Are these the correct 'release' containers for log_[signer,server]?

[vaikas]

Hey there, in Sigstore we use Trillian and we were wondering if these are the correct locations where the released containers go (there were questions, since they were under trillian-opensource-ci)?

https://console.cloud.google.com/gcr/images/trillian-opensource-ci/GLOBAL/log_server
https://console.cloud.google.com/gcr/images/trillian-opensource-ci/GLOBAL/log_signer

Also, would it be possible to add signatures for them (or if they already are, pointer to it) so that we can verify they were indeed generated by the trusted releases.

[cpanato]

To sign the image releases using Cloudbuild we will need to define from where the signing key will come, if will be from a generated one using cosign or if we will use a keyless approach, and then for that, we will need to have a service account with the creator token role.

I prefer the second option, but then we will need some one from google with the Trillian GCP project access to create it.

I can work on the Cloudbuild update to support that.

[JAORMX]

@AlCutter could you take a look at this?

[AlCutter]

Hi all, these images weren't really intended to be "release" images, they were more just for use in our CI environment which happened to also provide an easy way for folks to bring up a local instance for playing around with.

I guess doing "proper" signed release images is something we could look into, but we'd have to schedule that into our planning cycle.

[cpanato]

@AlCutter let me know where i can help! will be glad to do

[haydentherapper]

@mhutchinson A related issue to what we chatted about. It would be helpful to log deployers if they could use a canonical image rather than maintain their own.

Another alternative to Cloud Build would be using Goreleaser in a GitHub Actions workflow to cut and release containers. We've done this for some of the Sigstore projects, which will build both binaries and containers. Also it would be straightforward to sign the container with Cosign or generate provenance too.