Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Enhancement] Document the verification of attestations produced from private GitHub repositories #1435

Open
EtienneDufresne opened this issue Nov 12, 2024 · 1 comment
Open

[Enhancement] Document the verification of attestations produced from private GitHub repositories #1435

EtienneDufresne opened this issue Nov 12, 2024 · 1 comment
Assignees
@vishal-chdhry
Labels
enhancement New feature or request

Comments

@EtienneDufresne
Copy link

EtienneDufresne commented Nov 12, 2024
edited
Loading

Description

The verifying sigstore bundles section of the documentation is specific to public GitHub repositories where the official Sigstore instance is used.

If the attestation is produced from a private GitHub repo (and for a private artifact), the GitHub Sigstore instance is used and there are no transparency logs as stated here.

For kyverno to be able to verify such attestations, its helm values.yaml must have this override:

features:
  tuf:
    enabled: true
    mirror: https://tuf-repo.github.com
    rootRaw: <set to https://github.com/github/artifact-attestations-helm-charts/blob/main/charts/trust-policies/templates/trustroot-github.yaml#L8-L9>

In the ClusterPolicy, the attestation keyless attestor entry's rekor value must be updated to point to the GitHub Signstore Fulcio instance and set to ignore the transparency logs:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
  name: sigstore-attestation-verification
spec:
  background: false
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: sigstore-attestation-verification
    verifyImages:
    - imageReferences:
      - "*"
      type: SigstoreBundle
      attestations:
      - attestors:
        - entries:
          - keyless:
              issuer: https://token.actions.githubusercontent.com
              subject: https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main
              rekor:
                ignoreTlog: true
                url: https://fulcio.githubapp.com
        conditions:
        - all:
          - key: '{{ buildDefinition.buildType }}'
            operator: Equals
            value: https://actions.github.io/buildtypes/workflow/v1
        type: https://slsa.dev/provenance/v1

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1720769654925739
@EtienneDufresne EtienneDufresne added the enhancement New feature or request label Nov 12, 2024
@welcome Welcome
Copy link

welcome bot commented Nov 12, 2024

Thanks for opening your first issue here! Be sure to follow the issue template!

@EtienneDufresne EtienneDufresne mentioned this issue Nov 18, 2024
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vishal-chdhry vishal-chdhry

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@EtienneDufresne @vishal-chdhry