Add GitHub attestation to official Fleet and fleetd release binaries and images #23825

Open
11 of 17 tasks
noahtalerman opened this issue Nov 14, 2024 · 10 comments
Assignees
Labels
~customer promise A feature request from a Fleet customer that Fleet has contractually agreed to deliver customer-figali ~engineering-initiated Engineering-initiated story, such as a bug, refactor, or contributor experience improvement. #g-orchestration Orchestration product group story A user story defining an entire feature

Comments

@noahtalerman
Member

noahtalerman commented Nov 14, 2024

Goal

User story
As a Security Engineer using Fleet,
I want to prove that the binaries and images I am using to deploy Fleet have not been tampered with
so that I am confident the build artifacts I use are the same artifacts created by the associated GitHub workflow.

Key results

  • Deliver customer promises and prioritized requests

Original requests

Context

Changes

Codename

Chain of Integrity and Provenance for Software (CHiPS)

Product

  • UI changes: No changes
  • CLI (fleetctl) usage changes: No changes
  • YAML changes: No changes
  • REST API changes: No changes
  • Fleet's agent (fleetd) changes: No changes
  • Activity changes: No changes
  • Permissions changes: No changes
  • Changes to paid features or tiers: No changes
  • Other reference documentation changes: No changes.
  • Once shipped, requester has been notified
  • Once shipped, dogfooding issue has been filed

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: No
  • Risk level: Low

Manual testing steps

  1. Use the gh attestation command to validate that every binary and image generated in the specified workflows successfully provides attestation.

Testing notes

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.
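The manual test step above, worked as an added example that is not Fleet's own tooling: a small driver that runs `gh attestation verify` over every downloaded release file and container image and fails closed if any of them lacks a valid attestation from the `fleetdm/fleet` repository. It assumes the `gh` CLI (with its `attestation` subcommand) is installed and authenticated for a live run; the file names and the `oci://docker.io/fleetdm/fleet:<version>` image reference in the usage comment are assumptions, not values taken from the issue. The verification loop takes an injectable runner so its fail-closed logic can be exercised without network access.

```python
"""Verify GitHub artifact attestations for every downloaded release file
and container image with the gh CLI, failing closed on any miss.

Added example, not Fleet's own tooling. Assumes `gh` (with the
`attestation` subcommand) is installed and authenticated for a live run;
the loop takes an injectable runner so its logic can be checked offline.
"""
import shutil
import subprocess
import sys

# Assumed: the repository whose release workflows signed the artifacts.
REPO = "fleetdm/fleet"


def verify_argv(subject: str, repo: str = REPO) -> list:
    """Build the gh command line for one subject.

    The subject is a local file (binary, archive) or an oci:// image
    reference; gh hashes the file or resolves the image digest, fetches
    the Sigstore bundles stored for that digest, and checks that one of
    them was produced by a workflow run in `repo`.
    """
    return ["gh", "attestation", "verify", subject, "--repo", repo, "--format", "json"]


def verify_all(subjects, repo=REPO, runner=subprocess.run) -> dict:
    """Verify each subject and return {subject: verified}.

    Does not stop at the first failure so the report covers every
    artifact, and only a zero exit status counts as verified: a missing
    bundle, a digest mismatch or a signer from another repo all fail.
    """
    results = {}
    for subject in subjects:
        proc = runner(verify_argv(subject, repo), capture_output=True, text=True)
        results[subject] = proc.returncode == 0
    return results


def all_verified(results: dict) -> bool:
    """True only when there was at least one subject and none failed."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Usage (names below are assumptions, not taken from the issue):
    #   python verify_release.py fleet_v4.62.0_linux.tar.gz \
    #       oci://docker.io/fleetdm/fleet:v4.62.0
    if shutil.which("gh") is None:
        sys.exit("gh CLI not found on PATH")
    report = verify_all(sys.argv[1:])
    for subject, ok in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {subject}")
    sys.exit(0 if all_verified(report) else 1)
```

Two design points matter for a security engineer running this: an empty subject list is treated as a failure rather than a vacuous pass, and every subject is checked before the script exits, so a partial roll-out (attestation present on archives but not yet on images, as the status update further down describes) shows up as a per-artifact report rather than a single error.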
@noahtalerman noahtalerman added story A user story defining an entire feature :product Product Design department (shows up on 🦢 Drafting board) labels Nov 14, 2024
@noahtalerman noahtalerman added ~customer promise A feature request from a Fleet customer that Fleet has contractually agreed to deliver #g-endpoint-ops Endpoint ops product group labels Nov 14, 2024
@noahtalerman noahtalerman self-assigned this Nov 15, 2024
@noahtalerman noahtalerman added Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. and removed Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. labels Nov 15, 2024
@noahtalerman
Member Author

Hey @lukeheath I think we need your help w/ this user story. Do you think you can own Product Designer responsibilities for it?

That includes writing the user story, updating the "Product" section, and being the first point of contact for product questions during the engineering sprint.

Assuming yes, I assigned you. Please feel free to pass it back to me if you don't have the capacity.

@lukeheath
Member

@noahtalerman No problem.

@noahtalerman
Member Author

Hey @lukeheath just a reminder to write up the user story for this and get it ready for estimation next week. We want to bring this customer promise into the next engineering sprint (last in Q4).

Please let me know how I can be helpful moving this one along!

@noahtalerman
Member Author

@lukeheath just giving you another ping! Please let me know how I can be helpful getting this story ready for estimation tomorrow.

@lukeheath
Member

@noahtalerman Thanks! Getting on this now.

@lukeheath lukeheath changed the title Add GitHub attestation to the Fleet's agent (fleetd) Add GitHub attestation to Fleet's agent (fleetd) Dec 3, 2024
@lukeheath lukeheath changed the title Add GitHub attestation to Fleet's agent (fleetd) Add GitHub attestation to official Fleet and fleetd release binaries and images Dec 4, 2024
@lukeheath lukeheath added ~engineering-initiated Engineering-initiated story, such as a bug, refactor, or contributor experience improvement. and removed #g-endpoint-ops Endpoint ops product group labels Dec 4, 2024
@lukeheath
Member

@noahtalerman I've finished designing this story. Would you please take a look and make sure it looks correct?

From watching the initial request conversation, it seems to me that the customer is asking that all official Fleet and fleetd release binaries and images have attestation. It's straightforward to add attestation to the GitHub workflows, so I've expanded the scope of this issue to include three different workflows (our three GoReleaser workflows) that produce the Fleet server binaries, fleetctl binaries, and fleetd binaries. Please let me know if you think that's incorrect.

I'm also removing the #g-endpoint-ops label because I think this is something that would be great for @sgress454 to take on next sprint. I will estimate with him this week and we'll plan to deliver this at the end of next sprint. I'll track this on the #help-engineering board.

@noahtalerman
Member Author

@lukeheath looks good to me!

> I'm also removing the #g-endpoint-ops label because I think this is something that would be great for @sgress454 to take on next sprint. I will estimate with him this week and we'll plan to deliver this at the end of next sprint. I'll track this on the #help-engineering board.

Sounds great 👍

@sgress454 sgress454 self-assigned this Dec 6, 2024
@lukeheath lukeheath removed the :product Product Design department (shows up on 🦢 Drafting board) label Dec 16, 2024
@lukeheath
Member

@sgress454 Do we need to make any revisions to the implementation after trying to use it during the fleetd release?

@lukeheath lukeheath added the #g-orchestration Orchestration product group label Dec 16, 2024
@sgress454
Contributor

> @sgress454 Do we need to make any revisions to the implementation after trying to use it during the fleetd release?

Mostly ensuring proper permissions. I'm readying a follow-up PR to do that, add better error-safety, and add attestation to the desktop and osquery binaries as Lucas suggested.

sgress454 added a commit that referenced this issue Dec 17, 2024
for #23825 

This PR fixes the previous implementation for attesting
fleet/fleetctl/orbit binaries, and adds attestation to the fleet desktop
and osqueryd artifacts.

* correct permissions are added to all jobs
* tag removed from `subject-name` when attesting docker image
* using `artifacts.json` rather than the `artifacts` step output from
goreleaser to determine image digest

I'd like to add a separate job verifying the attestations, working on
that now but since all attestation steps are marked as
`continue-on-error` it can be a follow-on if we don't get it in with
this PR.
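The two fixes listed in that commit message, worked as an added example that is not Fleet's workflow code: reading the image digest from GoReleaser's `artifacts.json` instead of a step output, and attesting under the tag-less image name. The `artifacts.json` layout used here (a list of objects with `name`, `type` and `extra.Digest`, with the type strings `Docker Image` and `Docker Manifest`) is assumed from GoReleaser's documented output, and the sample file, image names and digests are constructed, not taken from a Fleet release.

```python
"""Derive attestation subjects for container images from GoReleaser's
artifacts.json: take the digest from artifacts.json and attest under the
tag-less image name.

Added example, not Fleet's workflow code. The artifacts.json layout used
here (a list of objects with "name", "type" and "extra.Digest") is assumed
from GoReleaser's documented output; the sample below is constructed.
"""
import json


def _digest(ch: str) -> str:
    """Constructed 64-hex digest for the sample; not a real image digest."""
    return "sha256:" + ch * 64


# Constructed stand-in for dist/artifacts.json after a GoReleaser run.
SAMPLE_ARTIFACTS_JSON = json.dumps([
    {"name": "fleet_v4.62.0_linux.tar.gz", "path": "dist/fleet_v4.62.0_linux.tar.gz",
     "type": "Archive"},
    {"name": "fleetdm/fleet:v4.62.0-amd64", "path": "fleetdm/fleet:v4.62.0-amd64",
     "type": "Docker Image", "extra": {"Digest": _digest("a")}},
    {"name": "fleetdm/fleet:v4.62.0-arm64", "path": "fleetdm/fleet:v4.62.0-arm64",
     "type": "Docker Image", "extra": {"Digest": _digest("b")}},
    {"name": "fleetdm/fleet:v4.62.0", "path": "fleetdm/fleet:v4.62.0",
     "type": "Docker Manifest", "extra": {"Digest": _digest("c")}},
    {"name": "fleetdm/fleet:latest", "path": "fleetdm/fleet:latest",
     "type": "Docker Manifest", "extra": {"Digest": _digest("c")}},
    {"name": "fleetdm/fleet:broken", "path": "fleetdm/fleet:broken",
     "type": "Docker Manifest"},  # no digest recorded: must be skipped, not attested
])


def strip_tag(ref: str) -> str:
    """Return an image reference without its tag or digest.

    This is the `subject-name` form: the attestation binds name plus
    digest, so a tag in the name is rejected. Only the segment after the
    last '/' is examined, which keeps registry ports such as
    localhost:5000/img intact, and an @sha256:... suffix is dropped
    because the digest is passed separately.
    """
    head, sep, last = ref.rpartition("/")
    last = last.split("@", 1)[0]   # drop any digest suffix first
    last = last.split(":", 1)[0]   # then drop the tag
    return f"{head}/{last}" if sep else last


def image_subjects(artifacts_json: str, manifests_only: bool = True) -> list:
    """Return ordered, de-duplicated (subject_name, digest) pairs.

    With manifests_only the multi-arch manifest is the subject, which is
    what a consumer pulls by tag, so one attestation covers the published
    image; per-arch images are included only when the flag is off.
    Entries with no digest are skipped rather than attested as empty, and
    several tags pointing at one digest yield a single subject.
    """
    wanted = {"Docker Manifest"} if manifests_only else {"Docker Manifest", "Docker Image"}
    seen = set()
    out = []
    for entry in json.loads(artifacts_json):
        if entry.get("type") not in wanted:
            continue
        digest = (entry.get("extra") or {}).get("Digest")
        if not digest or not digest.startswith("sha256:"):
            continue
        subject = (strip_tag(entry["name"]), digest)
        if subject not in seen:
            seen.add(subject)
            out.append(subject)
    return out


if __name__ == "__main__":
    for name, digest in image_subjects(SAMPLE_ARTIFACTS_JSON):
        print(f"subject-name: {name}\nsubject-digest: {digest}")
```

The two printed values map onto the `subject-name` and `subject-digest` inputs of GitHub's provenance attestation action; skipping an entry with no digest, rather than attesting with an empty or tagged subject, is the failure mode the commit's "better error-safety" wording points at.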
@lukeheath
Member

@noahtalerman @zayhanlon The first phase of attestation is complete: https://github.com/fleetdm/fleet/attestations/4319743

Beginning with 4.62.0, we are adding SLSA attestation to all archives and binaries attached to our releases.

Beginning with 4.63.0, we will be extending SLSA attestation to our container images. I will leave this issue open until then, but wanted to give a status update.
