Merge pull request #1454 from GoogleContainerTools/remove-kms-singing

remove kms singing of builds, keyless only
GoogleContainerTools · Nov 6, 2023 · 55218c7 · 55218c7
2 parents dad0141 + fda6987
commit 55218c7
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 18 deletions.
diff --git a/.cloudbuild/cloudbuild.yaml b/.cloudbuild/cloudbuild.yaml
@@ -16,7 +16,6 @@ steps:
       - COMMIT_SHA=${COMMIT_SHA}
       - REGISTRY=gcr.io
       - REMOTE_CACHE_GCS=${_REMOTE_CACHE_GCS_}
-      - KEY=${_KMS_VAL}
       - KEYLESS=keyless@${PROJECT_ID}.iam.gserviceaccount.com
     entrypoint: bash
     args: [".cloudbuild/release.sh"]
diff --git a/.cloudbuild/release.sh b/.cloudbuild/release.sh
@@ -21,4 +21,4 @@ echo "common --announce_rc" >> ~/.bazelrc
 for i in $(seq 5); do 
     bazel cquery 'kind(merge_providers, deps(kind(oci_image, ...)))' --output=label --config=release && break || sleep 20;
 done
-bazel run :sign_and_push --config=release -- --key $KEY --keyless $KEYLESS
+bazel run :sign_and_push --config=release -- --keyless $KEYLESS
diff --git a/README.md b/README.md
@@ -64,16 +64,18 @@ Any other tags are considered deprecated and are no longer updated
 All distroless images are signed by [cosign](https://github.com/sigstore/cosign).
 We recommend verifying any distroless image you use before building your image.
 
-#### Keyless (recommended)
-Distroless images are signed with cosign in keyless mode.  You can verify the keyless signature of any distroless image with:
+#### Keyless
+Distroless images are signed with cosign in keyless mode, this is the only supported mechanism starting November 2023.  You can verify the keyless signature of any distroless image with:
 
 ```
 cosign verify $IMAGE_NAME --certificate-oidc-issuer https://accounts.google.com  --certificate-identity [email protected]
 ```
 
-#### Key (no tlog, deprecated, EOL Sept 2023)
+#### Key (DEPRECATED)
 Verifying using the distroless keys is deprecated in favor of keyless. These signing events are not uploaded to the transparency log. You can use the [distroless public key](cosign.pub) to verify any distroless image with:
 
+Images built after November 2023 will not be verifyable with `cosign.pub`, use keyless signature verification
+
 ```
 cat cosign.pub
 -----BEGIN PUBLIC KEY-----

diff --git a/private/oci/sign_and_push.bzl b/private/oci/sign_and_push.bzl
@@ -12,13 +12,10 @@ tag="$(stamp "{TAG}")"
 "$(realpath {PUSH_CMD})" --repository "$repository"
 
 # Attest the sbom
-[[ -n $KEYLESS ]] && GOOGLE_SERVICE_ACCOUNT_NAME="$KEYLESS" "$(realpath {ATTEST_CMD})" --repository "$repository" --yes
+GOOGLE_SERVICE_ACCOUNT_NAME="$KEYLESS" "$(realpath {ATTEST_CMD})" --repository "$repository" --yes
 
 # Sign keyless by using an identity
-[[ -n $KEYLESS ]] && GOOGLE_SERVICE_ACCOUNT_NAME="$KEYLESS" "$(realpath {SIGN_CMD})" --repository "$repository" --yes
-
-# Sign the image
-"$(realpath {SIGN_CMD})" --repository "$repository" --key "$KEY" --tlog-upload=false
+GOOGLE_SERVICE_ACCOUNT_NAME="$KEYLESS" "$(realpath {SIGN_CMD})" --repository "$repository" --yes
 
 # Tag the image
 "$(realpath {PUSH_CMD})" --repository "$repository" --tag "$tag"

diff --git a/private/oci/sign_and_push.sh.tpl b/private/oci/sign_and_push.sh.tpl
@@ -1,16 +1,11 @@
 #!/usr/bin/env bash
 set -o pipefail -o errexit -o nounset
 
-KEY="${KEY:-}"
 KEYLESS="${KEYLESS:-}"
 EXPORT=""
 
 while (( $# > 0 )); do
   case $1 in
-    (--key)
-      KEY="$2"
-      shift
-      shift;;
     (--keyless)
       KEYLESS="$2"
       shift
@@ -26,8 +21,8 @@ while (( $# > 0 )); do
   esac
 done
 
-if [ -z $KEY ]; then
-  echo "--key flag or KEY environment variable must be provided"
+if [ -z $KEYLESS ]; then
+  echo "--keyless flag or KEYLESS environment variable must be provided"
   exit 1
 fi
 
@@ -51,4 +46,4 @@ function stamp() {
 
 echo ""
 echo "👌 Finished pushing & signing"
-echo ""
+echo ""