commit 6ea2fc3fbe96ae382e5c573c9da3b49498914a8c35b85bef7f1dd0a2d51e2fa6 Author: Dan Čermák Date: Mon Nov 25 11:58:29 2024 +0000 [info=c11ae7b91f877d53b9e7ed4d8ed6d010] OBS-URL: https://build.opensuse.org/package/show/devel:BCI:Tumbleweed/cosign-image?expand=0&rev=17 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..eb82349 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,55 @@ +# SPDX-License-Identifier: Apache-2.0 + +# Copyright (c) 2024 SUSE LLC + +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. + +# The content of THIS FILE IS AUTOGENERATED and should not be manually modified. +# It is maintained by the BCI team and generated by +# https://github.com/SUSE/BCI-dockerfile-generator + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# You can contact the BCI team via https://github.com/SUSE/bci/discussions + +#!UseOBSRepositories + +#!BuildTag: opensuse/cosign:%%cosign_version%%-%RELEASE% +#!BuildTag: opensuse/cosign:%%cosign_version%% +#!BuildTag: opensuse/cosign:2.4 +#!BuildTag: opensuse/cosign:2 +#!BuildTag: opensuse/cosign:latest + +FROM opensuse/bci/bci-micro:latest AS target +FROM opensuse/tumbleweed:latest AS builder +COPY --from=target / /target + +RUN set -euo pipefail; \ + zypper -n --installroot /target --gpg-auto-import-keys install --no-recommends cosign openSUSE-build-key; \ + zypper -n clean; \ + rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2} +# sanity check that the version from the tag is equal to the version of cosign that we expect +RUN set -euo pipefail; \ + [ "$(rpm --root /target -q --qf '%{version}' cosign | \ + cut -d '.' -f -2)" = "2.4" ] +FROM opensuse/bci/bci-micro:latest +COPY --from=builder /target / +# Define labels according to https://en.opensuse.org/Building_derived_containers +# labelprefix=org.opensuse.application.cosign +LABEL org.opencontainers.image.title="openSUSE Tumbleweed cosign" +LABEL org.opencontainers.image.description="Signing OCI containers using Sigstore, based on the openSUSE Tumbleweed Base Container Image." +LABEL org.opencontainers.image.version="%%cosign_version%%" +LABEL org.opencontainers.image.url="https://www.opensuse.org" +LABEL org.opencontainers.image.created="%BUILDTIME%" +LABEL org.opencontainers.image.vendor="openSUSE Project" +LABEL org.opencontainers.image.source="%SOURCEURL%" +LABEL org.opencontainers.image.ref.name="%%cosign_version%%-%RELEASE%" +LABEL org.opensuse.reference="registry.opensuse.org/opensuse/cosign:%%cosign_version%%-%RELEASE%" +LABEL org.openbuildservice.disturl="%DISTURL%" +LABEL org.opensuse.lifecycle-url="https://en.opensuse.org/Lifetime#openSUSE_BCI" +LABEL org.opensuse.release-stage="released" +# endlabelprefix +LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/SUSE/BCI-dockerfile-generator/Tumbleweed/cosign-image/README.md" +LABEL io.artifacthub.package.logo-url="https://raw.githubusercontent.com/sigstore/community/main/artwork/cosign/horizontal/color/sigstore_cosign-horizontal-color.svg" +ENTRYPOINT ["/usr/bin/cosign"] diff --git a/README.md b/README.md new file mode 100644 index 0000000..f9bea21 --- /dev/null +++ b/README.md @@ -0,0 +1,63 @@ +# openSUSE Tumbleweed cosign +![Redistributable](https://img.shields.io/badge/Redistributable-Yes-green) + +## Description +Cosign aims to make signatures management easy. + +Cosign supports the following functionality: + +* "Keyless signing" with the Sigstore public good Fulcio certificate authority and Rekor transparency log (default) +* Hardware and KMS signing +* Signing with a Cosign-generated encrypted private/public keypair +* Container signing, verification and storage in an OCI registry. +* Bring-your-own public key infrastructure (PKI) + + +## Usage + +### Verify a container image + +To verify the image, specify a certificate subject +and a certificate issuer using the `--certificate-identity` and +`--certificate-oidc-issuer` flags: + +```shell +$ podman run registry.opensuse.org/opensuse/cosign:2.4 \ + verify $IMAGE \ + --certificate-identity=$IDENTITY \ + --certificate-oidc-issuer=$OIDC_ISSUER +``` + +You can also provide a regex for the certificate identity and issuer flags, +`--certificate-identity-regexp` and `--certificate-oidc-issuer-regexp`. For more information, see +[Keyless verification using OpenID Connect](https://docs.sigstore.dev/cosign/verifying/verify/#keyless-verification-using-openid-connect). + +### Verify a container image against a public key + +The `verify` command returns `0` if *at least one* `cosign`-formatted signature for +the image is found matching the public key. See the detailed usage below for +information and caveats on other signature formats. + +Valid payload is printed to stdout, in JSON format. Note that the +signed payload includes the digest of the container image, which indicated that these "detached" signatures apply to the correct image. + +```shell +$ podman run registry.opensuse.org/opensuse/cosign:2.4 verify --key cosign.pub $IMAGE_URI:1h +The following checks were performed on these signatures: + - The cosign claims were validated + - The signatures were verified against the specified public key +{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8"},"Type":"cosign container image signature"},"Optional":null} +``` + +For more use cases and information, refer to the +[sigstore cosign Quickstart](https://docs.sigstore.dev/quickstart/quickstart-cosign/). + +## Licensing + +`SPDX-License-Identifier: Apache-2.0` + +This documentation and the build recipe are licensed as Apache-2.0. +The container itself contains various software components under various open source licenses listed in the associated +Software Bill of Materials (SBOM). + +This image is based on [openSUSE Tumbleweed](https://get.opensuse.org/tumbleweed/). diff --git a/_service b/_service new file mode 100644 index 0000000..5512d14 --- /dev/null +++ b/_service @@ -0,0 +1,10 @@ + + + + + Dockerfile + %%cosign_version%% + cosign + patch + + \ No newline at end of file diff --git a/cosign-image.changes b/cosign-image.changes new file mode 100644 index 0000000..ce4d76d --- /dev/null +++ b/cosign-image.changes @@ -0,0 +1,24 @@ +------------------------------------------------------------------- +Mon Nov 25 11:56:16 UTC 2024 - SUSE Update Bot + +- Add line breaks into package version check + +------------------------------------------------------------------- +Sun Nov 24 08:03:54 UTC 2024 - SUSE Update Bot + +- Add major version tag + +------------------------------------------------------------------- +Wed Nov 13 13:40:15 UTC 2024 - SUSE Update Bot + +- ship with openSUSE-build-keys + +------------------------------------------------------------------- +Wed Oct 30 15:34:45 UTC 2024 - SUSE Update Bot + +- remove nonsensical org.opencontainers.image.authors - duplication of .vendor + +------------------------------------------------------------------- +Wed Oct 30 12:55:17 UTC 2024 - SUSE Update Bot + +- First version of the cosign BCI