feat(security): add cosign to sign image #58

Merged: 1 commit, Aug 28, 2024

Member

@whg517 whg517 commented Aug 23, 2024

ref: #55

Since we are building the container in a container environment with buildah, we need to get the buildah container to support cosign signing and push the signing result to the mirror repository.

We need to do some extra work in the way we use cosign instead of github-action:

  1. Install the cosign command in the buildah container so that it can be used to sign the container after it is built.
  2. Passing OIDC information from the GitHub Actions environment into the buildah container allows cosign to keyless sign based on GitHub authentication in the buildah container.
  3. Fixed cosign not being able to use buildah cached authentication information directly in the buildah environment. ref: "cosign sign does not use local image registry credentials", sigstore/cosign#587 (comment)

Once the heredoc issue with buildah in ubuntu 24.04 environment is fixed, we can simply and easily complete these tasks using only github-action based mode.
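
The steps in the description above, sketched as an added shell example; this is not the code merged in this PR, and the function names are hypothetical. It assumes the buildah container is started with `docker run` or `podman run`, and relies on cosign reading Docker-style registry credentials from the directory named by `DOCKER_CONFIG`.

```shell
#!/bin/sh
# Added example, not the code merged in this PR; function names are hypothetical.
set -eu

# Host side (GitHub Actions job): print flags that forward the OIDC request
# variables into the build container by name, so the token value never appears
# on a command line. Fails closed when `permissions: id-token: write` is missing.
oidc_env_flags() {
    if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
       [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
        echo "OIDC request variables not set; keyless signing unavailable" >&2
        return 1
    fi
    echo "--env ACTIONS_ID_TOKEN_REQUEST_URL --env ACTIONS_ID_TOKEN_REQUEST_TOKEN"
}

# Container side: copy buildah's auth file ($1) to $2/config.json with private
# permissions and print the directory to export as DOCKER_CONFIG.
stage_registry_auth() {
    if ! grep -q '"auths"' "$1"; then
        echo "$1 has no \"auths\" section; run buildah login first" >&2
        return 1
    fi
    mkdir -p "$2"
    chmod 700 "$2"
    ( umask 077 && cp "$1" "$2/config.json" )
    echo "$2"
}

# Accept only digest-pinned references, so the signature covers the exact image
# that was pushed and not whatever a mutable tag points to later.
is_digest_ref() {
    case $1 in
        *@sha256:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Sign one pushed image: $1 is the image reference, $2 is buildah's auth file
# (by default ${XDG_RUNTIME_DIR}/containers/auth.json, or $REGISTRY_AUTH_FILE).
sign_image() {
    is_digest_ref "$1" || { echo "refusing to sign tag reference: $1" >&2; return 1; }
    DOCKER_CONFIG=$(stage_registry_auth "$2" "$(mktemp -d)")
    export DOCKER_CONFIG
    cosign sign --yes "$1"
}
```

On the host, the output of `oidc_env_flags` is appended to the command that starts the build container; inside it, `sign_image` is called with the digest reference reported by the push.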

@whg517 whg517 force-pushed the feat/add-cosign branch 6 times, most recently from 0dbc2c2 to 4f2e88e Compare August 26, 2024 06:54
Member Author

whg517 commented Aug 26, 2024

@lwpk110 ready to review

@whg517 whg517 force-pushed the feat/add-cosign branch 4 times, most recently from 7fec352 to df9a280 Compare August 27, 2024 12:15
@whg517 whg517 merged commit 3612a37 into zncdatadev:main Aug 28, 2024
20 checks passed
@whg517 whg517 deleted the feat/add-cosign branch September 8, 2024 04:33
This pull request was closed.