44 changes: 44 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -9,6 +9,7 @@ on:
permissions:
contents: write # Required for creating releases
packages: write # Required for pushing to GHCR
id-token: write # Required for cosign keyless signing

jobs:
build-and-release:
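Review bot: `id-token: write` is added to the top-level `permissions:` block (the hunk header shows it sits under the workflow's `on:` context), so any job in this workflow can mint an OIDC token, not only `build-and-release`. Since only the cosign steps need it, move `id-token: write` into a job-level `permissions:` under `build-and-release` and keep the workflow-level block at the minimum the remaining jobs need; that way a job added later cannot obtain a token that lets it sign under the repository's identity.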
Expand Down Expand Up @@ -55,7 +56,11 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Install cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
Copilot AI Dec 3, 2025
The version comment indicates v3.5.0, but the PR description mentions v3.7.0 (visible in the firewall blocked URLs). Please verify that the commit hash 59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 corresponds to the intended version and update the comment accordingly to avoid confusion.

Suggested change
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
uses: sigstore/cosign-installer@b2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2 # v3.7.0

- name: Build and push Squid image
id: build_squid
uses: docker/build-push-action@v5
with:
context: ./containers/squid
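Review bot: the cosign installer is pinned to a full commit SHA, but `docker/setup-buildx-action@v3` and `docker/build-push-action@v5` in the same hunk are pinned only to mutable major-version tags. In a workflow whose output is a signature, a moved tag on the build action changes what gets built and then signed with this repository's identity, so pin every third-party action to a SHA with the version in a trailing comment, as already done for `sigstore/cosign-installer`, and let Dependabot or Renovate bump them. The open question of whether `59acb6260d9c0ba8f4a2f9d9b48431a222b68e20` corresponds to v3.5.0 or v3.7.0 still needs to be settled against the cosign-installer tags before merge, and the hash in the suggested change above is clearly a placeholder and must not be applied as-is.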
Expand All @@ -66,7 +71,27 @@ jobs:
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Sign Squid image with cosign
run: |
cosign sign --yes \
ghcr.io/${{ github.repository }}/squid@${{ steps.build_squid.outputs.digest }}

- name: Generate SBOM for Squid image
uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0
with:
image: ghcr.io/${{ github.repository }}/squid@${{ steps.build_squid.outputs.digest }}
format: spdx-json
output-file: squid-sbom.spdx.json

- name: Attest SBOM for Squid image
run: |
cosign attest --yes \
--predicate squid-sbom.spdx.json \
--type spdxjson \
ghcr.io/${{ github.repository }}/squid@${{ steps.build_squid.outputs.digest }}

- name: Build and push Agent image
id: build_agent
uses: docker/build-push-action@v5
with:
context: ./containers/agent
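Review bot: the sign and attest steps correctly reference the image by `steps.build_squid.outputs.digest` rather than by tag, but `--yes` also skips the prompt that explains the signing certificate (carrying the workflow identity) is uploaded to the public Rekor transparency log; add a one-line comment above `cosign sign --yes` so that choice is explicit to future maintainers. If the build produces a multi-platform image, the digest here is the index digest and the signature covers only the index; a consumer who verifies a platform-specific manifest digest directly will find no signature unless `--recursive` is passed. Either add `--recursive` or document that verification must use the index reference.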
Expand All @@ -77,6 +102,25 @@ jobs:
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Sign Agent image with cosign
run: |
cosign sign --yes \
ghcr.io/${{ github.repository }}/agent@${{ steps.build_agent.outputs.digest }}

- name: Generate SBOM for Agent image
uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0
with:
image: ghcr.io/${{ github.repository }}/agent@${{ steps.build_agent.outputs.digest }}
format: spdx-json
output-file: agent-sbom.spdx.json

- name: Attest SBOM for Agent image
run: |
cosign attest --yes \
--predicate agent-sbom.spdx.json \
--type spdxjson \
ghcr.io/${{ github.repository }}/agent@${{ steps.build_agent.outputs.digest }}

- name: Install pkg for binary creation
run: npm install -g pkg

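Review bot: this hunk repeats the Squid sign, SBOM and attest steps verbatim with `squid` swapped for `agent` in the step id, image reference and SBOM file name. Two hand-maintained copies of security-critical steps will drift; turn the build/sign/SBOM/attest sequence into a `strategy.matrix` over `[squid, agent]` (or a local composite action) so both images are guaranteed the same treatment and a third image cannot be added later without also being signed and attested.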
41 changes: 41 additions & 0 deletions README.md
Expand Up @@ -31,6 +31,47 @@ sudo awf --help

**Note:** Verify checksums after download by downloading `checksums.txt` from the release page.

### Docker Image Verification

All published Docker images are signed with [cosign](https://github.com/sigstore/cosign) using keyless signing. You can verify the signatures to ensure image authenticity and integrity:

```bash
# Install cosign (recommended: use package manager)
# See https://docs.sigstore.dev/cosign/installation/ for all installation options

# Homebrew (macOS/Linux)
# brew install cosign
Collaborator
remove all of those from README. README should be concise and all of these instructions should go to docs. @copilot

Contributor Author
Moved to docs/image-verification.md with a concise reference in README. (751f365)


# Debian/Ubuntu (via official package repository)
# sudo apt update && sudo apt install -y cosign

# Quick install for testing (verify checksums from GitHub release page for production)
curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o cosign
chmod +x cosign
sudo mv cosign /usr/local/bin/

# Verify Squid image signature
cosign verify \
--certificate-identity-regexp 'https://github.com/githubnext/gh-aw-firewall/.*' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/githubnext/gh-aw-firewall/squid:latest

# Verify Agent image signature
cosign verify \
--certificate-identity-regexp 'https://github.com/githubnext/gh-aw-firewall/.*' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/githubnext/gh-aw-firewall/agent:latest

# Verify SBOM attestation
cosign verify-attestation \
--certificate-identity-regexp 'https://github.com/githubnext/gh-aw-firewall/.*' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--type spdxjson \
ghcr.io/githubnext/gh-aw-firewall/squid:latest
```

The images are signed during the release process using GitHub Actions OIDC tokens, ensuring they come from the official repository.

### Basic Usage

```bash
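Review bot: `--certificate-identity-regexp 'https://github.com/githubnext/gh-aw-firewall/.*'` accepts a signature from any workflow in the repository, including one triggered by a pull request should it ever be granted `id-token: write`. Narrow it to the release workflow and tag refs, e.g. `--certificate-identity-regexp '^https://github.com/githubnext/gh-aw-firewall/\.github/workflows/release\.yml@refs/tags/.*$'`. The examples also verify `:latest`, a mutable tag, so a passing check only proves that whatever `latest` currently resolves to was signed; show verification of the exact version tag or `@sha256:` digest the reader intends to run. Finally, confirm the `# Debian/Ubuntu (via official package repository)` comment: cosign is published as a `.deb` on its own GitHub release page, and I am not aware of it being in the distro archives.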
32 changes: 32 additions & 0 deletions docs/RELEASE_TEMPLATE.md
Expand Up @@ -83,3 +83,35 @@ Published to GitHub Container Registry:
- `ghcr.io/{{REPOSITORY}}/agent:{{VERSION_NUMBER}}`
- `ghcr.io/{{REPOSITORY}}/squid:latest`
- `ghcr.io/{{REPOSITORY}}/agent:latest`

### Image Verification

All container images are signed with [cosign](https://github.com/sigstore/cosign) for authenticity and integrity verification:

```bash
# Install cosign (recommended: use package manager)
# See https://docs.sigstore.dev/cosign/installation/

# Homebrew: brew install cosign
# Debian/Ubuntu: sudo apt install cosign
# For other options, see the official documentation

# Direct download (⚠️ Verify checksums from GitHub release page for production use)
curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o cosign
chmod +x cosign && sudo mv cosign /usr/local/bin/

Collaborator
Unbloat this @copilot

Contributor Author
Simplified to show just one example with a link to full docs. (751f365)

# Verify image signature (example for squid image)
cosign verify \
--certificate-identity-regexp 'https://github.com/{{REPOSITORY}}/.*' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/{{REPOSITORY}}/squid:{{VERSION_NUMBER}}

# Verify SBOM attestation
cosign verify-attestation \
--certificate-identity-regexp 'https://github.com/{{REPOSITORY}}/.*' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--type spdxjson \
ghcr.io/{{REPOSITORY}}/squid:{{VERSION_NUMBER}}
```

Images are signed using keyless signing with GitHub Actions OIDC tokens, ensuring they come from the official repository.
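Review bot: the direct-download block says `Verify checksums from GitHub release page` in its comment, but the commands beneath it never do: `curl ... -o cosign`, `chmod +x` and `sudo mv` install an unverified binary into `/usr/local/bin`. Either show the check inline (download the checksums file published with the same cosign release and run `sha256sum -c` against it before `chmod +x`) or, given the collaborator's request to unbloat this section, drop the direct-download path and keep only the package-manager line plus the link to the official docs. The identity regexp `https://github.com/{{REPOSITORY}}/.*` has the same breadth as the README version and should likewise be narrowed to the release workflow path and tag refs.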