falcosecurity/falcoctl

signing falcoctl binaries and container images

developer-guy opened this issue · 6 comments

What would you like to be added:

As we have cosign as a container signing solution today, we can use cosign to sign falcoctl container images [1]. cosign also provides a solution for signing binary artifacts, and goreleaser also uses cosign under the hood to provide the signing capability. [2]

Why is this needed:

To provide better end-to-end integrity for the falcoctl artifacts, both binaries and container images.

I'm willing to work on it!

/cc @LucaGuerra

Footnotes

  1. https://www.chainguard.dev/unchained/zero-friction-keyless-signing-with-github-actions

  2. https://carlosbecker.com/posts/goreleaser-cosign/

Hey @developer-guy thanks a lot for your interest! 🙇 I had the pleasure of chatting with you recently and I'd like to ask you if the way you propose would be the same one that we use for Falcosidekick and, if not, I believe we should pick one mechanism and use the same as we add new signatures, as we're discussing in the supply chain security channel. Thanks a lot again!

#232
Yep, absolutely! The process would be the same as we did in Falcosidekick.
To clarify the process:

  • I'll add the cosign-installer GitHub Action to the workflow to be able to install cosign
  • I'll enable a bunch of permissions on the workflow to be able to enable the OIDC auth flow with Fulcio
  • I'll add the cosign sign command for signing

That's all we need in the first place.
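A workflow that implements the three steps above, as an added example (not falcoctl's own workflow): the `sign-artifacts` name, the `PLACEHOLDER-org` image path, the digest resolution via `docker buildx imagetools`, the checksum file name and the final verify step are assumptions, not taken from the issue.

```yaml
# Added example, not the falcoctl project's workflow. Keyless (Fulcio/OIDC)
# signing of a pushed image and of a release checksum file, plus a verify
# step so the job fails if the signature would not check out for consumers.
name: sign-artifacts
on:
  release:
    types: [published]

permissions:
  contents: read      # nothing beyond what is listed here is granted
  id-token: write     # step 2: lets the job request an OIDC token for Fulcio
  packages: write     # needed to push the signature next to the image

jobs:
  sign:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/PLACEHOLDER-org/falcoctl   # PLACEHOLDER: assumed image path
      TAG: ${{ github.event.release.tag_name }}
    steps:
      - uses: sigstore/cosign-installer@v3        # step 1: install cosign

      - name: Log in to the registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Sign the image by digest              # step 3: cosign sign
        run: |
          # Sign the immutable digest, not the tag: a tag can be re-pointed
          # later, a digest cannot, so the signature stays bound to content.
          digest=$(docker buildx imagetools inspect "$IMAGE:$TAG" \
                     --format '{{.Manifest.Digest}}')
          cosign sign --yes "$IMAGE@$digest"
          echo "DIGEST=$digest" >> "$GITHUB_ENV"

      - name: Sign the release checksum file (binaries)
        run: |
          # checksums.txt is assumed to be produced by the release build.
          cosign sign-blob --yes checksums.txt \
            --output-signature checksums.txt.sig \
            --output-certificate checksums.txt.pem

      - name: Verify what was just signed
        run: |
          # Pin the expected signer identity; without these flags a keyless
          # verify accepts any certificate issued by the public Fulcio.
          cosign verify "$IMAGE@$DIGEST" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github.com/PLACEHOLDER-org/falcoctl/'
```

Consumers run the same `cosign verify` (and `cosign verify-blob` with the `.sig`/`.pem` pair for the checksum file) with those identity flags; the signature and the certificate chain alone do not tell them which workflow signed the artifact.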

We have discussed this and we definitely want it! We have implemented the same in Falcosidekick already and it's a really welcome addition to falcoctl too along with all other official images :)

I will take care of this :) if no one is against it

This is done!