
Sign image builds #1219

Open

Description

The images we publish here:

# Use the ko binary to build the crane and gcrane builder images.
ko publish --platform=all -B github.com/google/go-containerregistry/cmd/crane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
ko publish --platform=all -B github.com/google/go-containerregistry/cmd/gcrane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
# Use the ko binary to build the crane and gcrane builder *debug* images.
export KO_CONFIG_PATH=./.ko/debug/
ko publish --platform=all -B github.com/google/go-containerregistry/cmd/crane -t "debug"
ko publish --platform=all -B github.com/google/go-containerregistry/cmd/gcrane -t "debug"
# Tag-specific debug images are pushed to gcr.io/go-containerregistry/{g}crane/debug:...
KO_DOCKER_REPO=gcr.io/$PROJECT_ID/crane/debug ko publish --platform=all --bare github.com/google/go-containerregistry/cmd/crane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"
KO_DOCKER_REPO=gcr.io/$PROJECT_ID/gcrane/debug ko publish --platform=all --bare github.com/google/go-containerregistry/cmd/gcrane -t latest -t "$COMMIT_SHA" -t "$TAG_NAME"

... should all be signed with cosign, ideally using the "keyless" flow.

For GCB-based keyless signing we can copy what distroless does here: https://github.com/GoogleContainerTools/distroless/blob/3ecf55603e31c8c01b4da2da8dc34a41757b778c/cloudbuild.yaml#L81-L82

... essentially the GCB SA is used to impersonate keyless@go-containerregistry.iam.gserviceaccount.com for the identity challenge. Some IAM needs to be configured, and then things just work 😉


I believe @jonjohnsonjr has to do this given the requirement that we futz with the GCP stuff, but @dlorenc or I would be happy to help navigate this.
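One way to wire the keyless flow into a cloudbuild.yaml, as an added example that is not the project's configuration and not the distroless file linked above: the ko publish step captures the digest-qualified references ko prints, a gcloud step mints a short-lived OIDC identity token by impersonating the keyless service account, and a final step signs each digest with cosign and then verifies the signature against the expected identity. The builder images, the `_KEYLESS_SA` substitution, the /workspace file names and the cosign/ko versions are assumptions for illustration; the keyless account name is the one the issue mentions.

```yaml
# Added example: Cloud Build steps for keyless cosign signing of ko-built images.
# Not the project's own cloudbuild.yaml. Builder images, substitution names and
# file paths are assumptions. Note that Cloud Build substitutes $VAR in scripts,
# so shell variables are written as $$var to escape them.
substitutions:
  _KEYLESS_SA: keyless@go-containerregistry.iam.gserviceaccount.com

steps:
  # 1. Build and push with ko. ko prints the digest-qualified reference of each
  #    image it publishes; record them so the signature is pinned to a digest
  #    rather than to a moving tag such as :latest.
  - name: golang:1.21
    id: publish
    entrypoint: bash
    env:
      - KO_DOCKER_REPO=gcr.io/$PROJECT_ID
    args:
      - -c
      - |
        set -euo pipefail
        go install github.com/google/ko@latest
        : > /workspace/images.txt
        for cmd in crane gcrane; do
          ko publish --platform=all -B "github.com/google/go-containerregistry/cmd/$$cmd" \
            -t latest -t "$COMMIT_SHA" -t "$TAG_NAME" >> /workspace/images.txt
        done

  # 2. Mint an identity token for the keyless service account. The build's own
  #    service account impersonates $_KEYLESS_SA, so the Fulcio certificate and
  #    the Rekor entry name the keyless identity instead of the builder. This
  #    call requires roles/iam.serviceAccountTokenCreator on $_KEYLESS_SA for
  #    the build service account; that binding is the IAM the issue refers to.
  #    Audience "sigstore" is what Fulcio expects; --include-email puts the
  #    email claim into the token so it can be bound into the certificate.
  - name: gcr.io/cloud-builders/gcloud
    id: id-token
    entrypoint: bash
    args:
      - -c
      - |
        set -euo pipefail
        gcloud auth print-identity-token \
          --impersonate-service-account="$_KEYLESS_SA" \
          --audiences=sigstore \
          --include-email > /workspace/id_token

  # 3. Sign every published digest, then verify it. cosign v2 is keyless by
  #    default; --yes skips the interactive confirmation about uploading to the
  #    transparency log. The verify step pins the expected signer identity and
  #    OIDC issuer, which is the check consumers of these images should run too.
  - name: golang:1.21
    id: sign-and-verify
    entrypoint: bash
    args:
      - -c
      - |
        set -euo pipefail
        go install github.com/sigstore/cosign/v2/cmd/cosign@latest
        TOKEN="$$(cat /workspace/id_token)"
        while read -r img; do
          cosign sign --yes --identity-token="$$TOKEN" "$$img"
          cosign verify \
            --certificate-identity="$_KEYLESS_SA" \
            --certificate-oidc-issuer=https://accounts.google.com \
            "$$img" > /dev/null
        done < /workspace/images.txt
```

The one piece of IAM this assumes is a binding of roles/iam.serviceAccountTokenCreator on the keyless service account for whatever account runs the build (by default PROJECT_NUMBER@cloudbuild.gserviceaccount.com). Verification uses the Google OIDC issuer because the token is a Google service-account identity token; consumers pulling the images would run the same `cosign verify` flags rather than trusting the tag.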

