Skip to content

Commit

Permalink
Add RFC for cosign integration
Browse files Browse the repository at this point in the history
Signed-off-by: Sambhav Kothari <[email protected]>
  • Loading branch information
sambhav committed Dec 3, 2021
1 parent 025a98b commit ac39524
Showing 1 changed file with 109 additions and 0 deletions.
109 changes: 109 additions & 0 deletions text/0000-cosign.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
# Meta
[meta]: #meta
- Name: Cosign support
- Start Date: 2021-12-03
- Author(s): [@samj1912](https://github.com/samj1912)
- RFC Pull Request: (leave blank)
- CNB Pull Request: (leave blank)
- CNB Issue: (leave blank)
- Supersedes: (put "N/A" unless this replaces an existing RFC, then link to that RFC)

# Summary
[summary]: #summary

Adds image signing support to Buildpacks natively using cosign.

# Definitions
[definitions]: #definitions

- cosign: A sigstore project to sign container images - https://github.com/sigstore/cosign
- SBOM: Software Bill-of-Materials


# Motivation
[motivation]: #motivation

Supply chain security has been on top of everyone's minds in 2021. It is important to ensure the integrity and origin of software artifacts in order to have a secure supply chain. Sigstore's cosign has quikcly risen to become the defacto container signing solution. This RFC proposes that we natively add cosign support to the lifecycle to facilitate easy signed container artifacts as part of the build process.

# What it is
[what-it-is]: #what-it-is

As a part of the exporting process, the `analyzer` and `exporter` will now take an addition flag `-cosign-config <cosign.toml>` which will contain the cosign configuration.

The schema for `cosign.toml` will look like the following -

```toml
# A static list of annotations to add to each signature config
[[annotations]]
name = "<name>"
value = "<value>"

[[annotations]]
name = "<name2>"
value = "<value2>"

# multiple cosign configs can be specified
[[configs]]
# path to private key
key = "<path-to-key>"
# Exclusive OR with `key`
# private key inline as a b64 encoded string
key-data = "<base64-encoded-private-key>"
# optional value for COSIGN_REPOSITORY, optional, default:""
repository = "<cosign-repository>"
# value for COSIGN_DOCKER_MEDIA_TYPES, optional, default:false
docker-media-types = true
# optional path to password file. Contents will be used as COSIGN_PASSWORD
password = "<path-to-password-file>"
# Exclusive OR with `password`
# optional base64 encoded value for COSIGN_PASSWORD
password-data = "<base64-encoded-password>"
# optional flag to export sbom if present, default:true
export-sbom = true
# optional flag to sign sbom if exported, default: true
sign-sbom = true
```

The `analyzer` will be responsible for verifying registry access to push the required signatures. The exporter will be responsible for generating and pushing the signatures defined by each of the configs above for each tag specified to the `exporter`. As a part of this process, the lifecycle will also strip out any environment variables that start with `COSIGN_` before analyzing or exporting cosign specific tasks.

During the export phase, the lifecycle will add all the provided annotations to each exported signature. It will also add the corresponding image tag and build time of the image as tags to the signature.
The lifecycle will also export and sign related SBOM artifacts from the build. The format for attaching SBOM to the image will follow the specification described at https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md.

The above will only be supported if `lifecycle` is run in `registry` mode. If we wish to support it in local mode, we may add support for this in case we drop daemon mode and introdue an OCI layout mode.

# How it Works
[how-it-works]: #how-it-works

The exporter can use `cosign` as a library to generate, attach and publish signatures for the output image. `cosign` exposes a GGCR compatible interface which should fit nicely with the lifecycle.


# Drawbacks
[drawbacks]: #drawbacks

Increased complexity in lifecycle

# Alternatives
[alternatives]: #alternatives

Add cosign support to pack.


# Prior Art
[prior-art]: #prior-art

- https://github.com/buildpacks/pack/issues/268
- https://github.com/buildpacks/pack/issues/934
- https://github.com/pivotal/kpack/blob/main/rfcs/0007-cosign-integration.md


# Unresolved Questions
[unresolved-questions]: #unresolved-questions


How to deal with daemon case? I am of the opinion that we should deprecate daemon flag in lifecycle and instead switch to OCI but that can come later.

# Spec. Changes (OPTIONAL)
[spec-changes]: #spec-changes


Noted above.

0 comments on commit ac39524

Please sign in to comment.