[docs] add documentation regarding verify images signatures #8990
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #8990 +/- ##
==========================================
+ Coverage 91.63% 92.47% +0.84%
==========================================
Files 356 387 +31
Lines 16849 18246 +1397
==========================================
+ Hits 15439 16873 +1434
+ Misses 1068 1027 -41
- Partials 342 346 +4 ☔ View full report in Codecov by Sentry. |
cpanato
force-pushed
the
doc-verify-images
branch
from
4d863cd
to
e85f89f
Compare
cpanato
changed the title
cpanato
force-pushed
the
doc-verify-images
branch
2 times, most recently
from
30e2eab
to
2d09309
Compare
README.md
Outdated
| Example: | ||
|
|
||
| ```console | ||
| $ cosign verify --certificate-identity=https://github.com/open-telemetry/opentelemetry-collector-releases/.github/workflows/release.yaml@refs/tags/v99.99.01 --certificate-oidc-issuer=https://token.actions.githubusercontent.com ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector:99.99.01 |
There was a problem hiding this comment.
Please add some explanation about what exactly is being verified here and how to spot the expected valid output.
There was a problem hiding this comment.
@cpanato, can you provide this?
|
|
||
| > **Note**: To verify a signed artifact or blob, first [install Cosign](https://docs.sigstore.dev/system_config/installation/), then follow the instructions below. | ||
|
|
||
| We are signing the images `otel/opentelemetry-collector` and `otel/opentelemetry-collector-contrib` using [sigstore cosign](https://github.com/sigstore/cosign) tool and to verify the signatures you can run the following command: |
There was a problem hiding this comment.
Sigstore docs say that when signing:
A verifiable OpenID Connect identity token, which contains a user’s email address or service account, is provided in the request.
What identity token do we provide for signing the Collector? Is it an email address or some other identity? Where can this identity token be seen?
There was a problem hiding this comment.
Sigstore docs say:
All signers should monitor the Fulcio CT log for unauthorized use of their identity, and all verifiers should look for alerts from consistency monitors.
What do we (Otel) do to monitor the CT log?
There was a problem hiding this comment.
Right now, nothing. I just created open-telemetry/sig-security#45 to track this.
There was a problem hiding this comment.
The identity is the JSON that is provided above in the readme and includes things like the github repo name and the workflow that generated it. The actual "Subject" of the token would be https://github.com/cpanato/opentelemetry-collector-releases/.github/workflows/release.yaml@refs/tags/v99.99.01 , in the readme's example.
|
This PR was marked stale due to lack of activity. It will be closed in 14 days. |
|
This PR was marked stale due to lack of activity. It will be closed in 14 days. |
|
This PR was marked stale due to lack of activity. It will be closed in 14 days. |
|
This PR was marked stale due to lack of activity. It will be closed in 14 days. |
|
@jpkrohling let me know when is good to update this PR to merge, to avoid keeping the updating this. |
|
Given that the -releases PR is merged, this one can be rebased and marked as ready! |
cpanato
force-pushed
the
doc-verify-images
branch
from
2d09309
to
233b262
Compare
|
@jpkrohling rebased, thanks! |
cpanato
force-pushed
the
doc-verify-images
branch
from
233b262
to
b9bc933
Compare
|
This PR was marked stale due to lack of activity. It will be closed in 14 days. |
|
Folks, what's the status of this PR? It would be great to finalize and merge it. |
|
@tigrannajaryan i will do that tomorrow, sorry for the delay |
Signed-off-by: cpanato <ctadeu@gmail.com>
cpanato
force-pushed
the
doc-verify-images
branch
from
b9bc933
to
f04339d
Compare
|
@jpkrohling @tigrannajaryan made some changes and update the image reference PTAL |
.chloggen/doc-verify-images.yaml
Outdated
There was a problem hiding this comment.
We can omit a changelog for this
There was a problem hiding this comment.
I'm OK keeping this though, as it can help spread the word about our images being signed.
There was a problem hiding this comment.
will wait the decision to remove or keep :)
There was a problem hiding this comment.
let's keep this and merge the PR, if that's the only thing holding this PR
TylerHelmuth
added
the
Skip Changelog
.chloggen/doc-verify-images.yaml
Outdated
There was a problem hiding this comment.
I'm OK keeping this though, as it can help spread the word about our images being signed.
|
This PR was marked stale due to lack of activity. It will be closed in 14 days. |
|
anything that i need to do? |
I don't think so, I just pinged @open-telemetry/collector-maintainers to see if this can be merged as is. |
|
This PR was marked stale due to lack of activity. It will be closed in 14 days. |
…emetry#8990) **Description:** <Describe what has changed. - add documentation regarding verify images signatures related to open-telemetry/opentelemetry-collector-releases#207 Fixes: open-telemetry#9610 /assign @jpkrohling --------- Signed-off-by: cpanato <ctadeu@gmail.com> Co-authored-by: Juraci Paixão Kröhling <juraci@kroehling.de> Co-authored-by: Pablo Baeyens <pbaeyens31+github@gmail.com>
Description: <Describe what has changed.
related to open-telemetry/opentelemetry-collector-releases#207
Fixes: #9610
/assign @jpkrohling