Update page Verify Signed Kubernetes Artifacts for cosign 2.0 #39775

Closed
kranurag7 opened this issue Mar 3, 2023 · 8 comments · Fixed by #41071
Labels
kind/bug Categorizes issue or PR as related to a bug. language/en Issues or PRs related to English language sig/release Categorizes an issue or PR as relevant to SIG Release. sig/security Categorizes an issue or PR as relevant to SIG Security. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@kranurag7
Contributor

This is a Feature Request
After cosign 2.0 release, we don't need COSIGN_EXPERIMENTAL=1. We should update the instructions on the task page to include verification using cosign 2.0

What would you like to be added

verification using cosign 2.0
~ $ cosign verify registry.k8s.io/kube-apiserver:v1.26.0 --certificate-identity-regexp [email protected] --certificate-oidc-issuer https://accounts.google.com | jq .

Verification for registry.k8s.io/kube-apiserver:v1.26.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
[
  {
    "critical": {
      "identity": {
        "docker-reference": "europe-west1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-apiserver"
      },
      "image": {
        "docker-manifest-digest": "sha256:d230a0b88a3daf14e4cce03b906b992c8153f37da878677f434b1af8c4e8cc75"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "1.3.6.1.4.1.57264.1.1": "https://accounts.google.com",
      "Bundle": {
        "SignedEntryTimestamp": "MEYCIQDnvT+cu60FogfZIdroUCP3Mrckp9aILhcvFik9k+NoLwIhAMoZ+shE4tj4SNbN+a29YfAmloCm3S8tZ3jCDbC4o+/B",
        "Payload": {
          "body": "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",
          "integratedTime": 1670542146,
          "logIndex": 8691003,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "Issuer": "https://accounts.google.com",
      "Subject": "[email protected]",
      "org.kubernetes.kpromo.mirrors": "asia-northeast2-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,us-west1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,us.gcr.io/k8s-artifacts-prod/kubernetes/kube-controller-manager-amd64,us-south1-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,us-west2-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,europe-west9-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,us-west1-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,asia-northeast1-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,europe-north1-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,europe-southwest1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,asia-east1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,australia-southeast1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,us-east4-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,asia-northeast2-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,us-south1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,europe-west1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,asia.gcr.io/k8s-artifacts-prod/kubernetes/kube-controller-manager-amd64,us-central1-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,asia-northeast1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,us-east1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,asia.gcr.io/k8s-artifacts-prod/kube-controller-manager-amd64,europe-west2-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,southamerica-west1-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,europe-west8-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,us-east5-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,asia-south1-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,us-east4-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,us-west2-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,eu.gcr.io/k8s-artifacts-prod/kube-controller-manager-amd64,europe-north1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,southamerica-west1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,europe-west4-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,eu.gcr.io/k8s-artifacts-prod/kubernetes/kube-controller-manager-amd64,us.gcr.io/k8s-artifacts-prod/kube-controller-manager-amd64,europe-west8-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,asia-south1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,europe-west9-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,australia-southeast1-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,us-central1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,asia-east1-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,us-east5-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,europe-west2-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64,europe-southwest1-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,europe-west4-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,us-east1-docker.pkg.dev/k8s-artifacts-prod/images/kube-controller-manager-amd64,europe-west1-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-controller-manager-amd64"
    }
  }
]

Add a note if cosign version < 2.0

Why is this needed
There are some breaking changes in cosign 2.0 and we should update the instruction for the verification of images.
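The cosign 2.0 change the issue describes (keyless verification no longer needs `COSIGN_EXPERIMENTAL=1`, but the expected certificate identity and OIDC issuer must now be passed explicitly), as an added POSIX shell example that is not part of this issue, the docs page, or cosign itself. It picks the documented invocation for the installed cosign major version and pulls the `Subject` and `Issuer` fields out of cosign's JSON output so a script can log what it accepted. The identity regexp `signer@example.invalid`, the sample JSON, and the assumption that `cosign version` prints a `GitVersion:` line are all placeholders or assumptions; take the real identity and issuer from the docs page for the release being verified.

```shell
#!/bin/sh
# Added example (not from the issue, the Kubernetes docs, or cosign):
# choose the documented cosign invocation for keyless verification of a
# Kubernetes image based on the installed cosign major version, and
# post-check the signer identity cosign reports.
#
# Labelled assumptions / placeholders:
#   - `cosign version` is assumed to print a "GitVersion: vX.Y.Z" line.
#   - IDENTITY_REGEXP is a placeholder; use the identity from the docs page.

IMAGE="${IMAGE:-registry.k8s.io/kube-apiserver:v1.26.0}"
IDENTITY_REGEXP="${IDENTITY_REGEXP:-signer@example.invalid}"   # placeholder
ISSUER="${ISSUER:-https://accounts.google.com}"

# Constructed sample of cosign's JSON output (trimmed), used for the post-check helpers.
SAMPLE_OUTPUT='[{"critical":{"identity":{"docker-reference":"registry.example/kube-apiserver"},"type":"cosign container image signature"},"optional":{"Issuer":"https://accounts.google.com","Subject":"signer@example.invalid"}}]'

# Print the major number of a cosign version string ("v2.0.0" -> "2").
cosign_major_version() {
  v="${1#v}"
  printf '%s\n' "${v%%.*}"
}

# Print the verify command that matches the given cosign version.
#   cosign >= 2.0: keyless is the default, identity and issuer flags are required.
#   cosign <  2.0: keyless verification is gated behind COSIGN_EXPERIMENTAL=1.
# $1 cosign version, $2 image ref, $3 identity regexp, $4 OIDC issuer
build_verify_command() {
  major=$(cosign_major_version "$1")
  case "$major" in
    ''|*[!0-9]*)
      printf 'unrecognised cosign version: %s\n' "$1" >&2
      return 2 ;;
  esac
  if [ "$major" -ge 2 ]; then
    printf 'cosign verify %s --certificate-identity-regexp %s --certificate-oidc-issuer %s\n' \
      "$2" "$3" "$4"
  else
    printf 'COSIGN_EXPERIMENTAL=1 cosign verify %s\n' "$2"
  fi
}

# Extract the first "Subject" / "Issuer" value from cosign's JSON output.
# cosign 2.0 already rejects signatures whose identity or issuer do not match
# the flags; these helpers let a pipeline record what it accepted.
signing_subject() { printf '%s\n' "$1" | sed -n 's/.*"Subject": *"\([^"]*\)".*/\1/p' | head -n 1; }
signing_issuer()  { printf '%s\n' "$1" | sed -n 's/.*"Issuer": *"\([^"]*\)".*/\1/p'  | head -n 1; }

# Verify IMAGE with the installed cosign and report the signer.
# The human-readable "Verification for ..." lines go to stderr, the JSON to stdout.
verify_image() {
  command -v cosign >/dev/null 2>&1 || { echo 'cosign not installed' >&2; return 1; }
  version=$(cosign version 2>/dev/null | sed -n 's/^GitVersion:[[:space:]]*//p')  # assumed format
  cmd=$(build_verify_command "$version" "$IMAGE" "$IDENTITY_REGEXP" "$ISSUER") || return 2
  echo "running: $cmd" >&2
  if [ "$(cosign_major_version "$version")" -ge 2 ]; then
    out=$(cosign verify "$IMAGE" \
            --certificate-identity-regexp "$IDENTITY_REGEXP" \
            --certificate-oidc-issuer "$ISSUER") || { echo 'verification FAILED' >&2; return 1; }
  else
    out=$(COSIGN_EXPERIMENTAL=1 cosign verify "$IMAGE") || { echo 'verification FAILED' >&2; return 1; }
  fi
  printf 'verified %s, signed by %s via %s\n' \
    "$IMAGE" "$(signing_subject "$out")" "$(signing_issuer "$out")"
}

# Only run when asked, so the file can also be sourced for its helper functions.
if [ "${RUN_VERIFY:-0}" = 1 ]; then
  verify_image
fi
```

Run it with `RUN_VERIFY=1 IDENTITY_REGEXP='<identity from the docs page>' sh verify.sh`; the executed branch avoids `eval` so the identity regexp and issuer are passed as single arguments even when they contain shell metacharacters. The version check is what the requested "cosign version < 2.0" note boils down to: on 1.x the explicit identity flags do not exist and `COSIGN_EXPERIMENTAL=1` is required instead.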

@kranurag7 kranurag7 added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 3, 2023
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Mar 3, 2023
@sftim
Contributor

sftim commented Mar 8, 2023

/sig release
/sig security

/retitle Update page Verify Signed Kubernetes Artifacts for cosign 2.0
/kind bug
/remove-kind feature
/language en

/triage accepted

Thanks

@k8s-ci-robot k8s-ci-robot changed the title Update instructions for verification of Kubernetes images Update page Verify Signed Kubernetes Artifacts for cosign 2.0 Mar 8, 2023
@k8s-ci-robot k8s-ci-robot added sig/release Categorizes an issue or PR as relevant to SIG Release. sig/security Categorizes an issue or PR as relevant to SIG Security. kind/bug Categorizes issue or PR as related to a bug. language/en Issues or PRs related to English language triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed kind/feature Categorizes issue or PR as related to a new feature. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 8, 2023
@sftim
Contributor

sftim commented Mar 8, 2023

Add a note if cosign version < 2.0

👍

@gracenng
Member

gracenng commented Mar 9, 2023

I can work on this
/assign

@kranurag7
Contributor Author

Hey @gracenng Are you still working on this issue? If not, can I work on this?

@gracenng
Member

Haven't gotten to it as I expected to. Please feel free to work on it
/unassign

@mrgiles
Contributor

mrgiles commented Apr 28, 2023

/assign

@mrgiles
Contributor

mrgiles commented May 1, 2023

FYI @sftim

@kranurag78

@mrgiles Apologies for not being able to review the PR. I am going through university exams, which end tomorrow. I just rushed through the changes that you made and you really did awesome work on this. I'll look more into this after the exams.
Thanks for working on this.
