Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add multi arch docker images #120

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add multi arch docker images #120

wants to merge 6 commits into from

Conversation

marcofranssen
Copy link
Member

@marcofranssen marcofranssen commented Jan 13, 2022
edited
Loading

This still needs verification when building a release. This was failing on the signing PR so separated this into a new PR to debug this part.

resolves #107
resolves #68

As we are only providing the image digest it seems the provenance is only attached to the image tags. v0.5.2-draft-amd64 and v0.5.2-draft-arm64v8.

$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft-amd64

Verification for ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft-amd64 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
{"payloadType":"https://slsa.dev/provenance/v0.2","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UiLCJkaWdlc3QiOnsic2hhMjU2IjoiNWQ2NzRkZTEyYzY4MzBhMzNjYTFiMWZlNzk2NDQ2OGVlOThhMWJkZGUyNjI4NDRlNzY5Nzg5N2JmOGU1YjljNyJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uL0F0dGVzdGF0aW9ucy9HaXRIdWJIb3N0ZWRBY3Rpb25zQHYxIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9BdHRlc3RhdGlvbnMvR2l0SHViQWN0aW9uc1dvcmtmbG93QHYxIiwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlLWFjdGlvbiIsImRpZ2VzdCI6eyJzaGExIjoiOTA1OWZjMTJmZGYwMzJiYmZlMjQ1NmM0NGVmYTY3NDA3NTU5ZTY2ZiJ9LCJlbnRyeVBvaW50IjoiQ29udGludW91cyBpbnRlZ3JhdGlvbiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiJodHRwczovL2dpdGh1Yi5jb20vcGhpbGlwcy1sYWJzL3Nsc2EtcHJvdmVuYW5jZS1hY3Rpb24vYWN0aW9ucy9ydW5zLzE3MjMzNTU5ODciLCJidWlsZEZpbmlzaGVkT24iOiIyMDIyLTAxLTIwVDEyOjQxOjMwWiIsImNvbXBsZXRlbmVzcyI6eyJwYXJhbWV0ZXJzIjp0cnVlLCJlbnZpcm9ubWVudCI6ZmFsc2UsIm1hdGVyaWFscyI6ZmFsc2V9LCJyZXByb2R1Y2libGUiOmZhbHNlfSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uIiwiZGlnZXN0Ijp7InNoYTEiOiI5MDU5ZmMxMmZkZjAzMmJiZmUyNDU2YzQ0ZWZhNjc0MDc1NTllNjZmIn19XX19","signatures":[{"keyid":"","sig":"MEYCIQCmxI/5im45L0JsKs4MLz8/GwRyxkqKUF7u/7HixZz7yAIhANZLF/YdhCq0tNezBitf0McSfpfgtLpLAoY8/wWn+e9K"}]}

$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft      
Error: no matching attestations:

main.go:46: error during command execution: no matching attestations:

So for the manifest tags v0.5.2-draft and the commit-hash we do not have the provenance as those tags are on the manifests.
It looks like there is another RepoDigest when pulling these images by manifest tags. See below the Digest for the amd64 platform. Not sure how this will be for the arm64v8.

$ docker manifest inspect ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft      
{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 1159,
         "digest": "sha256:5d674de12c6830a33ca1b1fe7964468ee98a1bdde262844e7697897bf8e5b9c7",
         "platform": {
            "architecture": "amd64",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 1159,
         "digest": "sha256:9a12783d47e0b03a0ad7cf996eb4d5f36627b1e073c832a6aa9a94b5fb5c182c",
         "platform": {
            "architecture": "arm64",
            "os": "linux"
         }
      }
   ]
}

Seems the digest for the pulled tag (in my case amd64 arch) is a different one as we have seen before.

$ docker inspect ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft                                 [
{
        "Id": "sha256:788f5d3ffed4f844e4288aae0d04fad8af5dc2e94e852019c166f2bb0a15a4f3",
        "RepoTags": [
            "ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft"
        ],
        "RepoDigests": [
            "ghcr.io/philips-labs/slsa-provenance@sha256:af08463f91a98c3f08083987dc1826eba302aeb110ae85b679a3859be2a25bea"
        ],
………………
…………………

@marcofranssen marcofranssen requested a review from a team as a code owner January 13, 2022 16:10
@codecov
Copy link

codecov bot commented Jan 13, 2022
edited
Loading

Codecov Report

Merging #120 (3645ec0) into main (dddb40e) will not change coverage.
The diff coverage is n/a.

❗ Current head 3645ec0 differs from pull request most recent head 14513f0. Consider uploading reports for the commit 14513f0 to get more accurate results

Impacted file tree graph

@@           Coverage Diff           @@
##             main     #120   +/-   ##
=======================================
  Coverage   77.54%   77.54%           
=======================================
  Files          15       15           
  Lines         610      610           
=======================================
  Hits          473      473           
  Misses         97       97           
  Partials       40       40
Flag Coverage Δ
unittests 77.54% <0.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dddb40e...14513f0. Read the comment docs.

@marcofranssen marcofranssen force-pushed the multi-arch-docker branch 5 times, most recently from eb07a18 to b8a7229 Compare January 14, 2022 15:36
JeroenKnoops
JeroenKnoops previously approved these changes Jan 14, 2022
View reviewed changes
@marcofranssen marcofranssen force-pushed the multi-arch-docker branch 11 times, most recently from 9059fc1 to 5f70311 Compare January 20, 2022 16:02
@marcofranssen
Copy link
Member Author

Cut out a new release to test. Using cosign v1.5.1 all seems to work now for signatures:

$ cosign verify --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft

Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"ghcr.io/philips-labs/slsa-provenance"},"image":{"docker-manifest-digest":"sha256:e5413487c74dd0f51d0b557d2000b70d860a24e8d172a77285194e27f7723a66"},"type":"cosign container image signature"},"optional":null}]

$ cosign verify --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64

Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"ghcr.io/philips-labs/slsa-provenance"},"image":{"docker-manifest-digest":"sha256:d71d2952d9d0e68113994db321e3ef76ea33a346cb0f189f4740ba363de6c723"},"type":"cosign container image signature"},"optional":null}]

$ cosign verify --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8 

Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"ghcr.io/philips-labs/slsa-provenance"},"image":{"docker-manifest-digest":"sha256:5125a5d75a6974ae1a7a22db54f6efaadd044fb420ae8e5864af47ebe3126a25"},"type":"cosign container image signature"},"optional":null}]

Thanks @priyawadhwa

For provenance attestations we still need to have a look at the manifest. This currently does not have a provenance attestation linked to it. Something we still need to resolve in the ci pipeline most probably.

$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft
Error: no matching attestations:

main.go:46: error during command execution: no matching attestations:

$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8

Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UiLCJkaWdlc3QiOnsic2hhMjU2IjoiNTEyNWE1ZDc1YTY5NzRhZTFhN2EyMmRiNTRmNmVmYWFkZDA0NGZiNDIwYWU4ZTU4NjRhZjQ3ZWJlMzEyNmEyNSJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uL0F0dGVzdGF0aW9ucy9HaXRIdWJIb3N0ZWRBY3Rpb25zQHYxIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9BdHRlc3RhdGlvbnMvR2l0SHViQWN0aW9uc1dvcmtmbG93QHYxIiwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlLWFjdGlvbiIsImRpZ2VzdCI6eyJzaGExIjoiZGRkNmMyZDYyOTI5ZTg3NjkyNjdkMDEzNjYyNTJkOTI2MDlkMWRiYiJ9LCJlbnRyeVBvaW50IjoiQ29udGludW91cyBpbnRlZ3JhdGlvbiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiJodHRwczovL2dpdGh1Yi5jb20vcGhpbGlwcy1sYWJzL3Nsc2EtcHJvdmVuYW5jZS1hY3Rpb24vYWN0aW9ucy9ydW5zLzE4NTg3ODA2MzIiLCJidWlsZEZpbmlzaGVkT24iOiIyMDIyLTAyLTE3VDEzOjE5OjQ1WiIsImNvbXBsZXRlbmVzcyI6eyJwYXJhbWV0ZXJzIjp0cnVlLCJlbnZpcm9ubWVudCI6ZmFsc2UsIm1hdGVyaWFscyI6ZmFsc2V9LCJyZXByb2R1Y2libGUiOmZhbHNlfSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uIiwiZGlnZXN0Ijp7InNoYTEiOiJkZGQ2YzJkNjI5MjllODc2OTI2N2QwMTM2NjI1MmQ5MjYwOWQxZGJiIn19XX19","signatures":[{"keyid":"","sig":"MEYCIQCczjSW728jVPHZaQ0QhjHNKZWq85ExHyz/6aVLzZmRlQIhAJR6rt+IFlaRFFj33vcrlrOHKetu+l+she9zga0w7sUv"}]}

$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64 

Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UiLCJkaWdlc3QiOnsic2hhMjU2IjoiZDcxZDI5NTJkOWQwZTY4MTEzOTk0ZGIzMjFlM2VmNzZlYTMzYTM0NmNiMGYxODlmNDc0MGJhMzYzZGU2YzcyMyJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uL0F0dGVzdGF0aW9ucy9HaXRIdWJIb3N0ZWRBY3Rpb25zQHYxIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9BdHRlc3RhdGlvbnMvR2l0SHViQWN0aW9uc1dvcmtmbG93QHYxIiwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlLWFjdGlvbiIsImRpZ2VzdCI6eyJzaGExIjoiZGRkNmMyZDYyOTI5ZTg3NjkyNjdkMDEzNjYyNTJkOTI2MDlkMWRiYiJ9LCJlbnRyeVBvaW50IjoiQ29udGludW91cyBpbnRlZ3JhdGlvbiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiJodHRwczovL2dpdGh1Yi5jb20vcGhpbGlwcy1sYWJzL3Nsc2EtcHJvdmVuYW5jZS1hY3Rpb24vYWN0aW9ucy9ydW5zLzE4NTg3ODA2MzIiLCJidWlsZEZpbmlzaGVkT24iOiIyMDIyLTAyLTE3VDEzOjE5OjQ2WiIsImNvbXBsZXRlbmVzcyI6eyJwYXJhbWV0ZXJzIjp0cnVlLCJlbnZpcm9ubWVudCI6ZmFsc2UsIm1hdGVyaWFscyI6ZmFsc2V9LCJyZXByb2R1Y2libGUiOmZhbHNlfSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uIiwiZGlnZXN0Ijp7InNoYTEiOiJkZGQ2YzJkNjI5MjllODc2OTI2N2QwMTM2NjI1MmQ5MjYwOWQxZGJiIn19XX19","signatures":[{"keyid":"","sig":"MEYCIQDSgWuGXT24YA2aqJXt029RwIqNvAmCbwNt9c0fVhDHVAIhAOKoSBb4QGd7STfNb/gEIQFHr9ErG6bqSBYjfgzur3WR"}]}

marcofranssen and others added 6 commits February 18, 2022 11:56
@marcofranssen @Brend-Smits
Add arm v8 version of containers
9b64d1d 
Co-authored-by: Brend Smits <[email protected]>
Signed-off-by: Marco Franssen <[email protected]>
@Brend-Smits @marcofranssen
Enable debugging of GoReleaser
6e3aa9a 
Signed-off-by: Brend Smits <[email protected]>
Signed-off-by: Marco Franssen <[email protected]>
@marcofranssen
debug goreleaser
d9397e1 
Signed-off-by: Marco Franssen <[email protected]>
@marcofranssen
Bump goreleaser to v1.3.1 in Makefile
eed8e86 
Signed-off-by: Marco Franssen <[email protected]>
@marcofranssen @Brend-Smits
Add task to makefile to retrieve manifest digests
d9e5a83 
Co-authored-by: Brend Smits <[email protected]>
Signed-off-by: Marco Franssen <[email protected]>
@marcofranssen
Update ci workflow for provenance on multi platform containers
14513f0 
Signed-off-by: Marco Franssen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JeroenKnoops JeroenKnoops JeroenKnoops left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Target multi platform docker images Multi architecture docker images
3 participants
@marcofranssen @JeroenKnoops @Brend-Smits