Are these the correct 'release' containers for log_[signer,server]? #2817
Hey there, in Sigstore we use Trillian and we were wondering if these are the correct locations where the released containers go (there were questions, since they were under trillian-opensource-ci)?
https://console.cloud.google.com/gcr/images/trillian-opensource-ci/GLOBAL/log_server
https://console.cloud.google.com/gcr/images/trillian-opensource-ci/GLOBAL/log_signer
Also, would it be possible to add signatures for them (or, if they already are signed, a pointer to them) so that we can verify they were indeed generated by the trusted releases.
Comments
To sign the image releases using Cloudbuild we will need to define from where the signing key will come, whether it will be from a generated one using cosign or whether we will use a keyless approach, and then for that, we will need to have a service account with the I prefer the second option, but then we will need someone from Google with the Trillian GCP project access to create it. I can work on the Cloudbuild update to support that.
@AlCutter could you take a look at this?
Hi all, these images weren't really intended to be "release" images, they were more just for use in our CI environment which happened to also provide an easy way for folks to bring up a local instance for playing around with. I guess doing "proper" signed release images is something we could look into, but we'd have to schedule that into our planning cycle.
@AlCutter let me know where I can help! Will be glad to.
@mhutchinson A related issue to what we chatted about. It would be helpful to log deployers if they could use a canonical image rather than maintain their own. Another alternative to Cloud Build would be using Goreleaser in a GitHub Actions workflow to cut and release containers. We've done this for some of the Sigstore projects, which will build both binaries and containers. Also it would be straightforward to sign the container with Cosign or generate provenance too.