Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sign container images #5185

Closed
1 task done
notdurson opened this issue Dec 20, 2024 · 1 comment · Fixed by #5207
Closed
1 task done

Sign container images #5185

notdurson opened this issue Dec 20, 2024 · 1 comment · Fixed by #5207
Labels
feature New functionality/enhancement security

Comments

@notdurson
Copy link
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Describe the user story
Following on from PR #5158 , I'd like to continue the security hardening story by signing container images, as well as attesting to their provenance. The solution implemented in 5158 attests to builds - that is, it verifies that an image was built by the entity claiming to have built it - but it doesn't actually sign the container images in a given build.

Describe the solution you'd like

The next logical step is signing images. This requires creation and persistence of a signing key in the Atlantis repo, which will then be used to request signing certificates from Sigstore. These will subsequently sign container images built during Atlantis releases. Downstream users can then use cosign to verify Atlantis images before use.

Describe the drawbacks of your solution

This solution introduces additional complexity into the already-complex Atlantis build process. In order to sign container images, a signing key must be generated and stored as a GH Actions Secret. By definition, the key must remain private; project contributors must not have access to it. Granting contributors access to the key compromises its confidentiality. Thus, the Atlantis maintainers must be involved in any PRs opened to complete this feature.

Since Atlantis builds six different images, six signatures will be generated and published for each build.

Describe alternatives you've considered

As in issue #5157, I explored forking Atlantis and signing images published by the fork. We found that this would lead to extra engineering burden on small teams. We believe it best for the canonical upstream repo to sign its images, so that any downstream forks can remain assured of the integrity of the images they use.

@notdurson notdurson added the feature New functionality/enhancement label Dec 20, 2024
@dosubot dosubot bot added the security label Dec 20, 2024
@notdurson
Copy link
Contributor Author

We don't need a signing key if we use Cosign's keyless mode - this uses GitHub's OIDC flow to authenticate to Sigstore's CA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature New functionality/enhancement security
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant