Switch Signify service to use mTLS

cmd/image-builder/README.md

@@ -148,6 +148,27 @@ Image signing allows verification that the image comes from a trusted repository
 > [!NOTE]
 > Image Builder signs images built on the push and workflow_dispatch events only. Images built on the pull_request_target event are not signed.
 
+## Image Signing with Signify
+
+Image Builder signs images using the Signify service, ensuring that images come from trusted repositories and have not been tampered with.
+
+### Updated Signing Process
+
+The authentication to the Signify API has been updated from using `role id/secret id` to mTLS. This change introduces the following updates:
+
+- **mTLS Authentication**: Image Builder now uses a client certificate/private key pair for authentication with the Signify API. These credentials are valid for 7 days, after which they must be rotated.
+- **Automated Rotation**: The certificate rotation must occur every 7 days. The new certificate/private key pair must be generated using the previous pair before they expire.
+
+The Signify API's structure has also been updated. For more information, see the official [Signify API Documentation](https://pages.github.tools.sap/Repository-Services/Signify/how_to/manage_signatures/).
+
+> [!NOTE]
+> Images are only signed when built on `push` and `workflow_dispatch` events. Pull request images are not signed.
+
+### Signify API Changes
+
+The JSON structure for signing has changed. See the new structure and examples in the [Signify API Documentation](https://pages.github.tools.sap/Repository-Services/Signify/how_to/manage_signatures/).
+
+
 ## Named Tags
 
 Image Builder supports passing the name along with the tag, using both the `-tag` option and the config for the tag template.

cmd/image-builder/main_test.go

@@ -442,6 +442,8 @@ func Test_getSignersForOrgRepo(t *testing.T) {
 	for _, c := range tc {
 		t.Run(c.name, func(t *testing.T) {
 			t.Setenv("JOB_TYPE", c.jobType)
+			mockFactory := &mockSignerFactory{}
+
 			o := &options{isCI: c.ci, Config: Config{SignConfig: SignConfig{
 				EnabledSigners: map[string][]string{
 					"*":              {"test-notary"},
@@ -453,21 +455,22 @@ func Test_getSignersForOrgRepo(t *testing.T) {
 					{
 						Name:   "test-notary",
 						Type:   sign.TypeNotaryBackend,
-						Config: sign.NotaryConfig{},
+						Config: mockFactory,
 					},
 					{
 						Name:   "test-notary2",
 						Type:   sign.TypeNotaryBackend,
-						Config: sign.NotaryConfig{},
+						Config: mockFactory,
 					},
 					{
 						Name:    "ci-notary",
 						Type:    sign.TypeNotaryBackend,
-						Config:  sign.NotaryConfig{},
+						Config:  mockFactory,
 						JobType: []string{"postsubmit"},
 					},
 				},
 			}}}
+
 			got, err := getSignersForOrgRepo(o, c.orgRepo)
 			if err != nil && !c.expectErr {
 				t.Errorf("got error but didn't want to %v", err)
@@ -789,12 +792,16 @@ Build config file content:
 	}
 }
 
-type mockSigner struct {
-	signFunc func([]string) error
+type mockSignerFactory struct{}
+
+func (m *mockSignerFactory) NewSigner() (sign.Signer, error) {
+	return &mockSigner{}, nil
 }
 
-func (m *mockSigner) Sign(images []string) error {
-	return m.signFunc(images)
+type mockSigner struct{}
+
+func (m *mockSigner) Sign([]string) error {
+	return nil
 }
 
 func Test_getDockerfileDirPath(t *testing.T) {

configs/kaniko-build-config.yaml

@@ -28,7 +28,7 @@ sign-config:
         - postsubmit
         - workflow_dispatch
       config:
-        endpoint: https://signing.repositories.cloud.sap/signingsvc/sign
+        endpoint: https://signing-manage.repositories.cloud.sap/trusted-collections/publish
         timeout: 5m
         retry-timeout: 10s
         secret: