Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: add proposal for producing supply chain metadata for all ratify assets #1641

Merged

Conversation

akashsinghal
Copy link
Collaborator

Description

What this PR does / why we need it:

This pull request introduces significant changes to the docs/proposals/Release-Supply-Chain-Metadata.md file, outlining a comprehensive plan for improving the integrity and verifiability of Ratify's release assets. Key changes include proposals for signing all container images and binaries, generating Software Bill of Materials (SBOMs) for all assets, and publishing provenance information for each binary. The changes are organized into two stages of implementation and a future "to be determined" stage.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

  • Test A
  • Test B

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

Copy link

codecov bot commented Jul 18, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

see 1 file with indirect coverage changes


### Referrer Artifacts (TBD)

As a future improvement, Ratify can look into attaching the SLSA build provenance metadata as a referrer artifact attached to the image. This might be in the form of a standalone artifact or packaged in an in-toto attestation.
Copy link
Collaborator

@FeynmanZhou FeynmanZhou Jul 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is generating the SLSA build provenance attestation metadata as a referrer an external dependency on docker buildx?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think so. The slsa generator action just needs the binary hashes to associate provenance with. The rest is handled by the workflow. https://github.com/slsa-framework/slsa-github-generator?tab=readme-ov-file#what-is-slsa-github-generator

Copy link
Collaborator

@FeynmanZhou FeynmanZhou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @akashsinghal . PTAL at my comments above

@akashsinghal akashsinghal force-pushed the akashsinghal/signingassets branch from 1be0b22 to a763799 Compare July 23, 2024 17:40
susanshi
susanshi previously approved these changes Jul 30, 2024
Copy link
Collaborator

@susanshi susanshi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Akash, LGTM.

One minor details for the Q&A. "Do we need to publish the same artifacts as referrers as well or is it sufficient to use docker buildx attestations? Ratify will consider this in the future as need arises."

Could you remind us the reason to implement buildx attestations over referrers. thanks!

@akashsinghal
Copy link
Collaborator Author

Thanks Akash, LGTM.

One minor details for the Q&A. "Do we need to publish the same artifacts as referrers as well or is it sufficient to use docker buildx attestations? Ratify will consider this in the future as need arises."

Could you remind us the reason to implement buildx attestations over referrers. thanks!

Buildx attestations are used in other OSS projects while referrers for the same content is not adopted in other larger projects. That's the only reason why to start with buildx attestations over referrers.

FeynmanZhou
FeynmanZhou previously approved these changes Jul 30, 2024
Copy link
Collaborator

@FeynmanZhou FeynmanZhou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

binbin-li
binbin-li previously approved these changes Jul 31, 2024
junczhu
junczhu previously approved these changes Jul 31, 2024
Copy link
Collaborator

@junczhu junczhu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@akashsinghal akashsinghal enabled auto-merge (squash) July 31, 2024 17:35
Copy link
Collaborator

@susanshi susanshi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. thanks!

@akashsinghal akashsinghal merged commit bd97bc2 into ratify-project:dev Jul 31, 2024
16 checks passed
akashsinghal added a commit to akashsinghal/ratify that referenced this pull request Sep 13, 2024
binbin-li pushed a commit to binbin-li/ratify that referenced this pull request Sep 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants