►
From YouTube: Keyless container image signing with GitLab
Description
Demo of the new keyless signing integration with GitLab, available now on GitLab.com.
- Release post: https://about.gitlab.com/releases/2023/07/22/gitlab-16-2-released/#support-for-keyless-signing-with-cosign
- Code used in this video: https://gitlab.com/bwill/container-signing/-/tree/aeb9ba494f2b5fb761c91ca53a221295eaf79ef3
- Cosign project: https://github.com/sigstore/cosign
- Sigstore policy controller: https://github.com/sigstore/policy-controller
A
Hi,
my
name
is
Brian
Williams
and
I'm.
A
senior
veteran
engineer
at
Gate
lab
today,
I'd
like
to
show
you
a
quick
demonstration
of
the
new
keyless
signing
with
cosine
integration,
that's
available
on
github.com.
A
What
this
is
is
a
tool
that
allows
you
to
sign
your
container
images
with
a
cryptographically,
verifiable
signature,
and
you
can
use
that
to
control
what
images
are
able
to
be
run
in
your
production
environment.
So
I
have
an
example,
project
setup
here,
where
I
have
added
signing
to
the
end
of
the
docker
build
process.
A
So
this
is
a
fairly
typical
Docker
build
where
we
have
a
Docker
file
and
we
would
just
build
the
dark
file
and
push
the
image
to
the
registry
and,
if
we're
on
the
default
Branch,
then
we'll
tag
that
image
as
latest.
What
the
cosine
integration
here
is
doing
is
with
just
a
few
commands.
A
We
can
also
sign
this
image
and
store
the
signature
in
a
container
registry
there's
a
few
things
that
need
to
happen.
In
order
to
do
this,
we
have
the
cosine,
yes,
true
variable.
This
is
just
to
accept,
like
an
end
user
agreement
with
with
sixture,
to
use
their
infrastructure
that
they
host
for
public
public
usage.
A
It
exposes
an
authentication
token
and
see
our
job
variables,
which
allows
cosine
to
authenticate
to
fossio,
which
is
a
service
that
issues
temporary
cryptographic
keys,
and
so
this
lets
us
do
both
signing
and
verification
without
having
to
manage
our
own
cryptographic.
Keys,
it's
done
using
temporary
ephemeral
keys
and
it
and
the
signatures
can
be
verified
using
a
similar
process.
A
The
checks
to
ensure
that
the
key
used
to
sign
the
image
was
valid
at
the
time
that
the
image
was
signed.
It
does
that
using
time,
stamping
and
transparency
log
and
a
few
other
things.
A
A
A
This
is
the
agreement
that
I
was
talking
about
earlier.
We've
automatically
accepted
that
and
it
publishes
an
entry
to
a
transparency
log
and
then
the
signature
is
also
hosted
in
the
registry.
Alongside
the
image
it's
stored,
there.
A
Then,
for
the
sake
of
example,
we
have
a
verification
job
which
verifies
the
image.
This
requires
no
credentials
at
all.
It
does
not
require
any
keys.
It
just
does
this
using
the
public
key
infrastructure
hosted
by
sixword,
and
this
image
is
valid,
but
you
typically
would
not
want
to
do
your
verification
in
the
pipeline.
What
you
would
want
to
do
is
have
your
kubernetes
cluster
verify
that
the
image
is
signed
and
you
can
do
that
using
the
Sig
store
admission
controller.
A
Oh
I'm,
sorry,
it's
called
positive
control
and
that
this
project
here
I,
should
have
had
this
open
already,
but
you
can
use
the
policy
controller
in
order
to
have
admission
rules
under
kubernetes
cluster
that
they
you're
not
allowed
to
run
images
that
aren't
signed,
and
you
can
do
this
to
make
sure
that
the
image
has
gone
through
code
reviews
and
approval
and
so
on.
A
If
you
verify
that
the
image
was
built
by
a
pipeline,
that's
on
a
protected
Branch
such
as
main
or
maybe
one
of
your
release,
branches
or
your
development
branch,
and
you
can
use
protective
Branch
rules
to
ensure
that
people
cannot
merge
any
changes
to
those
branches.
Without
approvals-
and
this
lets
you
add
an
extra
layer
of
control
to
ensure
that
people
cannot
run
arbitrary
images
in
the
kubernetes
cluster.
It
has
to
have
gone
through
code
view
as
I've
gone
through
approval.
It
has
to
have
been
built
by
the
CR
pipeline.
A
A
So
what
this
means
is
that
any
images
that
were
built
outside
the
main
branch
like
on
a
merger
Quest
on
the
development
Branch
in
any
of
those
pipelines,
they're
not
going
to
be
able
to
be
alert,
they're
not
going
to
be
allowed
to
run
in
production.
So
upside
is
positive.
A
A
But
the
image
wasn't
ready,
didn't
have
any
code
review,
it
didn't
have
any
approval
from
other
people,
so
this
image
might
not
be
good
and
I
have
I.
Have
you
know
a
deployment
that
uses
this
image
and
I'm
gonna?
Try
creating
this
deployment
with
the
one
from
the
development
branch.
A
A
And
now
it
works
I'm
allowed
to
create
my
deployment,
so
this
is
a
way
that
you
can
have
cryptographically
verified,
Patrol,
Firefly,
remote
controls
under
kubernetes
cluster
that
Ensure,
that
on
the
images
that
went
through
your
code
review
process
and
your
build
processes
are
allowed
to
run
in
your
kubernetes
cluster.
Thank
you.