDL_DEPLOY_KEY = "bundle.deploy.key"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think of bundle.deployKey? Just thinking of ways to reduce YAML layers

@decleaver
Copy link
Collaborator Author

@UncleGedd so what is currently in the PR covers the actual signing of the bundle.yaml similar to what zarf is doing. The difference is that zarf keeps an aggregatechecksum of everything in the zarf.yaml metadata, which we currently don't. We will need to add this to make the signing worth while.

That being said, zarf is looking into updating the way that they do signing based on:
zarf-dev/zarf#2805

https://github.com/sigstore/cosign?tab=readme-ov-file#verify-a-container-in-an-air-gapped-environment

So not sure where this falls in terms of priority

@decleaver decleaver marked this pull request as draft August 30, 2024 14:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@UncleGedd UncleGedd UncleGedd left review comments

@jeff-mccoy jeff-mccoy Awaiting requested review from jeff-mccoy

@mjnagel mjnagel Awaiting requested review from mjnagel

@TristanHoladay TristanHoladay Awaiting requested review from TristanHoladay

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Bundle Signing
2 participants
@decleaver @UncleGedd