feat: Verify upstream image by Venefilyn · Pull Request #102 · ublue-os/image-template

Venefilyn · 2025-05-05T15:05:31Z

If the upstream image is tampered with we should automatically fail the
image build and prevent any futher security breaches.

This is not foolproof as the implementation grabs the public key from a
git repository instead of locally, but it will ensure that the key from
the git repository did sign the image.

Fixes: #25
Co-authored-by: XLion xlion@xlion.tw
Signed-off-by: Freya Gustavsson freya@venefilyn.se

If the upstream image is tampered with we should automatically fail the image build and prevent any futher security breaches. This is not foolproof as the implementation grabs the public key from a git repository instead of locally, but it will ensure that the key from the git repository did sign the image. Fixes: ublue-os#25 Co-authored-by: XLion <xlion@xlion.tw> Signed-off-by: Freya Gustavsson <freya@venefilyn.se>

m2Giles · 2025-06-09T01:38:01Z

.github/workflows/build.yml

+      # This can fail through a key mismatch or upstream image not being signed.
+      #
+      # We find the upstream image by checking the 'FROM' field.
+      - name: Verify upstream container image


I'm hesitating to do this in the workflow.

If we are doing this in the workflow, we could reuse our cosign verify action that RJ made. https://github.com/EyeCantCU/cosign-action/blob/main/verify/action.yml

That said, it hasn't been updated in months.

I feel like we could make this owned by the org or some org at least to reduce bus factor. Can check with the repo maintainer maybe?

We can put this in the org but someone should check to see if this should live in the sigstore space? Surely we can't be the only one who needs this? cc @EyeCantCU

Hey all. The actions there are still up to date and leverage the latest version of cosign. There hasn't been much of a reason to expand on what's there. I'll check in with folks at sigstore and see if they want to host these actions in their org. If not, we can move them in org

Awesome, thanks @EyeCantCU! Would reduce bus factor for sure :D

Any news here @EyeCantCU? Think this PR here sounds worthwhile.

rugk

This looks like a great idea, IMHO!

dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label May 5, 2025

Venefilyn force-pushed the feat/verify-upstream branch from 3f4e9f6 to a42a285 Compare May 5, 2025 15:07

dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. enhancement New feature or request and removed size:M This PR changes 30-99 lines, ignoring generated files. labels May 5, 2025

m2Giles reviewed Jun 9, 2025

View reviewed changes

rugk approved these changes Sep 2, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Verify upstream image#102

feat: Verify upstream image#102
Venefilyn wants to merge 1 commit intoublue-os:mainfrom
Venefilyn:feat/verify-upstream

Venefilyn commented May 5, 2025

Uh oh!

m2Giles Jun 9, 2025

Uh oh!

Venefilyn Jun 10, 2025

Uh oh!

castrojo Jun 13, 2025

Uh oh!

EyeCantCU Jun 18, 2025

Uh oh!

Venefilyn Jun 19, 2025

Uh oh!

rugk Feb 26, 2026

Uh oh!

rugk left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

Venefilyn commented May 5, 2025

Uh oh!

m2Giles Jun 9, 2025

Choose a reason for hiding this comment

Uh oh!

Venefilyn Jun 10, 2025

Choose a reason for hiding this comment

Uh oh!

castrojo Jun 13, 2025

Choose a reason for hiding this comment

Uh oh!

EyeCantCU Jun 18, 2025

Choose a reason for hiding this comment

Uh oh!

Venefilyn Jun 19, 2025

Choose a reason for hiding this comment

Uh oh!

rugk Feb 26, 2026

Choose a reason for hiding this comment

Uh oh!

rugk left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants