
Are these the correct 'release' containers for log_[signer,server]? #2817

Open
vaikas opened this issue Sep 21, 2022 · 5 comments

Comments

@vaikas
Contributor

vaikas commented Sep 21, 2022

Hey there, in Sigstore we use Trillian and we were wondering if these are the correct locations where the released containers go (there were questions, since they were under trillian-opensource-ci)?

https://console.cloud.google.com/gcr/images/trillian-opensource-ci/GLOBAL/log_server
https://console.cloud.google.com/gcr/images/trillian-opensource-ci/GLOBAL/log_signer

Also, would it be possible to add signatures for them (or, if they already are signed, a pointer to it) so that we can verify they were indeed generated by the trusted releases?

@cpanato
Contributor

cpanato commented May 30, 2023

To sign the image releases using Cloudbuild we will need to define where the signing key will come from: whether it will be a generated one using cosign, or whether we will use a keyless approach. For the latter we will need to have a service account with the creator token role.

I prefer the second option, but then we will need someone from Google with access to the Trillian GCP project to create it.

I can work on the Cloudbuild update to support that.

@JAORMX
Collaborator

JAORMX commented May 30, 2023

@AlCutter could you take a look at this?

@AlCutter
Member

AlCutter commented Jun 6, 2023

Hi all, these images weren't really intended to be "release" images, they were more just for use in our CI environment which happened to also provide an easy way for folks to bring up a local instance for playing around with.

I guess doing "proper" signed release images is something we could look into, but we'd have to schedule that into our planning cycle.

@cpanato
Contributor

cpanato commented Jul 6, 2023

@AlCutter let me know where I can help! Will be glad to do so.

@haydentherapper

@mhutchinson A related issue to what we chatted about. It would be helpful to log deployers if they could use a canonical image rather than maintain their own.

Another alternative to Cloud Build would be using Goreleaser in a GitHub Actions workflow to cut and release containers. We've done this for some of the Sigstore projects, which will build both binaries and containers. Also it would be straightforward to sign the container with Cosign or generate provenance too.
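A release pipeline of the kind the last comment proposes (GoReleaser in a GitHub Actions workflow, with the images signed keylessly by Cosign), as an added example that is not part of this thread or of the Trillian project. Both files below are hypothetical; the registry, `ORG`, image names, Dockerfile names and package paths are placeholders, and the `id-token: write` permission is what lets the job obtain the OIDC token that keyless signing needs.

```yaml
# .github/workflows/release.yml  (hypothetical)
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: write    # publish the GitHub release
  packages: write    # push images to ghcr.io (assumed registry)
  id-token: write    # OIDC token: required for keyless Cosign signing
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0             # GoReleaser needs tags and history
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: sigstore/cosign-installer@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: goreleaser/goreleaser-action@v5
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
---
# .goreleaser.yaml  (hypothetical; ORG and package paths are placeholders)
builds:
  - id: log_server
    main: ./cmd/log_server          # placeholder package path
    env: [CGO_ENABLED=0]
    goos: [linux]
    goarch: [amd64]
dockers:
  - ids: [log_server]
    image_templates: ["ghcr.io/ORG/log_server:{{ .Version }}"]
    dockerfile: Dockerfile.log_server   # placeholder
docker_signs:
  - cmd: cosign
    artifacts: images
    output: true
    # keyless: the signer is the workflow's OIDC identity, recorded in the
    # Fulcio certificate and in the Rekor transparency log, not a long-lived key
    args: ["sign", "${artifact}@${digest}", "--yes"]
```

A consumer then verifies a pulled image with `cosign verify`, pinning `--certificate-oidc-issuer https://token.actions.githubusercontent.com` and `--certificate-identity` (or `--certificate-identity-regexp`) to the release workflow's URL, which ties the signature to that pipeline rather than to whoever holds a key.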
