Refactor image signing to sign per-arch images immediately after push#194
Open
fabiocicerchia wants to merge 1 commit into main from
Restructure the cosign signing flow so each per-arch image is signed with cosign and gets a CycloneDX SBOM attestation in the same CI job that pushed it, right after `docker push`. The multi-arch index (manifest list) continues to be signed in the Docker Bundle job after `docker manifest push`. This matches the standard Sigstore workflow (push → sign by digest) more literally and closes the window between publication and signature.

- bin/sign-and-sbom.sh -> bin/sign-image.sh: renamed and repurposed as the "sign one image right after its push" path (sign by digest + attach SBOM + verify).
- bin/sign-manifest.sh: simplified to handle only the manifest list index; per-arch signing and per-arch SBOM attachment are removed because they now happen in the per-arch jobs. Per-platform SBOMs are still attached to the index digest so tag-based consumers can retrieve SBOMs through the index tag.
- Makefile: add `sign-image` target (previously referenced in docs/DEV.md but not implemented).
- .circleci/config.yml: extract cosign/syft install into reusable `install_cosign` / `install_syft` commands; invoke them plus `make sign-image` after the "Push images" step in Docker AMD / Docker ARM; update the Docker Bundle step name to reflect its narrower scope.
- SUPPLY_CHAIN_SECURITY.md: document when per-arch vs index signing happens in the pipeline.
Summary

Refactors the image signing workflow to follow the standard Sigstore pattern of "push → sign by digest". Per-architecture images are now signed immediately after their individual `docker push` operations in the per-arch CI jobs, rather than waiting for the manifest bundle job. This eliminates any window where unsigned images are available on the registry.

Key Changes

- Extract signing commands into reusable CircleCI commands: Created `install_cosign` and `install_syft` commands to eliminate duplication between the Docker AMD/ARM jobs and the Docker Bundle job.
- Sign per-arch images at push time: Added signing logic directly into the `docker` command in CircleCI config that runs immediately after `docker push` for each architecture. This ensures per-arch images are signed as soon as they're pushed to the registry.
- Refactor manifest signing script: Updated `bin/sign-manifest.sh` to focus exclusively on signing the multi-arch index (manifest list) and attaching per-platform SBOMs to the index digest. Removed per-arch image signing logic since that now happens earlier in the pipeline.
- Create dedicated per-arch signing script: Renamed and refactored the signing logic into `bin/sign-image.sh` as a focused script for signing individual Docker images with SBOM attestation. Added to Makefile as `sign-image` target.
- Update documentation: Enhanced `SUPPLY_CHAIN_SECURITY.md` with a new "When signing happens" section explaining the two-stage signing process and timing guarantees.

Implementation Details

- `type=per-arch` to distinguish them from the index signature
- `retry_on_rate_limit` helper for rate limit resilience

https://claude.ai/code/session_011RCjexzzqH6SL8uStCocDP
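The "sign one image right after its push" path described in the PR description (sign by digest, attach SBOM, verify) and the `type=per-arch` annotation mentioned under Implementation Details, written out as an added example. This is not the project's `bin/sign-image.sh`; it is a stand-alone sketch of the same flow. It assumes cosign v2 keyless signing with the CI provider's OIDC token, that `cosign` and `syft` are on PATH, and two caller-supplied environment variables, `CERT_IDENTITY_REGEXP` and `OIDC_ISSUER`, that pin the expected signer identity at verify time; all of those are assumptions, not details taken from the PR. The push-output sample in the comments is constructed.

```shell
#!/usr/bin/env sh
# Added example, not the project's bin/sign-image.sh: sign one per-arch image
# by digest right after `docker push`, attach a CycloneDX SBOM as a cosign
# attestation, then verify both so the CI job fails if anything is missing.
# Assumptions (not from the PR): cosign v2 keyless signing with the CI
# provider's OIDC token, and two caller-supplied environment variables,
# CERT_IDENTITY_REGEXP and OIDC_ISSUER, used to pin the expected signer.
set -eu

# Pull the manifest digest out of captured `docker push` output. Its last
# line has the form (constructed sample):
#   1.2.3-amd64: digest: sha256:<64 hex> size: 1786
push_digest() {
  printf '%s\n' "$1" \
    | sed -n 's/.*digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' \
    | tail -n 1
}

# Build the immutable reference cosign signs: <repository>@<digest>.
# Rejects malformed digests and strips any tag, so a mutable tag is never
# what gets signed. A trailing ":tag" is dropped only when the text after
# the last colon has no "/", so a registry port (localhost:5000/app) stays.
digest_ref() {
  image="$1"; digest="$2"
  printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
  repo="${image%%@*}"
  tail_part="${repo##*:}"
  if [ "$tail_part" != "$repo" ]; then
    case "$tail_part" in
      */*) ;;                    # colon belongs to host:port, keep it
      *) repo="${repo%:*}" ;;    # colon introduced a tag, drop it
    esac
  fi
  printf '%s@%s\n' "$repo" "$digest"
}

# Sign by digest and attach the SBOM attestation. The annotation marks this
# as a per-arch signature (the PR's `type=per-arch`), distinct from the
# index signature the bundle job adds after `docker manifest push`.
sign_and_attest() {
  ref="$1"; platform="$2"
  sbom="$(mktemp)"
  cosign sign --yes -a type=per-arch -a platform="$platform" "$ref"
  syft "$ref" -o cyclonedx-json > "$sbom"
  cosign attest --yes --type cyclonedx --predicate "$sbom" "$ref"
  rm -f "$sbom"
}

# Verify what was just published against the expected CI identity. A failure
# here fails the job, so an image that reached the registry unsigned is never
# treated as released.
verify_signed() {
  ref="$1"
  cosign verify \
    --certificate-identity-regexp "$CERT_IDENTITY_REGEXP" \
    --certificate-oidc-issuer "$OIDC_ISSUER" "$ref" > /dev/null
  cosign verify-attestation --type cyclonedx \
    --certificate-identity-regexp "$CERT_IDENTITY_REGEXP" \
    --certificate-oidc-issuer "$OIDC_ISSUER" "$ref" > /dev/null
}

# Usage: SIGN_IMAGE_RUN=1 sign-image.sh IMAGE[:TAG] PLATFORM < push.log
main() {
  image="$1"; platform="$2"
  digest="$(push_digest "$(cat)")"
  [ -n "$digest" ] || { echo "no sha256 digest in docker push output" >&2; exit 1; }
  ref="$(digest_ref "$image" "$digest")" || { echo "bad digest: $digest" >&2; exit 1; }
  sign_and_attest "$ref" "$platform"
  verify_signed "$ref"
  echo "signed, attested and verified $ref"
}

# Guarded so the helpers can be sourced (for instance by a test) without
# contacting a registry.
if [ "${SIGN_IMAGE_RUN:-0}" = 1 ]; then
  main "$@"
fi
```

In a per-arch CI step this would run as `docker push "$IMAGE" | tee push.log` followed by `SIGN_IMAGE_RUN=1 ./sign-image.sh "$IMAGE" linux/amd64 < push.log`; the digest can equally be read from `docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE"` after the push. The point of the trailing `verify_signed` is that signing is only as immediate as the step that performs it: if `cosign sign` or `cosign attest` fails, the job fails and nothing downstream (the bundle job, tag promotion) proceeds on an unsigned digest.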