25 changes: 21 additions & 4 deletions .github/workflows/build.yml
@@ -86,6 +86,27 @@ jobs:
sep-tags: " "
sep-annotations: " "

- name: Install Cosign
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)

# With cosign we can verify the authenticity of the upstream image.
# This is highly recommended to ensure the upstream wasn't tampered with.
# This can fail through a key mismatch or upstream image not being signed.
#
# We find the upstream image by checking the 'FROM' field.
- name: Verify upstream container image
Member

I'm hesitating to do this in the workflow.

If we are doing this in the workflow, we could reuse our cosign verify action that RJ made. https://github.com/EyeCantCU/cosign-action/blob/main/verify/action.yml

That said, it hasn't been updated in months.


Contributor Author

I feel like we could make this owned by the org or some org at least to reduce bus factor. Can check with the repo maintainer maybe?


Contributor

We can put this in the org, but someone should check to see if this should live in the sigstore space? Surely we can't be the only ones who need this? cc @EyeCantCU

Hey all. The actions there are still up to date and leverage the latest version of cosign. There hasn't been much of a reason to expand on what's there. I'll check in with folks at sigstore and see if they want to host these actions in their org. If not, we can move them into the org.

Contributor Author

Awesome, thanks @EyeCantCU! Would reduce bus factor for sure :D

Any news here @EyeCantCU? Think this PR here sounds worthwhile.

if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
shell: bash
run: |
set -oue pipefail
echo "Get upstream image tag"
image=$(grep -i '^FROM.*:\S*' "./Containerfile" | awk '{print $2}')
echo "Using Cosign to verify image"
cosign verify \
--key https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub \
"${image}"

- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
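Review bot: the line `image=$(grep -i '^FROM.*:\S*' "./Containerfile" | awk '{print $2}')` in the new verify step only behaves for a Containerfile with a single plain `FROM repo:tag` line. A multi-stage file matches several `FROM` lines, so `image` becomes a newline-joined string and `cosign verify "${image}"` is handed a single garbled reference; a `FROM --platform=... repo:tag` line puts the flag rather than the image in `$2`; and a `FROM ${BASE_IMAGE}` line is passed through unexpanded. Consider selecting one `FROM` line deliberately (for example the last one, via `tail -n1`) and skipping `--` options before taking the reference, or deriving the base image from one declared variable and verifying that. Two related caveats worth a comment in the step: the image is verified by tag here, while `buildah-build` resolves the same tag again when it builds, so the content verified and the content built upon can differ if the tag moves in between (cosign's output carries the verified manifest digest, which could be fed to the build as the base reference instead); and `--key https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub` fetches the trust root from a mutable branch at run time, so vendoring the key into this repository, or pinning the URL to a commit, keeps the root of trust under this repo's control.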
@@ -165,10 +186,6 @@ jobs:
# your project for others to consume. You will need to create a public and private key
# using Cosign and save the private key as a repository secret in Github for this workflow
# to consume. For more details, review the image signing section of the README.
- name: Install Cosign
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)

- name: Sign container image
if: github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
run: |
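Review bot: with the `Install Cosign` step deleted from this position, the `Sign container image` step now depends on cosign having been installed by the copy of that step moved earlier in the job, and that only holds because both steps carry the identical `if:` expression (`github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)`). A one-line comment at the sign step saying that cosign is installed earlier for the upstream verification, or hoisting the condition to a single job-level expression, would make the dependency explicit so that a later edit to one condition does not leave the other step running without cosign.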