ci: image Signing (#22) - DOC-966

* ci: added image signing

* docs: added image signing

.github/workflows/release.yaml

@@ -123,10 +123,27 @@ jobs:
 
     - name: Build and Push Docker Image
       uses: docker/[email protected]
+      id: build-and-push
       with:
         context: .
         platforms: linux/amd64,linux/arm64
         push: true
         tags: ghcr.io/${{ github.repository }}:${{ needs.tag.outputs.VERSION }}
         build-args: |
-          VERSION=${{ needs.tag.outputs.VERSION }}
+          VERSION=${{ needs.tag.outputs.VERSION }}
+
+    - uses: sigstore/[email protected]
+
+    - name: Image Signing
+      run: |
+        cosign sign --yes \
+        -a "repo=${{ github.repository }}" \
+        -a "workflow=${{ github.workflow }}" \
+        -a "ref=${{ github.sha }}" \
+        -a "owner=Spectro Cloud" \
+        --key env://COSIGN_PRIVATE_KEY --recursive "${TAGS}@${DIGEST}"
+      env:
+        TAGS: ghcr.io/${{ github.repository }}:${{ needs.tag.outputs.VERSION }}
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        DIGEST: ${{ steps.build-and-push.outputs.digest }}

README.md

@@ -88,6 +88,7 @@ To learn more about SpectroMate, review the [internal](./docs/internal.md) techn
 | Verify Slack signature| ✅ | Verification of Slack signature is applied to all Slack endpoints.|
 | Metrics | ❌ | Currently unavailable. |
 | Proxy   |✅ | SpectroMate will honor the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` environment variables.|
+| Image Verification | ✅ | We sign our images through [Cosign](https://docs.sigstore.dev/signing/quickstart/). Review the [Image Verification](./docs/image-verification.md) page to learn more. |
 
 
 :warning: There is a limitation with `pask` messages when submitting feedback. The answer response message is replaced with a feedback acknowledgment message. This behavior stems from the Slack API not including the original message when handling action events from an ephemeral message.

docs/image-verification.md

@@ -0,0 +1,90 @@
+# Image Verification
+
+The Spectromate container image is signed using [Sigstore's](https://sigstore.dev/) Cosign. The container image is signed using a cryptographic key pair that is private and stored internally. The public key is available in the official Spectro Cloud documentation repository at [**static/cosign.pub**](https://raw.githubusercontent.com/spectrocloud/librarium/master/static/cosign.pub). Use the public key to verify the authenticity of the container image. You can learn more about the container image signing process by reviewing the [Signing Containers](https://docs.sigstore.dev/signing/signing_with_containers) documentation page.
+
+
+:::info
+
+Cosign generates a key pair that uses the ECDSA-P256 algorithm for the signature and SHA256 for hashes. The keys are stored in PEM-encoded PKCS8 format.
+
+:::
+
+
+Use the following command to verify the authenticity of the container image. Replace the image tag with the version you want to verify.
+
+```shell
+cosign verify --key https://raw.githubusercontent.com/spectrocloud/librarium/master/static/cosign.pub \
+ghcr.io/spectrocloud/spectromate:v1.0.7
+```
+
+If the container image is valid, the following output is displayed. The example output is formatted using `jq` to improve readability.
+
+```shell hideClipboard
+Verification for ghcr.io/spectrocloud/librarium:nightly --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+[
+  {
+    "critical": {
+      "identity": {
+        "docker-reference": "ghcr.io/spectrocloud/spectromate"
+      },
+      "image": {
+        "docker-manifest-digest": "sha256:285a95a8594883b3748138460182142f5a1b74f80761e2fecb1b86d3c9b9d191"
+      },
+      "type": "cosign container image signature"
+    },
+    "optional": {
+      "Bundle": {
+        "SignedEntryTimestamp": "MEYCIQCZ6FZzNB5wA9+W/lF57jx0qTaszZhg5FxJiBmgIFxPVwIhANnoQQ5gqjr1h93LCq1Td8BohqrxxIvfrXTnT1tYR4i7",
+        "Payload": {
+          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI0MzU0MzFjNjY1Y2Y2ZGZjYzM0NzI2YWRkNjAzMDVjYjZlMzhlNjVkZmJlMWQ0NWU2ZGVkM2IzNzg3NTYwY2MxIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUM0TFFxYVFDclhOc0VzdkI0ZE84bmtZSWg0L3o5UzdScGVEdUZnUDJwbDJ3SWdOdEJsNElDaHBmT3RnVDBlNW5QTmRMYWt4RTJHcnFFK0tjV1JXSGZPTnpnPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGV1VoeVl6SlhTVVV6WVhCTFRHMWplR3hHUmtoNVZsRkRVVnBYYUFveUsyRnNOVmN2Vmsxc1VISXpkVFJGV2k5V0wwZFBRbTAySzFrNVowWXpWWE16ZEhkMVpWaFpaMlJaWlVadk5XODNRbFZ1TnpCTlVGQjNQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=",
+          "integratedTime": 1702758491,
+          "logIndex": 57230483,
+          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
+        }
+      },
+      "owner": "Spectro Cloud",
+      "ref": "e597f70be238369ce4f0e5778492a155e23fec17",
+      "repo": "spectrocloud/spectromate",
+      "workflow": "Release"
+    }
+  }
+]
+```
+
+
+:::danger
+
+Do not use the container image if the authenticity cannot be verified. Verify you downloaded the correct public key and that the container image is from `ghcr.io/spectrocloud/spectromate`.
+
+:::
+
+If the container image is not valid, an error is displayed. The following example shows an error when the container image is not valid.
+
+```shell hideClipboard
+cosign verify --key https://raw.githubusercontent.com/spectrocloud/librarium/master/static/cosign.pub \
+ghcr.io/spectrocloud/spectromate:v1.0.66
+```
+
+```shell hideClipboard
+Error: no matching signatures: error verifying bundle: comparing public key PEMs, expected -----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEheVfGYrVn2mIUQ4cxMJ6x09oXf82
+zFEMG++p4q8Mf+y2gp7Ae4oUaXk6Q9V7aVjjltRVN6SQcoSASxf2H2EpgA==
+-----END PUBLIC KEY-----
+, got -----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYHrc2WIE3apKLmcxlFFHyVQCQZWh
+2+al5W/VMlPr3u4EZ/V/GOBm6+Y9gF3Us3twueXYgdYeFo5o7BUn70MPPw==
+-----END PUBLIC KEY-----
+
+main.go:69: error during command execution: no matching signatures: error verifying bundle: comparing public key PEMs, expected -----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEheVfGYrVn2mIUQ4cxMJ6x09oXf82
+zFEMG++p4q8Mf+y2gp7Ae4oUaXk6Q9V7aVjjltRVN6SQcoSASxf2H2EpgA==
+-----END PUBLIC KEY-----
+, got -----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYHrc2WIE3apKLmcxlFFHyVQCQZWh
+2+al5W/VMlPr3u4EZ/V/GOBm6+Y9gF3Us3twueXYgdYeFo5o7BUn70MPPw==
+-----END PUBLIC KEY-----
+```