Comments (2)
JamieMagee
commented on June 12, 2024
It worked for the branch images. Here's the logs for the Bundler image from #9571
Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...
The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at [https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.](https://lfprojects.org/policies/hosted-project-tools-terms-of-use/)
Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
This may include the email address associated with the account with which you authenticate your contractual Agreement.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at [https://lfprojects.org/policies/hosted-project-tools-immutable-records/.](https://lfprojects.org/policies/hosted-project-tools-immutable-records/)
By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
tlog entry created with index: 88201941
Pushing signature to: ghcr.io/dependabot/dependabot-updater-bundler
I can view that record on Rekor: https://search.sigstore.dev/?logIndex=88201941
And I can also verify the claims and certificates using cosign
$ cosign verify \
ghcr.io/dependabot/dependabot-updater-bundler@sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/dependabot/dependabot-core/.github/workflows/images-branch.yml@refs/pull/9571/merge
Verification for ghcr.io/dependabot/dependabot-updater-bundler@sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
...
The rest of the output is quite large, so I've put it below:
Expand for details
[
{
"critical": {
"identity": {
"docker-reference": "ghcr.io/dependabot/dependabot-updater-bundler"
},
"image": {
"docker-manifest-digest": "sha256:32137fcccb1700db2225587464ad9ece4c3e0dc0cb0f50540df830eb49956513"
},
"type": "cosign container image signature"
},
"optional": {
"1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
"1.3.6.1.4.1.57264.1.2": "pull_request",
"1.3.6.1.4.1.57264.1.3": "04e44db333752305ff158277a737f260da674f14",
"1.3.6.1.4.1.57264.1.4": "Branch images",
"1.3.6.1.4.1.57264.1.5": "dependabot/dependabot-core",
"1.3.6.1.4.1.57264.1.6": "refs/pull/9571/merge",
"Bundle": {
"SignedEntryTimestamp": "MEQCIEDfF7Cwl1jvWw+Hvg1RAWKFt5OhEHQsYqYCfRgnFDx1AiAJQJ2nvBvHtBVf95Ln5hzXTcs2JAFI4LPQ3CfDqTPWbA==",
"Payload": {
"body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIxMzFmYTc1MDBmNzBjNzA5YmEzMjM4OGFkNzBhYTgzYWQwNGJhZDQwN2FmZjI3NmRlZjgxMjMyMGU2YjYwYjg2In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQ3BxK2RaZllnM0NPR2hkVnBMb0o5YUVLNDZXdncyKzl4VmUrd1IvN0x3S0FpQWNVTXFPQ2F0bTI5ZlFjN0liK0c3bHFlaDFCR0hOOWFsRDBkcTFTREFzSmc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVaEhha05EUW5GRFowRjNTVUpCWjBsVlFtOUVVVWQxTUV0bGNrcHBWU3RPYkd0c1lXbHZZbHBoUml0TmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJkMDVFU1RCTlJFa3hUa1JKTlZkb1kwNU5hbEYzVGtSSk1FMUVUWGRPUkVrMVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZIVnpSR1dHUllUSEJ6Y2tocE5WWk5ibTVEWkROa1NUQkNlbWxHU0hkSlNFcEphMGNLTDJGSlZqQmlUSEF2ZUZrMmJIVllTSEo0VVdrMVpWQkxWMU5PWlc1ekswVllka1ZzTkRKbVdXaEZRakowT0ZsdloyRlBRMEppT0hkbloxYzNUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlVyWWxWRUNtSXJlV05NVFdJdlYzUXljRzFaVm14cFdIcHRieXRKZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDJSQldVUldVakJTUVZGSUwwSkhiM2RoU1ZwdFlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKU2JHTkhWblZhUjBacFlqTlJkZ3BhUjFaM1dsYzFhMWxYU25aa1F6RnFZak5LYkV4NU5XNWhXRkp2WkZkSmRtUXlPWGxoTWxwellqTmtla3d5YkhSWlYyUnNZM2t4YVdOdFJuVlpNbWQxQ21WWE1YTlJTRXBzV201TmRtTklWbk5pUXpnMVRsUmplRXd5TVd4amJXUnNUVVJyUjBOcGMwZEJVVkZDWnpjNGQwRlJSVVZMTW1nd1pFaENlazlwT0hZS1pFYzVjbHBYTkhWWlYwNHdZVmM1ZFdONU5XNWhXRkp2WkZkS01XTXlWbmxaTWpsMVpFZFdkV1JETldwaU1qQjNSMmRaUzB0M1dVSkNRVWRFZG5wQlFncEJaMUZOWTBoV2MySkdPWGxhV0VZeFdsaE9NRTFFV1VkRGFYTkhRVkZSUW1jM09IZEJVVTFGUzBSQk1GcFVVVEJhUjBsNlRYcE5NMDVVU1hwTlJGWnRDbHBxUlRGUFJFa3pUakpGTTAxNlpHMU5hbGwzV2tkRk1rNTZVbTFOVkZGM1IzZFpTMHQzV1VKQ1FVZEVkbnBCUWtKQlVVNVJia3BvWW0xT2IwbEhiSFFLV1Zka2JHTjZRVzlDWjI5eVFtZEZSVUZaVHk5TlFVVkdRa0p3YTFwWVFteGliVkpvV1cwNU1Fd3lVbXhqUjFaMVdrZEdhV0l6VVhSWk1qbDVXbFJCYVFwQ1oyOXlRbWRGUlVGWlR5OU5RVVZIUWtKU2VWcFhXbnBNTTBJeFlrZDNkazlVVlROTlV6bDBXbGhLYmxwVVFUZENaMjl5UW1kRlJVRlpUeTlOUVVWSkNrSkRNRTFMTW1nd1pFaENlazlwT0haa1J6bHlXbGMwZFZsWFRqQmhWemwxWTNrMWJtRllVbTlrVjBveFl6SldlVmt5T1hWa1IxWjFaRU0xYW1JeU1IY0taR2RaUzB0M1dVSkNRVWRFZG5wQlFrTlJVbTlFUjFwdlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyV2tkV2QxcFhOV3RaVjBwMlpFTTVhd3BhV0VKc1ltMVNhRmx0T1RCTVYwNTJZMjFWZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbUZYTVdoYU1sWjZURmRLZVZsWE5XcGhRelUxQ21KWGVFRmpiVlp0WTNrNWQyUlhlSE5NZW1zeFRucEZkbUpYVm5sYU1sVjNUMEZaUzB0M1dVSkNRVWRFZG5wQlFrTm5VWEZFUTJkM1RrZFZNRTVIVW1rS1RYcE5lazU2VlhsTmVrRXhXbTFaZUU1VVozbE9lbVJvVG5wTk0xcHFTVEpOUjFKb1RtcGpNRnBxUlRCTlFqQkhRMmx6UjBGUlVVSm5OemgzUVZGelJRcEVkM2RPV2pKc01HRklWbWxNVjJoMll6TlNiRnBFUVRsQ1oyOXlRbWRGUlVGWlR5OU5RVVZOUWtNNFRVeFhhREJrU0VKNlQyazRkbG95YkRCaFNGWnBDa3h0VG5aaVV6bHJXbGhDYkdKdFVtaFpiVGt3VERKU2JHTkhWblZhUjBacFlqTlJkRmt5T1hsYVZFRTBRbWR2Y2tKblJVVkJXVTh2VFVGRlRrSkRiMDBLUzBSQk1GcFVVVEJhUjBsNlRYcE5NMDVVU1hwTlJGWnRXbXBGTVU5RVNUTk9Na1V6VFhwa2JVMXFXWGRhUjBVeVRucFNiVTFVVVhkS1FWbExTM2RaUWdwQ1FVZEVkbnBCUWtSblVWZEVRbEo1V2xkYWVrd3pRakZpUjNkMlQxUlZNMDFUT1hSYVdFcHVXbFJCV1VKbmIzSkNaMFZGUVZsUEwwMUJSVkJDUVc5TkNrTkVhM3BOVkZsNlRVUmplazFETUVkRGFYTkhRVkZSUW1jM09IZEJVa0ZGU0hkM1pHRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3eVVtd0tZMGRXZFZwSFJtbGlNMUYzUjBGWlMwdDNXVUpDUVVkRWRucEJRa1ZSVVV0RVFXZDVUbnBOTUU1NlVUTk9ha0l5UW1kdmNrSm5SVVZCV1U4dlRVRkZVd3BDUjJkTldtMW9NR1JJUW5wUGFUaDJXakpzTUdGSVZtbE1iVTUyWWxNNWExcFlRbXhpYlZKb1dXMDVNRXd5VW14alIxWjFXa2RHYVdJelVYUlpNamw1Q2xwVE9IVmFNbXd3WVVoV2FVd3paSFpqYlhSdFlrYzVNMk41T1hCaVYwWnVXbGhOZEZsdVNtaGliVTV2VEc1c2RHSkZRbmxhVjFwNlRETkNNV0pIZDNZS1QxUlZNMDFUT1hSYVdFcHVXbFJCTkVKbmIzSkNaMFZGUVZsUEwwMUJSVlJDUTI5TlMwUkJNRnBVVVRCYVIwbDZUWHBOTTA1VVNYcE5SRlp0V21wRk1RcFBSRWt6VGpKRk0wMTZaRzFOYWxsM1drZEZNazU2VW0xTlZGRjNTRUZaUzB0M1dVSkNRVWRFZG5wQlFrWkJVVTlFUVhoM1pGZDRjMWd6U214aldGWnNDbU16VVhkWlFWbExTM2RaUWtKQlIwUjJla0ZDUmxGU1UwUkdRbTlrU0ZKM1kzcHZka3d5WkhCa1IyZ3hXV2sxYW1JeU1IWmFSMVozV2xjMWExbFhTbllLWkVNNWExcFlRbXhpYlZKb1dXMDVNRXhYVG5aamJWVjJXVmRPTUdGWE9YVmplVGw1WkZjMWVreDZaelJOVkVGNlRWUkJlVTU2YTNaWldGSXdXbGN4ZHdwa1NFMTJUVlJCVjBKbmIzSkNaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhVkZaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamRDU0d0QkNtUjNRakZCVGpBNVRVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKcWR6UkhjbUUwUVVGQlVVUUtRVVZaZDFKQlNXZEpUbFZPUVRaM1pFSkllU3Q2UXl0aVREQnhVR0ZNZDA5UmNWWXliVmRKY0c4eVNGZFJUWGxMTVZOclEwbEVkMmgwVTJOTFFXVnBOd3AzT0V3eGNWSTJTbkZGWW1WcU4wTjRhVTVFTUZod1MxZEpZMGREVlZKV1RVMUJiMGREUTNGSFUwMDBPVUpCVFVSQk1tZEJUVWRWUTAxUlJHVkpSekJGQ2tONmNuRjNTWEZvUTNBeWRubHhSSFpQYW1NeVZteHJjWEJwY0VKNVRXYzFPVTVuYlRocU1EWlRZVWRJTDBSdGJTdHFZelZEVmpGMlVtNWpRMDFETVdVS05rUlhUbXB3YjJWcVFVVm5PRkJySzFkc2RETkhPRTQwS3pGc2NYTmhVMk5aWW5sNE5sSjNPRXgyUmpZME16TlpRV2h5U2pSb1RHRTNRV1Z0V1hjOVBRb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENnPT0ifX19fQ==",
"integratedTime": 1713927270,
"logIndex": 88201941,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}
},
"Issuer": "https://token.actions.githubusercontent.com",
"Subject": "https://github.com/dependabot/dependabot-core/.github/workflows/images-branch.yml@refs/pull/9571/merge",
"githubWorkflowName": "Branch images",
"githubWorkflowRef": "refs/pull/9571/merge",
"githubWorkflowRepository": "dependabot/dependabot-core",
"githubWorkflowSha": "04e44db333752305ff158277a737f260da674f14",
"githubWorkflowTrigger": "pull_request"
}
}
]The signature is also published to our container registry. For the same bundler image I mentioned above:
The signature is available at:
This allows us, and others, to verify where Dependabot container images were built.
Now that this is verified working, and backwards compatible, I think this can be merged and signing can be rolled out to the rest of the containers we push as well.
from dependabot-core.
JamieMagee
commented on June 12, 2024
With #9616 merged and deployed all production images will now be signed with cosign going forward.
$ cosign verify \
ghcr.io/dependabot/dependabot-updater-bundler:latest \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/dependabot/dependabot-core/.github/workflows/images-latest.yml@refs/heads/main
...
from dependabot-core.
Related Issues (20)
- Enable YJIT
- Allow custom command execution before install
- Dependabot PR titles suddenly less specific: `across 1 directory` rather than `in /website` HOT 2
- `GET /{package}/{version}` on GitHub Packages returns 405
- Bot attempts to update pre-1.0 minor version number
- Dependabot can't parse your `pnpm-lock.yaml` (new lockfile in `pnpm` `v9.0.0`) HOT 2
- `dependency-type: development` updates even production dependencies in composer ecosystem HOT 1
- skip X number of versions of a package HOT 1
- Github Graphql returns none for author if dependabot PR
- NuGet version update with version number having 4 segments fail
- Updating Terrafrom version for tfenv
- Dependabot tries to update more dependencies than declared HOT 1
- @dependabot ignore X patch version only works in group PR
- Multi-directory support bug with go, terraform, docker HOT 4
- Multi-directory PR creation with Terraform HOT 1
- Ant/Ivy Support
- Unable to rebase with dependency "next"
- Dependabot keeps sending in separate PR's instead of grouping them
- NuGet update with packages.config doesn't consider targets files
- Add update types for Cargo-style (in)compatible version upgrades
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dependabot-core.