
Start to sign image releases with cosign #203

Closed
mattmoor opened this issue Sep 29, 2022 · 10 comments · Fixed by #207
Labels
area:security Security and integrity issues enhancement New feature or request good first issue Good for newcomers

Comments

@mattmoor

Is your feature request related to a problem? Please describe.

I'd like to be able to verify that the images we are consuming from otel/opentelemetry-collector-contrib on DockerHub were produced by this repo's release automation.

Describe the solution you'd like

I'd like to see the workflow used to publish your images use sigstore/cosign keyless signing to sign the published images, e.g. like the actions sample here.

There are three main pieces to this:

1. You need `id-token: write` permissions to generate an identity token for the workflow:

   ```yaml
   # This is used to complete the identity challenge
   # with sigstore/fulcio when running outside of PRs.
   id-token: write
   ```

2. You need to install cosign:

   ```yaml
   - name: Install cosign
     uses: sigstore/cosign-installer@main
     with:
       cosign-release: 'v1.12.1'
   ```

3. Sign the resulting image:

   ```yaml
   - name: Sign the published Docker image
     env:
       COSIGN_EXPERIMENTAL: "true"
     # This step uses the identity token to provision an ephemeral certificate
     # against the sigstore community Fulcio instance.
     run: cosign sign THE_IMAGE_DIGEST
   ```

This can then be used with assorted policy controllers to verify that the images published to DockerHub were produced by .github/workflows/build-and-test.yml even if the static DockerHub credentials have been compromised.

Describe alternatives you've considered

You could also use sigstore/cosign to sign the images using a static key pair. However, this requires managing another secret (the signing key), and publishing your own verification key. Some projects (e.g. Google distroless) are signing things both ways, at least for now.

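The three pieces from the issue assembled into one complete workflow job, as an added example (not from the issue, the PR or the project's own workflow). It signs the image by digest rather than by tag, and it shows the consumer-side `cosign verify` with the certificate identity pinned to the release workflow and GitHub's OIDC issuer, which is what lets a verifier reject images pushed with stolen registry credentials. The image name, the `OWNER/REPO` and `release.yml` values, the docker/build-push-action `digest` output and the cosign v2 flag syntax (`--yes`, `--certificate-identity-regexp`) are assumptions.

```yaml
name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write   # needed for the Fulcio identity challenge (keyless signing)

jobs:
  build-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}   # assumed secret names
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push
        id: build
        uses: docker/build-push-action@v3
        with:
          push: true
          tags: otel/opentelemetry-collector-contrib:${{ github.ref_name }}

      - uses: sigstore/cosign-installer@main
        with:
          cosign-release: 'v2.2.0'   # assumption: any cosign v2.x release

      # Sign the digest, not the tag: anyone holding the registry credentials
      # can re-point a tag at a different image, but cannot change a digest.
      - name: Sign the published image (keyless)
        run: cosign sign --yes "otel/opentelemetry-collector-contrib@${{ steps.build.outputs.digest }}"

      # Consumer-side check: accept only signatures whose Fulcio certificate
      # names this repository's release workflow (OWNER/REPO and release.yml
      # are placeholders) and GitHub's Actions OIDC issuer.
      - name: Verify the signature
        run: |
          cosign verify \
            --certificate-identity-regexp '^https://github.com/OWNER/REPO/\.github/workflows/release\.yml@refs/tags/v' \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            "otel/opentelemetry-collector-contrib@${{ steps.build.outputs.digest }}"
```

The same two `--certificate-*` flags are what a policy controller in a cluster would enforce; without pinning the identity, any keyless signature from any GitHub repository would pass.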

@mattmoor mattmoor added the enhancement New feature or request label Sep 29, 2022
@mattmoor
Author

If y'all are receptive to this, I'd be happy to send a PR with the above changes to the actions workflow, just let me know.

@bogdandrutu
Member

The published images are in a different repository. Moving this issue there.

@bogdandrutu bogdandrutu transferred this issue from open-telemetry/opentelemetry-collector-contrib Sep 29, 2022
@cpanato
Contributor

cpanato commented Sep 29, 2022

I can help in the implementation

@jpkrohling
Member

That would be great, I had this on my radar anyway. We use goreleaser in this project, I believe there's an integration with cosign already.

@jpkrohling jpkrohling added the good first issue Good for newcomers label Sep 29, 2022
@jpkrohling
Member

I'm assigning this to @mattmoor. If you need help, ping @cpanato :-)

@cpanato
Contributor

cpanato commented Sep 29, 2022

Yep, the implementation should be more straightforward :)

@mattmoor
Author

@cpanato has forgotten more about goreleaser than I will ever know. Carlos, if you want to take this on that'd be fantastic 🙏

@cpanato
Contributor

cpanato commented Sep 30, 2022

PR: #207

also did others to update some other things:

@jpkrohling
Member

I commented in the relevant PR already, but our final images are scratch images already. The alpine base is being used only for build stages.

@pellared
Member

pellared commented Aug 10, 2023

I know that this issue is only about signing images. However, it would be good also to sign executables (especially for Windows and macOS). It looks like sigstore does not handle it. See: sigstore/cosign#2170 and sigstore/fulcio#250.
