From 42664cf057f94deba410dc739e0a73a43efdc19a Mon Sep 17 00:00:00 2001
From: dtrai2
Date: Mon, 16 Dec 2024 11:08:40 +0100
Subject: [PATCH 01/10] add signing to action

---
 .github/workflows/ci.yml | 18 +++++++++++++++---
 ...> publish-latest-dev-release-to-github.yml} | 0
 2 files changed, 15 insertions(+), 3 deletions(-)
 rename .github/workflows/{publish-latest-dev-release-to-pypi.yml => publish-latest-dev-release-to-github.yml} (100%)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7d60e4a0d..7f451d91b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -126,7 +126,7 @@ jobs:
 - name: Ensure logprep is available in image
 run: |
 docker run --rm ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} --version
-
+
 # This step will build the image again, but every layer will already be cached, so it is nearly instantaneous.
 - name: Push image
 uses: docker/build-push-action@v5
@@ -138,7 +138,7 @@ jobs:
 PYTHON_VERSION=${{ matrix.python-version }}
 tags: |
 ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
-
+
 # To avoid the trivy-db becoming outdated, we save the cache for one day
 - name: Get date
 id: date
@@ -151,7 +151,7 @@ jobs:
 key: trivy-cache-${{ steps.date.outputs.date }}
 restore-keys: trivy-cache-
-
+
 - name: Scan image using Trivy
 uses: aquasecurity/trivy-action@0.24.0
 env:
@@ -166,3 +166,15 @@ jobs:
 # So we need to change the permissions before caching the database.
 - name: Change permissions for trivy.db
 run: sudo chmod 0644 ./cache/db/trivy.db
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.7.0
+ with:
+ cosign-release: 'v2.4.1'
+
+ - name: Sign image with a key
+ run: |
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
+ env:
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
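Review bot: The added `Sign image with a key` step signs pull-request builds (`${{ github.head_ref }}` is only populated on `pull_request` events) with the same `COSIGN_PRIVATE_KEY` whose public half the later README patches publish for release verification, so a verifier using that key cannot distinguish a branch build from a release. Consider gating the step, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, since `secrets.*` are empty for pull requests from forks and the step would fail there anyway, and consider a separate key (or keyless signing) for non-release images. Both new actions are pinned by tag (`sigstore/cosign-installer@v3.7.0`, `docker/build-push-action@v5`); for a step that handles the signing key, pinning to a commit SHA is the usual practice. The `jobs:` mapping enclosing these steps starts outside the hunk.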
diff --git a/.github/workflows/publish-latest-dev-release-to-pypi.yml b/.github/workflows/publish-latest-dev-release-to-github.yml
similarity index 100%
rename from .github/workflows/publish-latest-dev-release-to-pypi.yml
rename to .github/workflows/publish-latest-dev-release-to-github.yml

From 00fbb3e76937097bb7cf32cad30e19165159167f Mon Sep 17 00:00:00 2001
From: dtrai2
Date: Mon, 16 Dec 2024 11:19:39 +0100
Subject: [PATCH 02/10] use digest

---
 .github/workflows/ci.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7f451d91b..6101c8f95 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -129,7 +129,8 @@ jobs:
 # This step will build the image again, but every layer will already be cached, so it is nearly instantaneous.
 - name: Push image
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v6
+ id: build-and-push
 with:
 context: .
 push: true
@@ -174,7 +175,8 @@ jobs:
 - name: Sign image with a key
 run: |
- cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@{{ DIGEST }}
 env:
 COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}

From 5fecf3dd43d2cc92cef921b344033167bc752a8b Mon Sep 17 00:00:00 2001
From: dtrai2
Date: Mon, 16 Dec 2024 11:23:24 +0100
Subject: [PATCH 03/10] fix digest ref

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6101c8f95..291667370 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -175,7 +175,7 @@ jobs:
 - name: Sign image with a key
 run: |
- cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@{{ DIGEST }}
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ DIGEST }}
 env:
 COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

From a579ceeea23629067597fcde25023f9648f5510c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Zimmermann?=
Date: Mon, 16 Dec 2024 11:28:08 +0100
Subject: [PATCH 04/10] add cosign pub key

---
 README.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/README.md b/README.md
index 10b4fd2ed..2f7220db5 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,15 @@
 ![GitHub Repo stars](https://img.shields.io/github/stars/fkie-cad/logprep?style=social)
+## validating the image
+
+```
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgkQXDi/N4TDFE2Ao0pulOFfbGm5g
+kVtARE+LJfSFI25BanOG9jaxxRGVt+Sa1KtQbMcy7Glxu0s7XgD9VFGjTA==
+-----END PUBLIC KEY-----
+```
+
 ## Introduction
 Logprep allows to collect, process and forward log messages from various data sources.

From 0f695573a469f5a4a3781028e99b031e4b9dbf00 Mon Sep 17 00:00:00 2001
From: dtrai2
Date: Mon, 16 Dec 2024 11:31:15 +0100
Subject: [PATCH 05/10] fix digest ref

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 291667370..6c2569eeb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -175,7 +175,7 @@ jobs:
 - name: Sign image with a key
 run: |
- cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${{ DIGEST }}
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${ DIGEST }
 env:
 COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

From e85b82943b30164e61bd1664b3903bec1b55670c Mon Sep 17 00:00:00 2001
From: dtrai2
Date: Mon, 16 Dec 2024 11:38:44 +0100
Subject: [PATCH 06/10] fix digest ref

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6c2569eeb..081dd2008 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -175,7 +175,7 @@ jobs:
 - name: Sign image with a key
 run: |
- cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${ DIGEST }
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
 env:
 COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

From 949ddaee48c4d0da0c8190b057806d7b61722a2c Mon Sep 17 00:00:00 2001
From: dtrai2
Date: Mon, 16 Dec 2024 11:45:16 +0100
Subject: [PATCH 07/10] add key to README.md

---
 README.md | 60 ++++++++++++++++++++++++-------------------------
 1 file changed, 26 insertions(+), 34 deletions(-)

diff --git a/README.md b/README.md
index 2f7220db5..2f3dbe759 100644
--- a/README.md
+++ b/README.md
@@ -11,15 +11,6 @@
 ![GitHub Repo stars](https://img.shields.io/github/stars/fkie-cad/logprep?style=social)
-## validating the image
-
-```
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgkQXDi/N4TDFE2Ao0pulOFfbGm5g
-kVtARE+LJfSFI25BanOG9jaxxRGVt+Sa1KtQbMcy7Glxu0s7XgD9VFGjTA==
------END PUBLIC KEY-----
-```
-
 ## Introduction
 Logprep allows to collect, process and forward log messages from various data sources.
@@ -35,18 +26,15 @@ message is sent to a configured output connector.
 Logprep is primarily designed to process log messages. Generally, Logprep can handle JSON messages, allowing further applications besides log handling.
-This readme provides basic information about the following topics:
-- [About Logprep](#about-logprep)
-- [Getting Started](https://logprep.readthedocs.io/en/latest/getting_started.html)
+- [About Logprep](https://github.com/fkie-cad/Logprep/blob/main/README.md#about-logprep)
+- [Installation](https://logprep.readthedocs.io/en/latest/installation.html)
 - [Deployment Examples](https://logprep.readthedocs.io/en/latest/examples/index.html)
 - [Event Generation](https://logprep.readthedocs.io/en/latest/user_manual/execution.html#event-generation)
 - [Documentation](https://logprep.readthedocs.io/en/latest)
-- [Contributing](CONTRIBUTING)
-- [License](LICENSE)
-- [Changelog](CHANGELOG.md)
-
-More detailed information can be found in the
-[Documentation](https://logprep.readthedocs.io/en/latest/).
+- [Container signatures](https://github.com/fkie-cad/Logprep/blob/main/README.md#container-signatures)
+- [Contributing](https://github.com/fkie-cad/Logprep/blob/main/CONTRIBUTING.md)
+- [License](https://github.com/fkie-cad/Logprep/blob/main/LICENSE)
+- [Changelog](https://github.com/fkie-cad/Logprep/blob/main/CHANGELOG.md)
 ## About Logprep
@@ -239,22 +227,6 @@ If it does exist then the dropper would delete this field from the log message.
 Details about the rule language and how to write rules for the processors can be found in the [rule configuration documentation](https://logprep.readthedocs.io/en/latest/configuration/rules.html).
-## Getting Started
-
-For installation instructions see: https://logprep.readthedocs.io/en/latest/installation.html
-For execution instructions see: https://logprep.readthedocs.io/en/latest/user_manual/execution.html
-
-### Reload the Configuration
-
-A `config_refresh_interval` can be set to periodically and automatically refresh the given configuration. This can be useful in case of containerized environments (such as Kubernetes), when pod volumes often change on the fly.
-
-If the configuration does not pass a consistency check, then an error message is logged and Logprep keeps running with the previous configuration. The configuration should be then checked and corrected on the basis of the error message.
-
-
 ## Documentation
 The documentation for Logprep is online at https://logprep.readthedocs.io/en/latest/ or it can
@@ -268,3 +240,23 @@ make html
 ```
 A HTML documentation can be then found in `doc/_build/html/index.html`.
+
+## Container signatures
+
+From release 15 on, Logprep containers are signed using the cosign tool.
+Logprep currently does not use the keyless signing and the transparency log.
+To verify the container, you can copy the following public key into a file
+`logprep.pub`:
+
+```
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgkQXDi/N4TDFE2Ao0pulOFfbGm5g
+kVtARE+LJfSFI25BanOG9jaxxRGVt+Sa1KtQbMcy7Glxu0s7XgD9VFGjTA==
+-----END PUBLIC KEY-----
+```
+
+And use it to verify the signature:
+
+```
+cosign verify --key logprep.pub ghcr.io/fkie-cad/logprep:3.11-latest --insecure-ignore-tlog=true
+```

From 6b3ab457926445f362d8e83c8d3531b1a48a41a9 Mon Sep 17 00:00:00 2001
From: dtrai2
Date: Mon, 16 Dec 2024 11:52:12 +0100
Subject: [PATCH 08/10] update README.md

---
 README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 2f3dbe759..67d9ae108 100644
--- a/README.md
+++ b/README.md
@@ -244,7 +244,6 @@ A HTML documentation can be then found in `doc/_build/html/index.html`.
 ## Container signatures
 From release 15 on, Logprep containers are signed using the cosign tool.
-Logprep currently does not use the keyless signing and the transparency log.
 To verify the container, you can copy the following public key into a file
 `logprep.pub`:
@@ -258,5 +257,5 @@ kVtARE+LJfSFI25BanOG9jaxxRGVt+Sa1KtQbMcy7Glxu0s7XgD9VFGjTA==
 And use it to verify the signature:
 ```
-cosign verify --key logprep.pub ghcr.io/fkie-cad/logprep:3.11-latest --insecure-ignore-tlog=true
+cosign verify --key logprep.pub ghcr.io/fkie-cad/logprep:3.11-latest
 ```

From 7fb224dfa305a2edc07dc8d9e5fd4e04b85c9e22 Mon Sep 17 00:00:00 2001
From: dtrai2
Date: Tue, 17 Dec 2024 09:26:50 +0100
Subject: [PATCH 09/10] add cosign to release

---
 .github/workflows/publish-release-to-pypi.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/.github/workflows/publish-release-to-pypi.yml b/.github/workflows/publish-release-to-pypi.yml
index a9a9d46af..878408596 100644
--- a/.github/workflows/publish-release-to-pypi.yml
+++ b/.github/workflows/publish-release-to-pypi.yml
@@ -90,3 +90,16 @@ jobs:
 ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.ref_name }}
 ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-stable
 ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-latest
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.7.0
+ with:
+ cosign-release: 'v2.4.1'
+
+ - name: Sign image with a key
+ run: |
+ cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
+ env:
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}

From aa5a280c4596eb605aa798c00527255a238690bf Mon Sep 17 00:00:00 2001
From: dtrai2
Date: Tue, 17 Dec 2024 09:28:14 +0100
Subject: [PATCH 10/10] add CHANGELOG.md

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4a3ef4057..72ea1f9b2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ the list is now fixed inside the packaged logprep
 * remove `tldextract` dependency
 * remove `urlextract` dependency
 * fix wrong documentation for `timestamp_differ`
+* add container signatures to image build inside ci pipeline
 ### Bugfix
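Review bot: The signing reference in the added `run:` block uses `${{ github.head_ref }}`, while the tags pushed in the context lines just above use `${{ github.ref_name }}`; `head_ref` is empty outside `pull_request` events, so on a release run the reference degrades to `...:py3.x-@sha256:...`. Since the signature attaches to the digest, the tag is not needed at all: `cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep@${DIGEST}` signs the image that all three tags point to, and the same simplification applies to the ci.yml step in patch 06. `DIGEST` is read from `steps.build-and-push.outputs.digest`, but this series only adds `id: build-and-push` to ci.yml (patch 02); the push step's header in this file is outside the hunk, so confirm it carries that id, otherwise the output is empty and the reference ends in a bare `@`. The enclosing job starts outside the hunk.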