Sign releases with cosign #1761

Closed
mattmoor opened this issue Oct 11, 2021 · 3 comments

@mattmoor
Collaborator

Actual behavior

If I try to use the upstream kaniko images with cosigned enabled, the build pods are rejected.

Expected behavior

The upstream releases should be signed against the Fulcio root, so that folks can verify their signature.

Distroless does this with GCB here: https://github.com/GoogleContainerTools/distroless/blob/57231e548132eaef221708f0b7d46762efae9e42/cloudbuild.yaml#L71

I'd recommend following exactly this pattern if we can (incl. the serviceaccount name).

cc @priyawadhwa @dlorenc

@priyawadhwa
Collaborator

Sgtm!

The only issue rn is that it looks like kaniko GCB builds have been broken for a few months now, so images aren't being released or signed 😕 I'll try and get #1741 merged, which might fix it 🤞🏽

@MFTabriz

@priyawadhwa seems like even after the merge it's still not working correctly.

@aaron-prindle
Collaborator

Releases are signed with cosign now as noted in the kaniko README.md docs - https://github.com/GoogleContainerTools/kaniko/blob/main/README.md#verifying-signed-kaniko-images

Closing
