signing falcoctl binaries and container images
developer-guy opened this issue · 6 comments
What would you like to be added:
As we have cosign as a container signing solution today, we can use cosign to sign falcoctl container images. cosign also provides a solution for signing the binary artifacts, and goreleaser also uses cosign under the hood to provide the signing capability.
Why is this needed:
To provide better end-to-end integrity for the falcoctl artifacts, both binaries and container images.
I'm willing to work on it!
/cc @LucaGuerra
kindly ping @LucaGuerra
Hey @developer-guy thanks a lot for your interest!
#232
yep, absolutely! The process would be the same as we did in Falcosidekick.
To clarify the process:
- I'll add the cosign-installer GitHub action to the workflow to be able to install cosign
- I'll enable a bunch of permissions on the workflow to be able to enable the OIDC auth flow with Fulcio
- I'll add the `cosign sign` command for signing
That's all we need in the first place.
We have discussed this and we definitely want it! We have implemented the same in Falcosidekick already and it's a really welcome addition to falcoctl too along with all other official images :)
I will take care of this :) if no one is against
This is done!