v4.0.0 - Sign Images and SLSA-Provenance

[JeroenKnoops]

Sign Images with Cosign

Now you can use Cosign to sign images.
Add sign: true to the arguments and provide the cosign environment variables and the image will be signed.

You can generate a key-pair with cosign by doing the following thing:

cosign generate-key-pair

Store the values as GitHub Secrets in COSIGN_PRIVATE_KEY, COSIGN_PASSWORD and COSIGN_PUBLIC_KEY and you are ready to go.
See: https://github.com/philips-software/docker-ci-scripts#signing-the-image
You can verify an image by doing the following thing:

cosign verify --key cosign.pub <image-name> | jq .

Create SLSA-Provenance

You can create a SLSA-Provenance file. This feature is using https://github.com/philips-labs/slsa-provenance-action.
Add slsa-provenance: true to the arguments and a provenance.json file is created.
The filename is exported as output in slsa-provenance-file.
See: https://github.com/philips-software/docker-ci-scripts#with-slsa-provenance

Attach SLSA-Provenance to Image

When you are creating the SLSA-Provenance file and you provided the sign arguments and cosign environment variables, the SLSA-provenance file will be attached to the image.
You can verify the provenance by doing the following thing:

repodigest=$(docker inspect <image-name> | jq -r .[0].RepoDigests[0])
cosign verify-attestation --key cosign.pub $repodigest | jq -r '.payload' | base64 -d | jq .

Push indicator output

When the image was pushed to a registry, this indicator push-indicator is set to true.

Digest and tags outputs

container-digests and container-tags are set when images are pushed.

What's Changed

• Add digest and tags outputs for later use in provenance by @JeroenKnoops in Add digest and tags outputs for later use in provenance #88
• Add push-indicator by @JeroenKnoops in Add push-indicator #90
• Add SLSA Provenance feature by @JeroenKnoops in Add SLSA Provenance feature #94
• Attach provenance to image by @JeroenKnoops in Attach provenance to image #95
• Sign docker image with cosign by @JeroenKnoops in Sign docker image with cosign #96

Dependency Updates

• Bump docker from 20.10.8-git to 20.10.9-git by @dependabot in Bump docker from 20.10.8-git to 20.10.9-git #81
• Add GitHub registry example implementation by @Brend-Smits in Add GitHub registry example implementation #82
• Bump docker from 20.10.9-git to 20.10.10-git by @dependabot in Bump docker from 20.10.9-git to 20.10.10-git #83
• Bump azohra/shell-linter from 0.5.0 to 0.6.0 by @dependabot in Bump azohra/shell-linter from 0.5.0 to 0.6.0 #84
• Bump docker from 20.10.10-git to 20.10.11-git by @dependabot in Bump docker from 20.10.10-git to 20.10.11-git #85
• Bump docker from 20.10.11-git to 20.10.12-git by @dependabot in Bump docker from 20.10.11-git to 20.10.12-git #86
• Bump stefanzweifel/git-auto-commit-action from 4.12.0 to 4.13.0 by @dependabot in Bump stefanzweifel/git-auto-commit-action from 4.12.0 to 4.13.0 #91
• Replace master with main by @JeroenKnoops in Replace master with main #92
• Bump stefanzweifel/git-auto-commit-action from 4.13.0 to 4.13.1 by @dependabot in Bump stefanzweifel/git-auto-commit-action from 4.13.0 to 4.13.1 #93

New Contributors

• @Brend-Smits made their first contribution in Add GitHub registry example implementation #82

Full Changelog: v3.3.2...v4.0.0

---

This discussion was created from the release v4.0.0 - Sign Images and SLSA-Provenance.