Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proposal - Signatures for Carvel Artifacts #668

Merged
merged 9 commits into from
Sep 29, 2023
Merged

Proposal - Signatures for Carvel Artifacts #668

merged 9 commits into from
Sep 29, 2023

Conversation

ThomasVitale
Copy link
Contributor

Proposal for introducing signatures for all Carvel artifacts as previously suggested in #619.

@netlify
Copy link

netlify bot commented Aug 8, 2023

Deploy Preview for carvel canceled.

Name Link
🔨 Latest commit ae0e108
🔍 Latest deploy log https://app.netlify.com/sites/carvel/deploys/6516febf1093dc0008cccded

Signed-off-by: Thomas Vitale <[email protected]>
Signed-off-by: Thomas Vitale <[email protected]>
Copy link
Contributor

@100mik 100mik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you so much for putting this together 🙏🏼
Just added a few thoughts and called out some "nice to haves"!

proposals/carvel/002-artifact-signatures/README.md Outdated Show resolved Hide resolved
@ThomasVitale
Copy link
Contributor Author

@100mik thanks for your review. I have added examples in GitHub Actions of how to verify the signatures for both OCI and binary artifacts (including links to a couple of demos I made). I have also refined the suggestion for the binary artifacts part and included examples of how to integrate Cosign with GoReleaser, since that's the tool used by all Carvel projects.

Signed-off-by: Thomas Vitale <[email protected]>
Copy link
Member

@joaopapereira joaopapereira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The proposal looks good.
The only question I would like to see answered before a thumbs up is, what are the plans for our GitHub action? Should it also verify that the binaries are signed? If so, we need to ensure we are backward compatible since we have older versions without signatures.

@ThomasVitale
Copy link
Contributor Author

@joaopapereira thanks for the review. Do you mean this Action? https://github.com/carvel-dev/setup-action I can see we are currently verifying the checksums against the checksums.txt file bundled with the specific release. We could extend that step so that if a signature is included among the artifacts part of the release, then we validate the signature, otherwise we don't. That way we can ensure backward compatibility. What do you think?

@joaopapereira
Copy link
Member

That sounds great to me. I will review it again when you add this part. Thanks for the great work.

@ThomasVitale
Copy link
Contributor Author

@joaopapereira I have added a section to describe the changes suggested for the Carvel GitHub Action.

Copy link
Member

@joaopapereira joaopapereira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

@100mik 100mik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! 🚀

Copy link
Member

@praveenrewar praveenrewar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thank you so much for the great work !!

Copy link
Member

@joaopapereira joaopapereira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are at the point where we can consider this Lazyly approved. @ThomasVitale please update the status and we will be able to merge it.

---
title: "Signatures for Carvel Artifacts"
authors: [ "Thomas Vitale <[email protected]>" ]
status: "in review"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
status: "in review"
status: "accepted"

Copy link
Contributor Author

@ThomasVitale ThomasVitale Sep 29, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joaopapereira Thanks, I updated the status

@100mik
Copy link
Contributor

100mik commented Sep 29, 2023

Green lights all the way!

@100mik 100mik merged commit 56245b8 into carvel-dev:develop Sep 29, 2023
4 checks passed
@100mik
Copy link
Contributor

100mik commented Sep 29, 2023

We should probably work towards having a flow that does not require commits to change statuses in the future 🤔

ashpect pushed a commit to ashpect/carvel that referenced this pull request Mar 3, 2024
* Proposal - Signatures for Carvel Artifacts

Signed-off-by: Thomas Vitale <[email protected]>

* Update proposal metadata

Signed-off-by: Thomas Vitale <[email protected]>

* Improve formatting

Signed-off-by: Thomas Vitale <[email protected]>

* Update proposal status

Signed-off-by: Thomas Vitale <[email protected]>

* Improve proposal after review

Signed-off-by: Thomas Vitale <[email protected]>

* Refined proposal for binaries + examples

Signed-off-by: Thomas Vitale <[email protected]>

* Fix typo

Signed-off-by: Thomas Vitale <[email protected]>

* Introduce changes to Carvel GH Action

Signed-off-by: Thomas Vitale <[email protected]>

* Update proposal status to 'accepted'

Signed-off-by: Thomas Vitale <[email protected]>

---------

Signed-off-by: Thomas Vitale <[email protected]>
Signed-off-by: ashpect <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

4 participants