Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Signature and SLSA attestation for all Carvel artifacts #619

Open
ThomasVitale opened this issue Jan 30, 2023 · 3 comments
Open

Signature and SLSA attestation for all Carvel artifacts #619

ThomasVitale opened this issue Jan 30, 2023 · 3 comments
Labels
carvel accepted This issue should be considered for future work and that the triage process has been completed enhancement This issue is a feature request priority/important-soon Must be staffed and worked on currently or soon.

Comments

@ThomasVitale
Copy link
Contributor

ThomasVitale commented Jan 30, 2023

Describe the problem/challenge you have

Currently, the artefacts produced by the different Carvel projects (binaries, images, bundles) are not signed. It would be nice if they were all signed to help with the implementation of supply chain security practices on the consumer side, requiring verification and provenance attestation of any third-party tool.

More and more cloud native projects started adopting Sigstore for signing and verifying artefacts. It would be great if all Carvel artefacts were signed with Sigstore cosign. There's a "Sigstore Landscape" in the OpenSSF with all the projects using Sigstore. It would be nice to include Carvel there. For GitHub based builds, the official Sigstore GitHub Action to install cosign could be used.

As part of improving supply chain security, SLSA provides a framework to guarantee the integrity of software artefacts, with different levels of compliance.

One of the main concepts introduced by SLSA is the provenance "to trace software back to the source and define the moving parts in a complex supply chain". It's defined as "the verifiable information about software artifacts describing where, when and how something was produced".

It would be a great addition to Carvel if all the project artefacts were not only signed, but also provided with a signed provenance attestation following the standard in-toto format. Such attestation would contain information about how each artifact was built. For GitHub-based builds, there is an attestation generator provided by the SLSA project: https://github.com/slsa-framework/slsa-github-generator.

@ThomasVitale ThomasVitale added carvel-triage enhancement This issue is a feature request labels Jan 30, 2023
@github-project-automation github-project-automation bot moved this to To Triage in Carvel Jan 30, 2023
@neil-hickey neil-hickey added carvel accepted This issue should be considered for future work and that the triage process has been completed priority/important-soon Must be staffed and worked on currently or soon. and removed carvel-triage labels Feb 22, 2023
@neil-hickey neil-hickey moved this from To Triage to Unprioritized in Carvel Feb 22, 2023
@ThomasVitale
Copy link
Contributor Author

Interesting info about how other projects handled this:

@ThomasVitale
Copy link
Contributor Author

I've started working on an RFC for this. I will publish a first draft here soon.

@microwavables microwavables changed the title Signature and SLSA attestation for all Carvel artefacts Signature and SLSA attestation for all Carvel artifacts Jan 8, 2024
@ThomasVitale
Copy link
Contributor Author

Signatures are now implemented for all Carvel artifacts (see #691).
Next step will be adding SLSA attestations and SBOMs. I'm working on a followup RFC for that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
carvel accepted This issue should be considered for future work and that the triage process has been completed enhancement This issue is a feature request priority/important-soon Must be staffed and worked on currently or soon.
Projects
Status: Unprioritized
Development

No branches or pull requests

2 participants