
Draft implementation of sigstore for alpine images #983

Open
wants to merge 2 commits into base: master

Conversation

sspans-sbp
Contributor

All supported python releases now have associated sigstore files available.

This enables sigstore verification in the alpine images using cosign.
Unfortunately, cosign 2.4+ is required, which is only available in edge; the package seems to work fine on 3.19/3.20.

Cosign is removed once the build completes.

@tianon
Member

tianon commented Oct 18, 2024

Thank you for working on this! Unfortunately, mixing Alpine releases with packages from Edge is going to be something we're not comfortable with -- it often works, but it also often breaks, and the transition between those is usually unexpected and without warning, so we avoid using Edge entirely as a result. 😞

@sspans

sspans commented Oct 18, 2024

Totally understandable and exactly why I marked this as a draft.
And this independently verified your points mentioned in #977.

However a068d81 is probably worth merging.

@tianon
Member

tianon commented Oct 18, 2024

> However a068d81 is probably worth merging.

Can you elaborate? I left that in when I made #978 because I'd already done the work and it does work, so even if unused, it should be harmless (and I'm still not totally convinced extracting the SHA256 from the sigstore bundles is a great solution to simply getting checksums). It also gives us a fallback if the sigstore bundles happen to start using a different hash type (although I don't think that's actually a very likely scenario right now).

I'd actually love to improve our confidence in my really hacky extraction of the signature from the sigstore bundles by cross-referencing the SBOM explicitly, but I'd prefer even more to have officially published upstream checksums in a form that's intended for consumption (and then I'd remove both means of scraping a checksum from other data sources).
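The comment above treats the SHA256 carried inside a sigstore bundle as a checksum source and notes a lack of confidence in a loose extraction. The Python below is an added example, not code from this PR or from the docker-python repository, of a strict extraction: it assumes the Sigstore bundle layout `messageSignature.messageDigest.{algorithm,digest}` with a base64-encoded digest (an assumption about the format, not something the thread states), rejects unknown algorithms and wrong-length digests instead of guessing, and compares the artifact against the extracted digest. The sample artifact and bundle are constructed placeholders. The digest is only as trustworthy as the signature over it, so this complements, and does not replace, verifying the bundle with cosign first.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample artifact (stands in for a release tarball) and a minimal
# sigstore-style bundle for it. Field names follow the Sigstore bundle format
# as assumed here (messageSignature.messageDigest.{algorithm,digest}); the
# signature and verificationMaterial are placeholders, not real values.
SAMPLE_ARTIFACT = b"constructed placeholder standing in for Python-X.Y.Z.tar.xz\n"


def _bundle(algorithm: str, digest_b64: str) -> str:
    """Build a constructed bundle JSON string with the given digest fields."""
    return json.dumps({
        "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
        "verificationMaterial": {"placeholder": "not a real certificate chain"},
        "messageSignature": {
            "messageDigest": {"algorithm": algorithm, "digest": digest_b64},
            "signature": base64.b64encode(b"placeholder-signature").decode(),
        },
    })


SAMPLE_BUNDLE = _bundle(
    "SHA2_256",
    base64.b64encode(hashlib.sha256(SAMPLE_ARTIFACT).digest()).decode(),
)
# Same shape, but the bundle claims an algorithm this checker does not know
# (the digest bytes are a constructed dummy value).
UNKNOWN_ALGO_BUNDLE = _bundle("MD5", base64.b64encode(b"\x00" * 16).decode())

# Bundle algorithm names -> hashlib names. Anything else is rejected, so a
# change in what upstream publishes fails the build instead of being misread.
SUPPORTED_ALGORITHMS = {"SHA2_256": "sha256", "SHA2_384": "sha384", "SHA2_512": "sha512"}


def digest_from_bundle(bundle_json: str) -> tuple[str, str]:
    """Return (hashlib name, hex digest) taken from the bundle's messageDigest.

    The digest is only as trustworthy as the signature over it: this is a
    checksum source, not a substitute for verifying the bundle with cosign
    (or another sigstore verifier) first.
    """
    bundle = json.loads(bundle_json)
    try:
        message_digest = bundle["messageSignature"]["messageDigest"]
        algorithm = message_digest["algorithm"]
        raw = base64.b64decode(message_digest["digest"], validate=True)
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError(f"bundle has no usable messageDigest: {exc}") from exc
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported digest algorithm in bundle: {algorithm!r}")
    name = SUPPORTED_ALGORITHMS[algorithm]
    expected_len = hashlib.new(name).digest_size
    if len(raw) != expected_len:
        raise ValueError(f"{algorithm} digest is {len(raw)} bytes, expected {expected_len}")
    return name, raw.hex()


def verify_checksum(artifact: bytes, bundle_json: str) -> str:
    """Compare the artifact against the bundle's digest.

    Returns "ok", "mismatch", or "rejected: <reason>" when the bundle cannot be
    interpreted safely (missing fields, unknown algorithm, wrong digest length).
    """
    try:
        name, expected_hex = digest_from_bundle(bundle_json)
    except ValueError as exc:
        return f"rejected: {exc}"
    actual_hex = hashlib.new(name, artifact).hexdigest()
    # Constant-time comparison is cheap insurance even for public checksums.
    return "ok" if hmac.compare_digest(actual_hex, expected_hex) else "mismatch"


if __name__ == "__main__":
    print("untampered artifact:", verify_checksum(SAMPLE_ARTIFACT, SAMPLE_BUNDLE))
    print("tampered artifact:  ", verify_checksum(SAMPLE_ARTIFACT + b"x", SAMPLE_BUNDLE))
    print("unknown algorithm:  ", verify_checksum(SAMPLE_ARTIFACT, UNKNOWN_ALGO_BUNDLE))
```

The point of the explicit `SUPPORTED_ALGORITHMS` table and the length check is the fallback concern raised above: if the published bundles ever switch hash type, this fails loudly rather than silently comparing the wrong digest.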


3 participants