diff --git a/Makefile b/Makefile
index d08453d9..185d4748 100644
--- a/Makefile
+++ b/Makefile
@@ -107,6 +107,7 @@ TARGETS += realtek-firmware
 TARGETS += revpi-firmware
 TARGETS += spin
 TARGETS += stargz-snapshotter
+TARGETS += containerd-image-verifier-sigstore
 TARGETS += tailscale
 TARGETS += tenstorrent
 TARGETS += thunderbolt
diff --git a/tools/containerd-image-verifier-sigstore/10-containerd-image-verifier.part b/tools/containerd-image-verifier-sigstore/10-containerd-image-verifier.part
new file mode 100644
index 00000000..3165d31f
--- /dev/null
+++ b/tools/containerd-image-verifier-sigstore/10-containerd-image-verifier.part
@@ -0,0 +1,5 @@
+[plugins]
+ [plugins."io.containerd.image-verifier.v1.bindir"]
+ bin_dir = "/usr/local/bin/containerd-image-verifier"
+ max_verifiers = 10
+ per_verifier_timeout = "10s"
diff --git a/tools/containerd-image-verifier-sigstore/README.md b/tools/containerd-image-verifier-sigstore/README.md
new file mode 100644
index 00000000..9243d4e6
--- /dev/null
+++ b/tools/containerd-image-verifier-sigstore/README.md
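Review bot: The new `TARGETS += containerd-image-verifier-sigstore` line is inserted between `stargz-snapshotter` and `tailscale`, which breaks the alphabetical order the surrounding entries (realtek, revpi, spin, stargz, tailscale, tenstorrent, thunderbolt) appear to follow. If the list is sorted, the entry belongs with the other `c…` targets earlier in the file, outside this hunk. A sorted list makes duplicate or missing targets easy to spot in review, so I'd move it rather than leave it here.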
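Review bot: The bindir verifier config in 10-containerd-image-verifier.part carries no comment on what the three settings mean or how a rejecting or slow verifier affects image pulls, which is the security-relevant behaviour an operator reading this file needs. I'd add a header comment such as `# containerd bindir image verifier: executables in bin_dir are run on image pull; a verifier that rejects the image, or exceeds per_verifier_timeout, blocks the pull — confirm against the image-verification docs of the containerd version Talos ships`, since the exact timeout semantics are not stated here. `bin_dir` does match the directory pkg.yaml installs `containerd-image-verifier-sigstore` into, so the two files must be changed together.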
@@ -0,0 +1,49 @@
+# containerd-image-verifier-sigstore extension
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Usage
+
+```yaml
+machine:
+ files:
+ - content: |
+ apiVersion: policy.sigstore.dev/v1alpha1
+ kind: ClusterImagePolicy
+ metadata:
+ name: system
+ spec:
+ images:
+ - glob: "**"
+ authorities:
+ - keyless:
+ url: https://fulcio.sigstore.dev
+ identities:
+ - issuer: https://accounts.google.com
+ subject: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com
+ ctlog:
+ url: https://rekor.sigstore.dev
+ path: /usr/local/etc/containers/sigstore/kubernetes.yaml
+ permissions: 0600
+ op: create
+ - content: |
+ apiVersion: policy.sigstore.dev/v1alpha1
+ kind: ClusterImagePolicy
+ metadata:
+ name: system
+ spec:
+ images:
+ - glob: "**"
+ authorities:
+ - keyless:
+ identities:
+ - issuer: https://accounts.google.com
+ subjectRegExp: "@siderolabs\.com$"
+ path: /usr/local/etc/containers/sigstore/siderolabs.yaml
+ permissions: 0600
+ op: create
+```
+
+**Important note: add all other identities and keys within the ClusterImagePolicy above for target container images**
diff --git a/tools/containerd-image-verifier-sigstore/manifest.yaml b/tools/containerd-image-verifier-sigstore/manifest.yaml
new file mode 100644
index 00000000..33a56d98
--- /dev/null
+++ b/tools/containerd-image-verifier-sigstore/manifest.yaml
@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+ name: containerd-image-verifier-sigstore
+ version: "$VERSION"
+ author: Caleb Woodbine
+ description: |
+ Verify images signed with Sigstore against ClusterImagePolicy declarations
+ compatibility:
+ talos:
+ version: ">= v1.9.0"
diff --git a/tools/containerd-image-verifier-sigstore/pkg.yaml b/tools/containerd-image-verifier-sigstore/pkg.yaml
new file mode 100644
index 00000000..e28e48fb
--- /dev/null
+++ b/tools/containerd-image-verifier-sigstore/pkg.yaml
@@ -0,0 +1,75 @@
+name: containerd-image-verifier-sigstore
+variant: scratch
+shell: /bin/bash
+dependencies:
+ - stage: base
+steps:
+ - sources:
+ - url: https://github.com/sigstore/policy-controller/archive/refs/tags/{{ .SIGSTORE_POLICY_TESTER_VERSION }}.tar.gz
+ destination: sigstore-policy-controller.tar.gz
+ sha256: {{ .SIGSTORE_POLICY_TESTER_VERSION_SHA256 }}
+ sha512: {{ .SIGSTORE_POLICY_TESTER_VERSION_SHA512 }}
+ - url: https://github.com/BobyMCbobs/containerd-image-verifier-sigstore/archive/refs/tags/{{ .CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION }}.tar.gz
+ destination: containerd-image-verifier-sigstore.tar.gz
+ sha256: {{ .CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION_SHA256 }}
+ sha512: {{ .CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION_SHA512 }}
+ env:
+ GOPATH: /tmp/go
+ cachePaths:
+ - /.cache/go-build
+ - /tmp/go/pkg
+ - network: default
+ prepare:
+ - |
+ sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+ - |
+ mkdir -p ${GOPATH}/src/github.com/sigstore/policy-controller
+
+ tar -xzf sigstore-policy-controller.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/sigstore/policy-controller
+ - |
+ mkdir -p ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+
+ tar -xzf containerd-image-verifier-sigstore.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+ - |
+ cd ${GOPATH}/src/github.com/sigstore/policy-controller
+ go mod download
+ - |
+ cd ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+ go mod download
+ - network: none
+ build:
+ - |
+ cd ${GOPATH}/src/github.com/sigstore/policy-controller
+
+ mkdir ./bin
+
+ CGO_ENABLED=0 go build -o ./bin/sigstore-policy-tester ./cmd/tester
+ - |
+ cd ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+
+ mkdir ./bin
+
+ CGO_ENABLED=0 go build -ldflags="-X 'main.DefaultPolicyDirPath=/var/local/etc/containers/sigstore/'" -o ./bin/containerd-image-verifier-sigstore .
+ install:
+ - |
+ cd ${GOPATH}/src/github.com/sigstore/policy-controller
+ mkdir -p /rootfs/usr/local/bin/
+ cp -av bin/sigstore-policy-tester /rootfs/usr/local/bin/
+ - |
+ cd ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+ mkdir -p /rootfs/usr/local/bin/containerd-image-verifier/
+ cp -av bin/containerd-image-verifier-sigstore /rootfs/usr/local/bin/containerd-image-verifier/
+ - |
+ mkdir -p /rootfs/etc/cri/conf.d
+ cp /pkg/10-containerd-image-verifier.part /rootfs/etc/cri/conf.d/
+ test:
+ - |
+ mkdir -p /extensions-validator-rootfs
+ cp -r /rootfs/ /extensions-validator-rootfs/rootfs
+ cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
+ /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+finalize:
+ - from: /rootfs
+ to: /rootfs
+ - from: /pkg/manifest.yaml
+ to: /
diff --git a/tools/containerd-image-verifier-sigstore/vars.yaml b/tools/containerd-image-verifier-sigstore/vars.yaml
new file mode 100644
index 00000000..a9c9d9a6
--- /dev/null
+++ b/tools/containerd-image-verifier-sigstore/vars.yaml
@@ -0,0 +1,2 @@
+VERSION: "{{ .SIGSTORE_POLICY_TESTER_VERSION }}"
+CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION: "{{ .CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION }}"
diff --git a/tools/vars.yaml b/tools/vars.yaml
index 6318224d..0462cb82 100644
--- a/tools/vars.yaml
+++ b/tools/vars.yaml
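Review bot: The build step compiles the verifier with `-X 'main.DefaultPolicyDirPath=/var/local/etc/containers/sigstore/'`, while the README tells users to write their ClusterImagePolicy files under `/usr/local/etc/containers/sigstore/`; unless those two paths resolve to the same directory on a Talos node, the verifier would read a directory the documented policies never reach, and whether pulls are then allowed or blocked depends on how the verifier behaves with no policy loaded, which nothing in this change documents. I'd align the two paths or put a comment above the `go build` line such as `# policy dir must match the location documented in README.md (/usr/local/etc/containers/sigstore/) — confirm that /var/local/etc resolves to it on Talos before keeping this value`. The README example's `subjectRegExp: "@siderolabs\.com$"` also places `\.` inside a double-quoted YAML scalar, which strict YAML parsers reject as an unknown escape, so the single-quoted form `'@siderolabs\.com$'` is safer for a policy that must load for enforcement to happen. The `install` step's target directory does agree with `bin_dir` in 10-containerd-image-verifier.part, so that pairing is consistent.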
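Review bot: `VERSION` is derived only from `SIGSTORE_POLICY_TESTER_VERSION`, so the version sed writes into manifest.yaml does not change when `CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION` is bumped, and two builds shipping different verifier binaries would carry the same extension version. For traceability of what is actually installed on a node, consider composing both, e.g. `VERSION: "{{ .SIGSTORE_POLICY_TESTER_VERSION }}-{{ .CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION }}"`, provided the extension version format accepts it, or document the choice with `# extension version tracks the sigstore policy-tester release; verifier bumps do not change it`.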
@@ -6,3 +6,11 @@ LIBNVME_SHA512: 96a1bbd6cea1e77381254e242e781b023416abfbf44c82a0aa6eb0b316b30316
 NVME_CLI_VERSION: v2.14
 NVME_CLI_SHA256: ff689ec0dabd32e8077a9fc0b2732067b08dedeef471aadea0136ae210f6edd1
 NVME_CLI_SHA512: 7f600ee719f06283e136427a0f9eb0b22412f7f4549c774768caff54150207ba87e2a431ea1569e5ed86a554aecd23c00c4e8c351aa0168a81807c86a0cb2edc
+# renovate: datasource=github-releases depName=sigstore/policy-tester
+SIGSTORE_POLICY_TESTER_VERSION: v0.12.0
+SIGSTORE_POLICY_TESTER_VERSION_SHA256: f0a3545341b426a77452f58be10f01d194e157e8232bf512967fd36984dd096e
+SIGSTORE_POLICY_TESTER_VERSION_SHA512: fb542d15b0b269e505888e41ba7af456e489d7592dca459b193e02ab59cbadd64c9bdcf23ef0323143f8c0905c2aecafad705bd56a31905f3e63dd311d022be1
+# renovate: datasource=github-releases depName=sigstore/policy-tester
+CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION: v0.2.0
+CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION_SHA256: aaa04e076733dcc08a20d7636be588846dfbf371f55fb23e82d3c0440779972c
+CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION_SHA512: cf62552a2842536fd07337eb7cdfb36afa6c795c99cb4eebdcaef0251848f4db2a763af21731d81af9fb6b46ccd4d604ca37c8ef7eaaad0d017722bb66cd2a4e
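Review bot: Both new `# renovate:` markers name `depName=sigstore/policy-tester`, but pkg.yaml fetches the first tarball from `github.com/sigstore/policy-controller` and the second group pins `BobyMCbobs/containerd-image-verifier-sigstore`, so the update bot would presumably track the wrong upstream for both groups. The markers should read `# renovate: datasource=github-releases depName=sigstore/policy-controller` and `# renovate: datasource=github-releases depName=BobyMCbobs/containerd-image-verifier-sigstore` respectively. Because the SHA256/SHA512 pins are tied to the named version, a bump against the wrong repository would fail the source hash check at build time rather than silently pull a different artifact, but the pins still have to be refreshed from a trusted source whenever either version changes.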