Supporting Cosign Sigstore signing workflow

Question

Supporting Cosign Sigstore signing workflow

mgreau opened this issue a year ago · 2 comments

mgreau commented a year ago

Hi,

Starting with 8.8.0, the Elastic images are now signed with Cosign Sigstore as you can see below.

Do you have plans to support signing the "library" images?

Or even better a way for us to push our signed images there similar to the elastic images?

Thanks

cc @tianon

Elasticsearch - Docker Hub Elastic repository

cosign verify  \
           --key https://artifacts.elastic.co/cosign.pub \
           elastic/elasticsearch:8.8.0

Verification for index.docker.io/elastic/elasticsearch:8.8.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"docker.elastic.co/elasticsearch/elasticsearch"},"image":{"docker-manifest-digest":"sha256:9aaa38551b4d9e655c54d9dc6a1dad24ee568c41952dc8cf1d4808513cfb5f65"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIB6wscj/N6wUOhMq9pFSgaaji3d5HlOLsz2xiI40aW0mAiEA6nvDSPSwwfShSVbILUTbMFqVAfPWvrB5XXz13htMlUQ=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzZmYzZDIzZWVmOTliMDI3YWMzNjE2YWY2ZWQyZTk4MjgyMDRkOTY0MTU0MTQ4MzJiZTU5YThhMzAzZmRjN2YzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURIenVoV3pibkZsSUxVallMN2MxWm9TaVh3NzVPdmF2SldLVGsvcGRSQUhRSWhBS2hZSS9KTXZtNWJ6M3k2ajdvSzFQc2ZxUUQ0K01lQS9uSFB2a3F4UzIzVyIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGY1ZaMlRtUlJkR1JrZEdWdGRtWmpWV1V5VGpCbloxZ3ZjSFJxYVFwRlZYRjRlakp3UkZVM1ZWYzFiVE53WkcxSU1UTnJUVXR3ZURselJqUjJWVFZLVDJVM1ZYSXJSazVJVERkaFlXaE1hbWRIWXpBNGRXUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1685024464,"logIndex":21642671,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"tag":"8.8.0"}}]

Elasticsearch - Elastic Container Registry

cosign verify  \
           --key https://artifacts.elastic.co/cosign.pub \
           docker.elastic.co/elasticsearch/elasticsearch:8.8.0

Verification for docker.elastic.co/elasticsearch/elasticsearch:8.8.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"docker.elastic.co/elasticsearch/elasticsearch"},"image":{"docker-manifest-digest":"sha256:9aaa38551b4d9e655c54d9dc6a1dad24ee568c41952dc8cf1d4808513cfb5f65"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIB6wscj/N6wUOhMq9pFSgaaji3d5HlOLsz2xiI40aW0mAiEA6nvDSPSwwfShSVbILUTbMFqVAfPWvrB5XXz13htMlUQ=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzZmYzZDIzZWVmOTliMDI3YWMzNjE2YWY2ZWQyZTk4MjgyMDRkOTY0MTU0MTQ4MzJiZTU5YThhMzAzZmRjN2YzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURIenVoV3pibkZsSUxVallMN2MxWm9TaVh3NzVPdmF2SldLVGsvcGRSQUhRSWhBS2hZSS9KTXZtNWJ6M3k2ajdvSzFQc2ZxUUQ0K01lQS9uSFB2a3F4UzIzVyIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGY1ZaMlRtUlJkR1JrZEdWdGRtWmpWV1V5VGpCbloxZ3ZjSFJxYVFwRlZYRjRlakp3UkZVM1ZWYzFiVE53WkcxSU1UTnJUVXR3ZURselJqUjJWVFZLVDJVM1ZYSXJSazVJVERkaFlXaE1hbWRIWXpBNGRXUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1685024464,"logIndex":21642671,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"tag":"8.8.0"}}]

Elasticsearch - AWS ECR registry

cosign verify  \
           --key https://artifacts.elastic.co/cosign.pub \
           public.ecr.aws/elastic/elasticsearch:8.8.0

Verification for public.ecr.aws/elastic/elasticsearch:8.8.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"docker.elastic.co/elasticsearch/elasticsearch"},"image":{"docker-manifest-digest":"sha256:9aaa38551b4d9e655c54d9dc6a1dad24ee568c41952dc8cf1d4808513cfb5f65"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIB6wscj/N6wUOhMq9pFSgaaji3d5HlOLsz2xiI40aW0mAiEA6nvDSPSwwfShSVbILUTbMFqVAfPWvrB5XXz13htMlUQ=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzZmYzZDIzZWVmOTliMDI3YWMzNjE2YWY2ZWQyZTk4MjgyMDRkOTY0MTU0MTQ4MzJiZTU5YThhMzAzZmRjN2YzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURIenVoV3pibkZsSUxVallMN2MxWm9TaVh3NzVPdmF2SldLVGsvcGRSQUhRSWhBS2hZSS9KTXZtNWJ6M3k2ajdvSzFQc2ZxUUQ0K01lQS9uSFB2a3F4UzIzVyIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGY1ZaMlRtUlJkR1JrZEdWdGRtWmpWV1V5VGpCbloxZ3ZjSFJxYVFwRlZYRjRlakp3UkZVM1ZWYzFiVE53WkcxSU1UTnJUVXR3ZURselJqUjJWVFZLVDJVM1ZYSXJSazVJVERkaFlXaE1hbWRIWXpBNGRXUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1685024464,"logIndex":21642671,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"tag":"8.8.0"}}]

Answer 1 · 2023-05-25T20:56:28.000Z

Happy to help here!

Answer 2 · 2023-07-28T19:00:40.000Z

Does anyone know where we can get the certificate authority used by elastic to sign the images? Without that we can't really verify it in a kubernetes cluster using Kyverno