Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add multi arch docker images #120

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add multi arch docker images #120

wants to merge 6 commits into from

Conversation

marcofranssen
Copy link
Member

@marcofranssen marcofranssen commented Jan 13, 2022

This still needs verification when building a release. This was failing on the signing PR so separated this into a new PR to debug this part.

resolves #107
resolves #68

As we are only providing the image digest it seems the provenance is only attached to the image tags. v0.5.2-draft-amd64 and v0.5.2-draft-arm64v8.

$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft-amd64

Verification for ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft-amd64 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
{"payloadType":"https://slsa.dev/provenance/v0.2","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UiLCJkaWdlc3QiOnsic2hhMjU2IjoiNWQ2NzRkZTEyYzY4MzBhMzNjYTFiMWZlNzk2NDQ2OGVlOThhMWJkZGUyNjI4NDRlNzY5Nzg5N2JmOGU1YjljNyJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uL0F0dGVzdGF0aW9ucy9HaXRIdWJIb3N0ZWRBY3Rpb25zQHYxIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9BdHRlc3RhdGlvbnMvR2l0SHViQWN0aW9uc1dvcmtmbG93QHYxIiwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlLWFjdGlvbiIsImRpZ2VzdCI6eyJzaGExIjoiOTA1OWZjMTJmZGYwMzJiYmZlMjQ1NmM0NGVmYTY3NDA3NTU5ZTY2ZiJ9LCJlbnRyeVBvaW50IjoiQ29udGludW91cyBpbnRlZ3JhdGlvbiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiJodHRwczovL2dpdGh1Yi5jb20vcGhpbGlwcy1sYWJzL3Nsc2EtcHJvdmVuYW5jZS1hY3Rpb24vYWN0aW9ucy9ydW5zLzE3MjMzNTU5ODciLCJidWlsZEZpbmlzaGVkT24iOiIyMDIyLTAxLTIwVDEyOjQxOjMwWiIsImNvbXBsZXRlbmVzcyI6eyJwYXJhbWV0ZXJzIjp0cnVlLCJlbnZpcm9ubWVudCI6ZmFsc2UsIm1hdGVyaWFscyI6ZmFsc2V9LCJyZXByb2R1Y2libGUiOmZhbHNlfSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uIiwiZGlnZXN0Ijp7InNoYTEiOiI5MDU5ZmMxMmZkZjAzMmJiZmUyNDU2YzQ0ZWZhNjc0MDc1NTllNjZmIn19XX19","signatures":[{"keyid":"","sig":"MEYCIQCmxI/5im45L0JsKs4MLz8/GwRyxkqKUF7u/7HixZz7yAIhANZLF/YdhCq0tNezBitf0McSfpfgtLpLAoY8/wWn+e9K"}]}

$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft      
Error: no matching attestations:

main.go:46: error during command execution: no matching attestations:

So for the manifest tags v0.5.2-draft and the commit-hash we do not have the provenance as those tags are on the manifests.
It looks like there is another RepoDigest when pulling these images by manifest tags. See below the Digest for the amd64 platform. Not sure how this will be for the arm64v8.

$ docker manifest inspect ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft      
{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 1159,
         "digest": "sha256:5d674de12c6830a33ca1b1fe7964468ee98a1bdde262844e7697897bf8e5b9c7",
         "platform": {
            "architecture": "amd64",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 1159,
         "digest": "sha256:9a12783d47e0b03a0ad7cf996eb4d5f36627b1e073c832a6aa9a94b5fb5c182c",
         "platform": {
            "architecture": "arm64",
            "os": "linux"
         }
      }
   ]
}

Seems the digest for the pulled tag (in my case amd64 arch) is a different one as we have seen before.

$ docker inspect ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft                                 [
{
        "Id": "sha256:788f5d3ffed4f844e4288aae0d04fad8af5dc2e94e852019c166f2bb0a15a4f3",
        "RepoTags": [
            "ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft"
        ],
        "RepoDigests": [
            "ghcr.io/philips-labs/slsa-provenance@sha256:af08463f91a98c3f08083987dc1826eba302aeb110ae85b679a3859be2a25bea"
        ],
………………
…………………

@marcofranssen marcofranssen requested a review from a team as a code owner January 13, 2022 16:10
@codecov
Copy link

codecov bot commented Jan 13, 2022

Codecov Report

Merging #120 (3645ec0) into main (dddb40e) will not change coverage.
The diff coverage is n/a.

❗ Current head 3645ec0 differs from pull request most recent head 14513f0. Consider uploading reports for the commit 14513f0 to get more accurate results

Impacted file tree graph

@@           Coverage Diff           @@
##             main     #120   +/-   ##
=======================================
  Coverage   77.54%   77.54%           
=======================================
  Files          15       15           
  Lines         610      610           
=======================================
  Hits          473      473           
  Misses         97       97           
  Partials       40       40           
Flag Coverage Δ
unittests 77.54% <0.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dddb40e...14513f0. Read the comment docs.

@marcofranssen marcofranssen force-pushed the multi-arch-docker branch 5 times, most recently from eb07a18 to b8a7229 Compare January 14, 2022 15:36
JeroenKnoops
JeroenKnoops previously approved these changes Jan 14, 2022
@marcofranssen
Copy link
Member Author

Cut out a new release to test. Using cosign v1.5.1 all seems to work now for signatures:

$ cosign verify --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft

Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"ghcr.io/philips-labs/slsa-provenance"},"image":{"docker-manifest-digest":"sha256:e5413487c74dd0f51d0b557d2000b70d860a24e8d172a77285194e27f7723a66"},"type":"cosign container image signature"},"optional":null}]

$ cosign verify --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64

Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"ghcr.io/philips-labs/slsa-provenance"},"image":{"docker-manifest-digest":"sha256:d71d2952d9d0e68113994db321e3ef76ea33a346cb0f189f4740ba363de6c723"},"type":"cosign container image signature"},"optional":null}]

$ cosign verify --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8 

Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"ghcr.io/philips-labs/slsa-provenance"},"image":{"docker-manifest-digest":"sha256:5125a5d75a6974ae1a7a22db54f6efaadd044fb420ae8e5864af47ebe3126a25"},"type":"cosign container image signature"},"optional":null}]

Thanks @priyawadhwa

For provenance attestations we still need to have a look at the manifest. This currently does not have a provenance attestation linked to it. Something we still need to resolve in the ci pipeline most probably.

$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft
Error: no matching attestations:

main.go:46: error during command execution: no matching attestations:

$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8

Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UiLCJkaWdlc3QiOnsic2hhMjU2IjoiNTEyNWE1ZDc1YTY5NzRhZTFhN2EyMmRiNTRmNmVmYWFkZDA0NGZiNDIwYWU4ZTU4NjRhZjQ3ZWJlMzEyNmEyNSJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uL0F0dGVzdGF0aW9ucy9HaXRIdWJIb3N0ZWRBY3Rpb25zQHYxIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9BdHRlc3RhdGlvbnMvR2l0SHViQWN0aW9uc1dvcmtmbG93QHYxIiwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlLWFjdGlvbiIsImRpZ2VzdCI6eyJzaGExIjoiZGRkNmMyZDYyOTI5ZTg3NjkyNjdkMDEzNjYyNTJkOTI2MDlkMWRiYiJ9LCJlbnRyeVBvaW50IjoiQ29udGludW91cyBpbnRlZ3JhdGlvbiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiJodHRwczovL2dpdGh1Yi5jb20vcGhpbGlwcy1sYWJzL3Nsc2EtcHJvdmVuYW5jZS1hY3Rpb24vYWN0aW9ucy9ydW5zLzE4NTg3ODA2MzIiLCJidWlsZEZpbmlzaGVkT24iOiIyMDIyLTAyLTE3VDEzOjE5OjQ1WiIsImNvbXBsZXRlbmVzcyI6eyJwYXJhbWV0ZXJzIjp0cnVlLCJlbnZpcm9ubWVudCI6ZmFsc2UsIm1hdGVyaWFscyI6ZmFsc2V9LCJyZXByb2R1Y2libGUiOmZhbHNlfSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uIiwiZGlnZXN0Ijp7InNoYTEiOiJkZGQ2YzJkNjI5MjllODc2OTI2N2QwMTM2NjI1MmQ5MjYwOWQxZGJiIn19XX19","signatures":[{"keyid":"","sig":"MEYCIQCczjSW728jVPHZaQ0QhjHNKZWq85ExHyz/6aVLzZmRlQIhAJR6rt+IFlaRFFj33vcrlrOHKetu+l+she9zga0w7sUv"}]}

$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64 

Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.
{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UiLCJkaWdlc3QiOnsic2hhMjU2IjoiZDcxZDI5NTJkOWQwZTY4MTEzOTk0ZGIzMjFlM2VmNzZlYTMzYTM0NmNiMGYxODlmNDc0MGJhMzYzZGU2YzcyMyJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uL0F0dGVzdGF0aW9ucy9HaXRIdWJIb3N0ZWRBY3Rpb25zQHYxIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9BdHRlc3RhdGlvbnMvR2l0SHViQWN0aW9uc1dvcmtmbG93QHYxIiwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlLWFjdGlvbiIsImRpZ2VzdCI6eyJzaGExIjoiZGRkNmMyZDYyOTI5ZTg3NjkyNjdkMDEzNjYyNTJkOTI2MDlkMWRiYiJ9LCJlbnRyeVBvaW50IjoiQ29udGludW91cyBpbnRlZ3JhdGlvbiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiJodHRwczovL2dpdGh1Yi5jb20vcGhpbGlwcy1sYWJzL3Nsc2EtcHJvdmVuYW5jZS1hY3Rpb24vYWN0aW9ucy9ydW5zLzE4NTg3ODA2MzIiLCJidWlsZEZpbmlzaGVkT24iOiIyMDIyLTAyLTE3VDEzOjE5OjQ2WiIsImNvbXBsZXRlbmVzcyI6eyJwYXJhbWV0ZXJzIjp0cnVlLCJlbnZpcm9ubWVudCI6ZmFsc2UsIm1hdGVyaWFscyI6ZmFsc2V9LCJyZXByb2R1Y2libGUiOmZhbHNlfSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uIiwiZGlnZXN0Ijp7InNoYTEiOiJkZGQ2YzJkNjI5MjllODc2OTI2N2QwMTM2NjI1MmQ5MjYwOWQxZGJiIn19XX19","signatures":[{"keyid":"","sig":"MEYCIQDSgWuGXT24YA2aqJXt029RwIqNvAmCbwNt9c0fVhDHVAIhAOKoSBb4QGd7STfNb/gEIQFHr9ErG6bqSBYjfgzur3WR"}]}

marcofranssen and others added 6 commits February 18, 2022 11:56
Co-authored-by: Brend Smits <[email protected]>
Signed-off-by: Marco Franssen <[email protected]>
Signed-off-by: Brend Smits <[email protected]>
Signed-off-by: Marco Franssen <[email protected]>
Signed-off-by: Marco Franssen <[email protected]>
Co-authored-by: Brend Smits <[email protected]>
Signed-off-by: Marco Franssen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Target multi platform docker images Multi architecture docker images
3 participants