diff --git a/.cloudbuild/cloudbuild.yaml b/.cloudbuild/cloudbuild.yaml
index 45f069f35..120cb3e2f 100644
--- a/.cloudbuild/cloudbuild.yaml
+++ b/.cloudbuild/cloudbuild.yaml
@@ -16,7 +16,6 @@ steps:
 - COMMIT_SHA=${COMMIT_SHA}
 - REGISTRY=gcr.io
 - REMOTE_CACHE_GCS=${_REMOTE_CACHE_GCS_}
- - KEY=${_KMS_VAL}
 - KEYLESS=keyless@${PROJECT_ID}.iam.gserviceaccount.com
 entrypoint: bash
 args: [".cloudbuild/release.sh"]
diff --git a/.cloudbuild/release.sh b/.cloudbuild/release.sh
index 48bcdfa94..b734e6fe8 100644
--- a/.cloudbuild/release.sh
+++ b/.cloudbuild/release.sh
@@ -21,4 +21,4 @@ echo "common --announce_rc" >> ~/.bazelrc
 for i in $(seq 5); do bazel cquery 'kind(merge_providers, deps(kind(oci_image, ...)))' --output=label --config=release && break || sleep 20; done
-bazel run :sign_and_push --config=release -- --key $KEY --keyless $KEYLESS
+bazel run :sign_and_push --config=release -- --keyless $KEYLESS
diff --git a/README.md b/README.md
index 42496ee33..40f79c58f 100644
--- a/README.md
+++ b/README.md
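Review bot: The rewritten `bazel run` line still passes `$KEYLESS` unquoted, so an empty or whitespace-containing value changes the argument list that sign_and_push sees instead of reaching its `--keyless` check intact; quote it: `bazel run :sign_and_push --config=release -- --keyless "$KEYLESS"`. Because the template in this commit also reads the value from the KEYLESS environment variable, the flag could be dropped entirely, but quoting is the minimal fix. The retry loop above it is unchanged context; as written it appears to fall through after five failed cquery attempts without failing the script, which the commit does not address.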
@@ -64,16 +64,18 @@ Any other tags are considered deprecated and are no longer updated
 All distroless images are signed by [cosign](https://github.com/sigstore/cosign). We recommend verifying any distroless image you use before building your image.
-#### Keyless (recommended)
-Distroless images are signed with cosign in keyless mode. You can verify the keyless signature of any distroless image with:
+#### Keyless
+Distroless images are signed with cosign in keyless mode, this is the only supported mechanism starting November 2023. You can verify the keyless signature of any distroless image with:
 ```
 cosign verify $IMAGE_NAME --certificate-oidc-issuer https://accounts.google.com --certificate-identity keyless@distroless.iam.gserviceaccount.com
 ```
-#### Key (no tlog, deprecated, EOL Sept 2023)
+#### Key (DEPRECATED)
 Verifying using the distroless keys is deprecated in favor of keyless. These signing events are not uploaded to the transparency log. You can use the [distroless public key](cosign.pub) to verify any distroless image with:
+Images built after November 2023 will not be verifyable with `cosign.pub`, use keyless signature verification
+
 ```
 cat cosign.pub
 -----BEGIN PUBLIC KEY-----
diff --git a/private/oci/sign_and_push.bzl b/private/oci/sign_and_push.bzl
index 587256086..443d83728 100644
--- a/private/oci/sign_and_push.bzl
+++ b/private/oci/sign_and_push.bzl
@@ -12,13 +12,10 @@ tag="$(stamp "{TAG}")"
 "$(realpath {PUSH_CMD})" --repository "$repository"
 # Attest the sbom
-[[ -n $KEYLESS ]] && GOOGLE_SERVICE_ACCOUNT_NAME="$KEYLESS" "$(realpath {ATTEST_CMD})" --repository "$repository" --yes
+GOOGLE_SERVICE_ACCOUNT_NAME="$KEYLESS" "$(realpath {ATTEST_CMD})" --repository "$repository" --yes
 # Sign keyless by using an identity
-[[ -n $KEYLESS ]] && GOOGLE_SERVICE_ACCOUNT_NAME="$KEYLESS" "$(realpath {SIGN_CMD})" --repository "$repository" --yes
-
-# Sign the image
-"$(realpath {SIGN_CMD})" --repository "$repository" --key "$KEY" --tlog-upload=false
+GOOGLE_SERVICE_ACCOUNT_NAME="$KEYLESS" "$(realpath {SIGN_CMD})" --repository "$repository" --yes
 # Tag the image
 "$(realpath {PUSH_CMD})" --repository "$repository" --tag "$tag"
diff --git a/private/oci/sign_and_push.sh.tpl b/private/oci/sign_and_push.sh.tpl
index fca0e23b3..49aeb5cfb 100644
--- a/private/oci/sign_and_push.sh.tpl
+++ b/private/oci/sign_and_push.sh.tpl
@@ -1,16 +1,11 @@
 #!/usr/bin/env bash
 set -o pipefail -o errexit -o nounset
-KEY="${KEY:-}"
 KEYLESS="${KEYLESS:-}"
 EXPORT=""
 while (( $# > 0 )); do
 case $1 in
- (--key)
- KEY="$2"
- shift
- shift;;
 (--keyless)
 KEYLESS="$2"
 shift
@@ -26,8 +21,8 @@ while (( $# > 0 )); do
 esac
 done
-if [ -z $KEY ]; then
- echo "--key flag or KEY environment variable must be provided"
+if [ -z $KEYLESS ]; then
+ echo "--keyless flag or KEYLESS environment variable must be provided"
 exit 1
 fi
@@ -51,4 +46,4 @@ function stamp() {
 echo ""
 echo "👌 Finished pushing & signing"
-echo ""
\ No newline at end of file
+echo ""
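Review bot: With the `[[ -n $KEYLESS ]]` guards removed, the two new `GOOGLE_SERVICE_ACCOUNT_NAME="$KEYLESS"` lines run unconditionally, and the only thing keeping an empty identity away from the attest and sign steps is the `-z` check in sign_and_push.sh.tpl, which is worth recording above the attest line, e.g. `# Attest the sbom (keyless; KEYLESS is checked non-empty by the template preamble)`. Dropping the `--tlog-upload=false` line also means the remaining signatures presumably go to the transparency log under cosign's default, as the README in this commit states for keyless; a comment such as `# Sign keyless by using an identity; the signature is recorded in the transparency log` keeps that visible to the next maintainer. The template string that holds these lines begins and ends outside the hunk.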
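Review bot: `if [ -z $KEYLESS ]; then` leaves the expansion unquoted, so a value containing whitespace makes `[` fail with "too many arguments" instead of testing emptiness, and the empty case only passes because `[ -z ]` happens to evaluate the lone string `-z` as true; write `if [[ -z "$KEYLESS" ]]; then` (the file is already bash per the shebang in the first hunk). The diagnostic on the next line goes to stdout; send it to stderr with `echo "--keyless flag or KEYLESS environment variable must be provided" >&2`. This check is now the sole guard before the keyless attest and sign steps, since sign_and_push.bzl in the same commit drops its own `[[ -n $KEYLESS ]]` tests. The script continues outside the hunk.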