Signature and SLSA attestation for all Carvel artifacts #619
Labels
carvel accepted
This issue should be considered for future work and that the triage process has been completed
enhancement
This issue is a feature request
priority/important-soon
Must be staffed and worked on currently or soon.
Describe the problem/challenge you have
Currently, the artefacts produced by the different Carvel projects (binaries, images, bundles) are not signed. It would be nice if they were all signed to help with the implementation of supply chain security practices on the consumer side, requiring verification and provenance attestation of any third-party tool.
More and more cloud native projects started adopting Sigstore for signing and verifying artefacts. It would be great if all Carvel artefacts were signed with Sigstore cosign. There's a "Sigstore Landscape" in the OpenSSF with all the projects using Sigstore. It would be nice to include Carvel there. For GitHub based builds, the official Sigstore GitHub Action to install cosign could be used.
As part of improving supply chain security, SLSA provides a framework to guarantee the integrity of software artefacts, with different levels of compliance.
One of the main concepts introduced by SLSA is the provenance "to trace software back to the source and define the moving parts in a complex supply chain". It's defined as "the verifiable information about software artifacts describing where, when and how something was produced".
It would be a great addition to Carvel if all the project artefacts were not only signed, but also provided with a signed provenance attestation following the standard in-toto format. Such attestation would contain information about how each artifact was built. For GitHub-based builds, there is an attestation generator provided by the SLSA project: https://github.com/slsa-framework/slsa-github-generator.
The text was updated successfully, but these errors were encountered: