add signing to action #729

Merged (10 commits), Dec 17, 2024
Changes from 8 commits
22 changes: 18 additions & 4 deletions .github/workflows/ci.yml
@@ -126,10 +126,11 @@ jobs:
- name: Ensure logprep is available in image
run: |
docker run --rm ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }} --version

# This step will build the image again, but every layer will already be cached, so it is nearly instantaneous.
- name: Push image
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
id: build-and-push
with:
context: .
push: true
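Review bot: `uses: docker/build-push-action@v6` is pinned to a mutable major-version tag rather than a commit SHA, and this job now holds the image-signing key, so a tag that is force-moved or an action repository that is compromised could read `COSIGN_PRIVATE_KEY` out of the runner; pin every `uses:` in this job (including the `sigstore/cosign-installer` step added below) to a full commit SHA with the version in a trailing comment, e.g. `uses: docker/build-push-action@<commit-sha> # v6`. The new `id: build-and-push` is what exposes `steps.build-and-push.outputs.digest` to the signing step, so it should stay stable if the step is later renamed.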
@@ -138,7 +139,7 @@ jobs:
PYTHON_VERSION=${{ matrix.python-version }}
tags: |
ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}

# To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get date
id: date
@@ -151,7 +152,7 @@ jobs:
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-

- name: Scan image using Trivy
uses: aquasecurity/[email protected]
env:
@@ -166,3 +167,16 @@ jobs:
# So we need to change the permissions before caching the database.
- name: Change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db

- name: Install Cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.4.1'

- name: Sign image with a key
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ghcr.io/fkie-cad/logprep:py${{ matrix.python-version }}-${{ github.head_ref }}@${DIGEST}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
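Review bot: `github.head_ref` is only populated for `pull_request`-triggered runs, so this step signs the image of every PR branch with the long-lived release key, and on PRs opened from forks `secrets.COSIGN_PRIVATE_KEY` is empty, so `cosign sign` will fail the job. Gate the step on the event and source repository (e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`) or move signing to the release workflow that produces the `3.11-latest`-style tags the README tells users to verify; otherwise any unreviewed branch image carries a signature indistinguishable from a release. Signing `...@${DIGEST}` rather than the bare tag is the right choice, since the tag can be repointed after signing. `--yes` skips the prompt that confirms uploading the signature to the public transparency log; that is expected in CI, but a one-line comment next to it would make clear that each signature becomes a public record.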
50 changes: 25 additions & 25 deletions README.md
@@ -26,18 +26,15 @@ message is sent to a configured output connector.
Logprep is primarily designed to process log messages. Generally, Logprep can handle JSON messages,
allowing further applications besides log handling.

This readme provides basic information about the following topics:
- [About Logprep](#about-logprep)
- [Getting Started](https://logprep.readthedocs.io/en/latest/getting_started.html)
- [About Logprep](https://github.com/fkie-cad/Logprep/blob/main/README.md#about-logprep)
- [Installation](https://logprep.readthedocs.io/en/latest/installation.html)
- [Deployment Examples](https://logprep.readthedocs.io/en/latest/examples/index.html)
- [Event Generation](https://logprep.readthedocs.io/en/latest/user_manual/execution.html#event-generation)
- [Documentation](https://logprep.readthedocs.io/en/latest)
- [Contributing](CONTRIBUTING)
- [License](LICENSE)
- [Changelog](CHANGELOG.md)

More detailed information can be found in the
[Documentation](https://logprep.readthedocs.io/en/latest/).
- [Container signatures](https://github.com/fkie-cad/Logprep/blob/main/README.md#container-signatures)
- [Contributing](https://github.com/fkie-cad/Logprep/blob/main/CONTRIBUTING.md)
- [License](https://github.com/fkie-cad/Logprep/blob/main/LICENSE)
- [Changelog](https://github.com/fkie-cad/Logprep/blob/main/CHANGELOG.md)

## About Logprep
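Review bot: the table of contents now links to `https://github.com/fkie-cad/Logprep/blob/main/...` instead of relative targets, which renders correctly outside GitHub but sends readers of a tagged release or a fork to `main` regardless of which version they are looking at; in-page targets such as About Logprep and Container signatures work as plain `#about-logprep` / `#container-signatures` anchors on GitHub and would not have that drift. The list also drops the Getting Started entry, so the only remaining link into the execution manual is the Event Generation anchor.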

@@ -230,22 +227,6 @@ If it does exist then the dropper would delete this field from the log message.
Details about the rule language and how to write rules for the processors can be found in the
[rule configuration documentation](https://logprep.readthedocs.io/en/latest/configuration/rules.html).

## Getting Started

For installation instructions see: https://logprep.readthedocs.io/en/latest/installation.html
For execution instructions see: https://logprep.readthedocs.io/en/latest/user_manual/execution.html

### Reload the Configuration

A `config_refresh_interval` can be set to periodically and automatically refresh the given configuration.
This can be useful in case of containerized environments (such as Kubernetes), when pod volumes often change
on the fly.

If the configuration does not pass a consistency check, then an error message is logged and
Logprep keeps running with the previous configuration.
The configuration should be then checked and corrected on the basis of the error message.


## Documentation

The documentation for Logprep is online at https://logprep.readthedocs.io/en/latest/ or it can
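Review bot: removing the "Getting Started" and "Reload the Configuration" subsections drops the statement that a configuration failing its consistency check is logged and Logprep keeps running with the previous configuration; no remaining README link points at the execution page (https://logprep.readthedocs.io/en/latest/user_manual/execution.html) other than the Event Generation anchor, so either keep a one-line pointer to where `config_refresh_interval` is documented or confirm the documentation covers that failure behaviour.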
@@ -259,3 +240,22 @@ make html
```

A HTML documentation can be then found in `doc/_build/html/index.html`.

## Container signatures

From release 15 on, Logprep containers are signed using the cosign tool.
To verify the container, you can copy the following public key into a file
`logprep.pub`:

```
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgkQXDi/N4TDFE2Ao0pulOFfbGm5g
kVtARE+LJfSFI25BanOG9jaxxRGVt+Sa1KtQbMcy7Glxu0s7XgD9VFGjTA==
-----END PUBLIC KEY-----
```

And use it to verify the signature:

```
cosign verify --key logprep.pub ghcr.io/fkie-cad/logprep:3.11-latest
```
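Review bot: the verify example targets the moving tag `ghcr.io/fkie-cad/logprep:3.11-latest`, while the workflow in this PR signs `py<python>-<branch>` images by digest, so the section should state which tags or releases actually carry signatures. `cosign verify` on a tag only attests the digest the tag resolves to at that moment; tell readers to pull by the digest printed in the verification output (`ghcr.io/fkie-cad/logprep@sha256:...`) if they want the guarantee to persist. A reader fetching `logprep.pub` from this README is trusting the same repository that builds the image, so publishing the key (or its fingerprint) through a second channel such as the documentation site or a release note would add real assurance. Minor: the two fences lack a language tag; the README uses ```` ```sh ````-style fences elsewhere.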