60 Replies
FYI I've done some testing of my own custom image using the PR in bluefin as a guide ( @Gerblesh @Robert (p5) you may be interested )
Here's my findings:
1) yes, I can sign my image with OIDC / keyless
2) sadly, the PR in Bluefin probably won't actually sign successfully as it attempts to sign tags not an imageURI, but I got it working in my custom image repo
3) yes, I can directly rebase from
ublue-os/silverblue-main to my oidc signed image with a URI like ostree-image-signed:docker://ghcr.io/bsherman/silverblue-custom:latest ... BUT!
4) because of our containers policy which has insecureAcceptAnything... it is actually doing a blind trust... I could just as easily rebase to an ancient image of mine which was not signed with OIDC
since that policy file is part of the ublue-os main repo, it'll impact any downstream trying to do this, given a false sense of security about validating the target rebase image
Here's an example of a rebase from stock upstream silverblue:
First establish status
Now attempt to rebase to an old image with generated keypair signing
Now attempt to rebase to new image with OIDC signing
Here's that first image again, failing oidc validation:
But the second succeeds:
I'm up WAY past my bedtime, but I'll look at this some more... I believe we need a policy to validate ublue-os images signed this way... which will improve our overall security, and... not give our users false sense of validation which seems to be happening at this time.That's some really good info. Thanks for finding this out!
I did a bit of looking for info on container policy.json and found some examples...
I haven't had a chance to test yet: https://www.mankier.com/5/containers-policy.json#Examples
containers-policy.json: syntax for the signature verification polic...
Signature verification policy files are used to specify policy, e.g.
For reference, where I'm signing in a workflow:
https://github.com/bsherman/ublue-custom/blob/main/.github/workflows/build.yml#L181-L191
tysm for looking into this!
@Luke Skywunker should we make a tracking issue for this on bluebuild?
Yes, it sounds like we'll still need to make changes to the policy.json. We'll just have to figure out some workflow on the user side to make it easier for them.
I can modify the signing module to check for no pubkey and use OIDC policy.json instead of the normal one
Oh do we have a special OIDC policy.json?
Ehh, we could still probably just use
yqOne is required in order to verify these images from rpm-ostree
It looks pretty straightforward
Judging from the reference sent
my eyes glazed over the other night, I was too tired 😄
And you can still directly rebase, even if it isn't verified
I'm worried about non-host OIDC images though
I wonder if we could incorporate updating the policy.json using
bluebuild to get it to trust the image source before we start the rebase processcorrect, but it's a bit of a lie, because the rpm-ostree process has a URI which indicates it has verified the image, but it has not
Since it gets baked in the image at
/usr/etc/containers/ that means it becomes available in /etc/containers/ and becomes "writeable"
There is a section in the policy.json for ostree. I wonder if setting that to be strict to the user's repo would allow rpm-ostree to properly verify the image before rebasingFair yeah
Is it a bug then?
Since it's
ostree-image-signeda bug in ublue maybe, but not in rpm-ostree itself, our
/etcc/containers/policy.json forces insecureAcceptAnything and that's why it passes
the way i read the example containers policy ddoc I sent... i think if ublue-os used oidc signing, we'd need something like this in our policy:
"default" is "reject" though
How do we get the fulcio cert?
I thought cosign only needs the oidc issuer and github ref to verify
correct... if you are starting from the default silverblue containers policy, rpm-ostree would correctly fail to rebase to
ostree-image-signed:docker://ghcr.io/ublue-os/foo-main:latest regardless of type of signing
i'm just reading the docs, i've not testedyet
also that link I shared is bascially the same content as man containers-policy.jsonDo you know?
there's a URL in the doc... i haven't pursued it further
GitHub
sigstore/pkg/tuf/repository/targets at main · sigstore/sigstore
Common go library shared across sigstore services and clients - sigstore/sigstore
GitHub
root-signing/repository/repository/root.json at main · sigstore/roo...
Contribute to sigstore/root-signing development by creating an account on GitHub.
put the following into my
policy.json and updating with rpm-ostree gave me this error:
cosign verify is working so the image is definitely signed
@Luke Skywunker got any ideas here?
I have both the certs:
this is all manual atm as i'm just trying to figure out what configuration actually works before I automate everything in the image buildI'm not sure. We might have to do some digging into the docs for rpm-ostree
getting somewhere
It now errors here:
I needed to specify to use sigstore attachments with
container-registries.d
like beforeSo I think it's looking for your git email
Or whatever email was used to run the action?
idk
this is what it gives me when I use
cosign verifyCould you use that instead of
subjectEmail? So it would be:
tried that, same error
got
[]string(nil) does this mean that there's no subject email?yet in the JSON it omits the config option when it's blank here:
https://github.com/containers/image/blob/afda0f0452d6b3fe41c99890ddfcff7b91aba123/signature/policy_types.go#L156
GitHub
image/signature/policy_types.go at afda0f0452d6b3fe41c99890ddfcff7b...
Work with containers' images. Contribute to containers/image development by creating an account on GitHub.
I haven't used go but does this mean that signature verification of keyless images signed in github actions doesn't work with skopeo?
might be missing something here
Maybe use this type of signing?
https://github.com/containers/image/blob/afda0f0452d6b3fe41c99890ddfcff7b91aba123/signature/policy_types.go#L111
GitHub
image/signature/policy_types.go at afda0f0452d6b3fe41c99890ddfcff7b...
Work with containers' images. Contribute to containers/image development by creating an account on GitHub.
Wait that's still part of it
Not used to reading golang
GitHub
image/signature/fulcio_cert.go at afda0f0452d6b3fe41c99890ddfcff7b9...
Work with containers' images. Contribute to containers/image development by creating an account on GitHub.
rip
Yeah....
@bsherman we hit a dead end here
we could try drafting up a PR that fixes this, but I know next to nothing about go
this is my concern with using OIDC github signing, I've yet to see how to validate from containers-policy.json...
and even if we can... I'm really don't believe this is a significant improvement over the keypair method
i guess it does remove the keypair generation step
it improves security yeah, and gets rid of the keypair step
that is, it would improve security if containers-policy.json supported it
i disagree that using oidc github signing is a signficant security improvement over keypairs...
I do agree that it removes a step from the signing process
bluebuild could totally add a workflow to update a user's policy.json before rebasing to their image
Buteven if we were to merge the functionality into
containers/image we'd have to wait for a release, skopeo to bump the library, and then rpm-ostree to bump skopeoThat dead end
I'll look and see if there are any open issues for this functionality
I wouldn't mind taking the time to figure out how to implement it
I do find the topic interesting... and I got involved here to test and validate the PR in bluefin.
But... at least on the ublue/bluefin/bazzite side of things... I don't see the current situation as a problem needing a fix.
My current main focus is improving the ublue CI processes to be more reliable.
yeah I understand, originally I thought containers-policy.json would automatically verify the signatures so it would've made rebasing easier, until you looked into it
yes, and i agree, if that had been the case, I would have helped make the change fairly quickly.
There's this issue which is kinda close https://github.com/containers/image/issues/2027
GitHub
Request for Sigstore signature verification enhancement and flexibi...
Currently, we are able to verify container images with sigstore signatures using public key/Fulcio/Rekor, as described here. However, there are additional verifications supported by cosign, such as...
Fully agreed. There needs to be more upstream changes before we can even encourage using keyless
time to switch back to public-private key pair for now I guess
might want to add a note that OIDC images can't be verified by
rpm-ostree with containers-policy.jsonYeah that's still the first tried option in
bluebuildI think keeping the signing logic is fine but we should outline that somewhere
Agreed
Thanks @bsherman for trying things out!
unfortunate we can't use OIDC signing but i'm really glad you were able to spot this!
otherwise we would've thought out images were being verified when in reality they weren't
One thing to note, and I'm about to test... I THINK one can SIGN with both methods, but only verify with keypair... so you could implement that
future proofing
Doing both, that's a good idea
GitHub
Accept URI for Sigstore Signed Images by lukewarmtemp · Pull Reques...
Fixes coreos/rpm-ostree#4272 (comment)
Allows for container images signatures with a URI instead of a email
address as the SAN. This is needed in certain cases such as using a github workflow to si...