request #22240 Sign Docker images using Cosign

Artifact

Infos

Artifact ID#22240

Submitted byThomas Gerbet (tgerbet)

Last Modified On2021-08-10 12:55

Submitted on2021-07-22 09:46

Rank23807

Details

Summary *

Sign Docker images using Cosign

Original Submission

The goal is to provide a way for users to verify the authenticity of the image they download and deploy.

The images are going to be signed using Cosign.

Three different keypairs will be generated to manage the different build context:

one will be used to sign the Tuleap Community Docker image
one will be used to sign the Tuleap Enterprise Docker image
one will be use to sign the Docker images used for everything that is not meant to be used on production server (e.g. ghcr.io/enalean/tuleap-test-phpunit:c7-php74)

The keys will be managed by the instance of HashiCorp Vault maintained by Enalean (in the same way we currently do for the GPG keys used to sign the RPM packages).

The Tuleap documentation will be updated to show how the verification can be done. Advanced use cases such as blocking non signed with, for example, Open Policy Agent will be left as an exercise to the readers.

CategoryDocker images

Reported in versionEmpty

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2021-08-10

Attachments

Connected artifacts

Artifact links

Empty

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #22240

Git commit

tuleap/tools/release-manifest

Sign Tuleap Community Docker image wiht Cosign master 799cee2de4

Thomas Gerbet (tgerbet) , 2021-07-26 11:37

tuleap/tools/sign-packages-repositories

Add an image to sign Docker images master ac4b813cd6

Thomas Gerbet (tgerbet) , 2021-07-23 17:41

tuleap/tuleap/stable

Update nixpkgs pin bfd7cf351c

Thomas Gerbet (tgerbet) , 2021-07-22 10:53

Add Cosign to the build tools c61e884c79

Thomas Gerbet (tgerbet) , 2021-07-23 11:43

ADR: Docker images signatures / Verify Docker images authenticity d4b10151bb

Thomas Gerbet (tgerbet) , 2021-07-23 09:48

Verify signatures of Docker images that developers pull explicitly 4cd7336362

Thomas Gerbet (tgerbet) , 2021-08-06 12:25

tuleap/u/tgerbet/tools/release-manifest

Sign Tuleap Community Docker image wiht Cosign 799cee2de4

Thomas Gerbet (tgerbet) , 2021-07-26 11:37

Show items referenced by request #22240

Referenced by request #22240

Other

Follow-ups

Thomas Gerbet (tgerbet)

2021-08-10 12:55

Status changed from Under implementation to Closed
Close date set to 2021-08-10

Benjamin Bouillot (ben.bouillot)

2021-08-09 10:27

gerrit #23627 (Verify signatures of Docker images that developers pull explicitly) integrated into Tuleap 12.11.99.139

Manuel Vacelet (vaceletm)

2021-07-27 13:23

Documentation was updated

Manuel Vacelet (vaceletm)

2021-07-27 13:08

gerrit #23490 ADR: Docker images signatures / Verify Docker images authenticity - integrated in Tuleap 12.11.99.33

Marie Ange Garnier (marieange)

2021-07-23 16:23

gerrit #23501 integrated into Tuleap 12.11.99.17

Joris MASSON (jmasson)

2021-07-22 18:14

gerrit #23488 integrated in Tuleap 12.11.99.10