Feature: add support for keyless signed release #1417

Open
laurentsimon opened this issue Dec 23, 2021 · 9 comments

@laurentsimon
Contributor

We should add support for keyless cosign signing in the Signed-Release check.

cc @asraa

@laurentsimon laurentsimon added the kind/enhancement New feature or request label Dec 23, 2021
@justaugustus justaugustus added this to Backlog in Scorecard Feb 22, 2022

github-actions bot commented Nov 3, 2023

This issue is stale because it has been open for 60 days with no activity.


github-actions bot commented Mar 8, 2024

This issue has been marked stale because it has been open for 60 days with no activity.

@github-actions github-actions bot added the Stale label Mar 8, 2024
@dadrus

dadrus commented Mar 25, 2024

I recently added the ossf scorecard to my project (https://github.com/dadrus/heimdall) and unfortunately was hit by the lack of keyless signing support, which obviously provides the required attestation. Without this support, the corresponding score can be considered a false negative without an option to fix it, which also means it is lower than it should be for my project.

Really appreciate if you address this FR.

See also the corresponding discussion in Slack: https://openssf.slack.com/archives/C0235AR8N2C/p1711287556171039?thread_ts=1711287556.171039&cid=C0235AR8N2C

@adam-moss

We are currently looking to roll scorecard into ~13k projects. Keyless signing is definitely desirable from our point of view, as we're in the process of going "all-in" on sigstore and ephemeral keys.

@laurentsimon
Contributor Author

I think we have support at HEAD looking for .sigstore files, but we have not released yet. /cc @spencerschrock

@dadrus

dadrus commented Mar 25, 2024

@laurentsimon: Could you please share a link to the corresponding PR? I would like to understand whether it would solve the issue I'm currently facing. .sigstore file doesn't say anything to me.

@spencerschrock
Contributor

> @laurentsimon: Could you please share a link to the corresponding PR? I would like to understand whether it would solve the issue I'm currently facing. .sigstore file doesn't say anything to me.

The relevant PR would be #3772, but I don't think it would help in your case

@laurentsimon the repo in question uses this goreleaser config
https://github.com/dadrus/heimdall/blob/f7d4aaab9ab34fa6c0babb9a31a733356ab0f8c2/.goreleaser.yaml#L50-L53 which you can see in the artifacts:
https://github.com/dadrus/heimdall/releases

@dadrus

dadrus commented Mar 26, 2024

Actually, there is more. Since goreleaser cannot properly sign sbom and attach it to the container images, there are https://github.com/dadrus/heimdall/blob/4f018677b6e2e6b2b5a2cf30220b6cd90fdc8227/.github/workflows/ci.yaml#L428-L453 (for dev images) and https://github.com/dadrus/heimdall/blob/4f018677b6e2e6b2b5a2cf30220b6cd90fdc8227/.github/workflows/ci.yaml#L529-L562 (for the released images) in place.
Both result in additional packages you can find in GH (heimdall-sbom and heimdall-signatures, with first being the signed SBOM and the second being the signature of the image, with both providing the same provenance as also available for regular binaries) and in DockerHub (with the same capabilities)

@dadrus

dadrus commented Mar 26, 2024

@spencerschrock: you're right, #3772 indeed won't help

One question: Is there some information expected beyond what is available with Sigstore provenance? Here is what is available. If you e.g. download https://github.com/dadrus/heimdall/releases/download/v0.13.0-alpha/heimdall_v0.13.0-alpha_darwin_amd64.tar.gz-keyless.pem and run `cat heimdall_v0.13.0-alpha_darwin_amd64.tar.gz-keyless.pem | base64 -d | openssl x509 -text -noout`, you can see

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:70:33:86:76:56:8c:d3:21:91:a4:e3:47:66:2c:2d:2a:3b:f2:17
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: O = sigstore.dev, CN = sigstore-intermediate
        Validity
            Not Before: Jan  3 14:09:00 2024 GMT
            Not After : Jan  3 14:19:00 2024 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:5f:01:ae:ec:95:a0:c8:cc:08:13:d9:0d:93:dc:
                    85:4f:89:a5:79:6d:ca:5f:9c:44:cf:f2:17:d2:d7:
                    fd:41:39:0d:a2:44:cd:5b:08:77:89:17:0d:bb:86:
                    83:8a:a7:de:36:ea:49:11:16:17:e1:b3:f1:4f:51:
                    f5:39:7b:59:c3
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Subject Key Identifier: 
                98:17:05:60:BB:1D:8B:15:D2:15:CC:52:BF:BA:FA:2E:DC:B8:20:1E
            X509v3 Authority Key Identifier: 
                DF:D3:E9:CF:56:24:11:96:F9:A8:D8:E9:28:55:A2:C6:2E:18:64:3F
            X509v3 Subject Alternative Name: critical
                URI:https://github.com/dadrus/heimdall/.github/workflows/ci.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.1: 
                https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.2: 
                push
            1.3.6.1.4.1.57264.1.3: 
                0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.4: 
                CI
            1.3.6.1.4.1.57264.1.5: 
                dadrus/heimdall
            1.3.6.1.4.1.57264.1.6: 
                refs/heads/main
            1.3.6.1.4.1.57264.1.8: 
                .+https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.9: 
                .Lhttps://github.com/dadrus/heimdall/.github/workflows/ci.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.10: 
                .(0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.11: 
github-hosted   .
            1.3.6.1.4.1.57264.1.12: 
                ."https://github.com/dadrus/heimdall
            1.3.6.1.4.1.57264.1.13: 
                .(0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.14: 
                ..refs/heads/main
            1.3.6.1.4.1.57264.1.15: 
                ..480728437
            1.3.6.1.4.1.57264.1.16: 
                ..https://github.com/dadrus
            1.3.6.1.4.1.57264.1.17: 
                ..10072595
            1.3.6.1.4.1.57264.1.18: 
                .Lhttps://github.com/dadrus/heimdall/.github/workflows/ci.yaml@refs/heads/main
            1.3.6.1.4.1.57264.1.19: 
                .(0a89ca3660000094366df83c68762140e579ec86
            1.3.6.1.4.1.57264.1.20: 
                ..push
            1.3.6.1.4.1.57264.1.21: 
                .Ehttps://github.com/dadrus/heimdall/actions/runs/7398184009/attempts/1
            1.3.6.1.4.1.57264.1.22: 
                ..public
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DD:3D:30:6A:C6:C7:11:32:63:19:1E:1C:99:67:37:02:
                                A2:4A:5E:B8:DE:3C:AD:FF:87:8A:72:80:2F:29:EE:8E
                    Timestamp : Jan  3 14:09:00.630 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:4A:D5:EC:4C:FE:50:E8:D6:6F:EF:31:E1:
                                3A:0B:BE:15:ED:32:C5:B1:66:2A:F5:B6:1F:80:AF:D2:
                                12:A4:80:88:02:21:00:B1:62:03:BF:DB:54:1A:5F:09:
                                57:92:63:58:94:63:8B:35:13:2E:7D:BD:12:4E:47:E0:
                                49:7A:A4:B7:A4:33:99
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:64:02:30:75:b6:fb:cb:a6:d1:fe:1d:08:40:e1:cd:62:f4:
        93:f1:c9:9b:ec:49:37:e4:76:5f:65:ac:28:95:fe:a1:6a:7e:
        4b:71:a0:26:d7:a8:7b:75:da:c4:15:e0:b5:94:77:85:02:30:
        7a:2e:7e:9c:bc:9c:e7:42:0f:34:36:d0:ad:09:c5:1a:cb:57:
        7e:50:71:29:cc:ea:cd:d1:02:96:89:31:d4:19:7d:7f:22:6f:
        da:ca:a4:0b:78:06:0c:63:7b:c7:b5:82

The definitions of the OIDs can be found in https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
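The certificate above is the only thing a Signed-Releases style check has to go on for a keyless signature, so the useful question is what to read out of it and what to compare it against. The following Go code is an added example, not scorecard's, goreleaser's, or heimdall's code: it extracts the signer identity (SAN URI) and the OIDC issuer from a Fulcio-style leaf and compares them with an expected signer, the way cosign's `--certificate-identity` and `--certificate-oidc-issuer` flags do. It also shows the encoding detail visible in the dump above: the deprecated 1.3.6.1.4.1.57264.1.1 extension holds the issuer as raw bytes, while 1.3.6.1.4.1.57264.1.8 and the other newer OIDs wrap it in a DER UTF8String, which is why openssl prints a stray ".+" or ".(" in front of those values. The function names `ExtractKeylessIdentity`, `MatchesExpectedSigner` and `SampleFulcioLikeCert` are mine, and the sample certificate is constructed, self-signed test data that only mimics the extension layout of the real one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Fulcio extension OIDs under 1.3.6.1.4.1.57264.1 (see fulcio/docs/oid-info.md).
// 1.1 carries the issuer as raw bytes (deprecated); 1.8 wraps it in a DER UTF8String.
var (
	oidIssuerV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
	oidIssuerV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}
)

// KeylessIdentity is what a release-signing check compares against the expected signer.
type KeylessIdentity struct {
	Identity, Issuer string
}

// derString decodes one DER-wrapped string extension value (the 1.8+ form).
func derString(raw []byte) (string, error) {
	var s string
	rest, err := asn1.Unmarshal(raw, &s)
	if err == nil && len(rest) != 0 {
		err = errors.New("trailing bytes after DER string")
	}
	return s, err
}

// ExtractKeylessIdentity reads the signer identity from a Fulcio-style leaf:
// the single SAN URI plus the issuer extension, preferring the v2 (DER) form.
func ExtractKeylessIdentity(cert *x509.Certificate) (KeylessIdentity, error) {
	var id KeylessIdentity
	if len(cert.URIs) != 1 {
		return id, fmt.Errorf("want exactly one SAN URI, got %d", len(cert.URIs))
	}
	id.Identity = cert.URIs[0].String()
	for _, ext := range cert.Extensions {
		var err error
		switch {
		case ext.Id.Equal(oidIssuerV1) && id.Issuer == "":
			id.Issuer = string(ext.Value) // raw bytes, not DER
		case ext.Id.Equal(oidIssuerV2):
			id.Issuer, err = derString(ext.Value) // v2 overrides v1
		}
		if err != nil {
			return id, fmt.Errorf("extension %v: %w", ext.Id, err)
		}
	}
	if id.Issuer == "" {
		return id, errors.New("no Fulcio issuer extension present")
	}
	return id, nil
}

// MatchesExpectedSigner is the policy step: exact identity and issuer match,
// the same comparison cosign makes for --certificate-identity/--certificate-oidc-issuer.
func MatchesExpectedSigner(id KeylessIdentity, wantIdentity, wantIssuer string) bool {
	return id.Identity == wantIdentity && id.Issuer == wantIssuer
}

// SampleFulcioLikeCert is constructed test data: a self-signed leaf with the same
// SAN and issuer extensions as the certificate quoted above. Not a real Fulcio cert.
func SampleFulcioLikeCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	utf8 := func(oid asn1.ObjectIdentifier, s string) pkix.Extension {
		v, _ := asn1.MarshalWithParams(s, "utf8") // DER UTF8String, as Fulcio does
		return pkix.Extension{Id: oid, Value: v}
	}
	workflow, _ := url.Parse("https://github.com/dadrus/heimdall/.github/workflows/ci.yaml@refs/heads/main")
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(10 * time.Minute), // Fulcio leaves live about 10 minutes
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		URIs:         []*url.URL{workflow}, // empty Subject, so Go marks the SAN critical
		ExtraExtensions: []pkix.Extension{
			{Id: oidIssuerV1, Value: []byte("https://token.actions.githubusercontent.com")},
			utf8(oidIssuerV2, "https://token.actions.githubusercontent.com"),
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Two caveats for anyone turning this into a real check. First, the identity match has to be exact (or a deliberately narrow pattern): a fork's workflow gets its own Fulcio certificate from the same issuer, so accepting any `github.com/.../ci.yaml` identity accepts anyone's release. Second, the leaf is valid for about ten minutes, so `x509.Certificate.Verify` against the current time will always fail for a release that is more than a few minutes old; the chain must be verified at the signing time proven by the Rekor entry's integrated time (or a signed timestamp), against the Fulcio root from the Sigstore TUF trust root, in addition to checking the signature over the artifact itself.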

@github-actions github-actions bot removed the Stale label Mar 28, 2024