Add artifact signature information to the generated index #312
7b0509f to 69a15ac
build/registry/go.mod
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.34 | ||
github.com/aws/aws-sdk-go-v2/service/s3 v1.27.11 | ||
github.com/blang/semver v3.5.1+incompatible | ||
github.com/falcosecurity/falcoctl v0.3.0-rc6 | ||
github.com/falcosecurity/falcoctl v0.5.2-0.20230707100440-5e6ce83dedba |
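Review bot: the falcoctl requirement on the last line is a pseudo-version (v0.5.2-0.20230707100440-5e6ce83dedba), which resolves to a single commit rather than a tagged release. Pin a tagged falcoctl version before merging so the dependency can be audited against a published release and reproduced from it.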
Proposal: would we want to publish a pre-release?
We have 0.6.1 released now :)
716c61e to 8c543c3
"github.com/falcosecurity/plugins/build/registry/pkg/registry" | ||
) | ||
|
||
func TestPluginToIndexEntrySignature(t *testing.T) { |
These unit tests assert the minimum expectations from this feature.
registryName = "ghcr.io" | ||
) | ||
|
||
var _ = Describe("Update index", func() { |
These black box unit tests provide the minimum expected behaviour with specifications of the index update from the registry manifest. It should then be extended.
Hey @maxgio92 I lost track of this. What's the status? Is this ready to be merged? 🤔 cc @jasondellaluce @LucaGuerra PS I see some tests failing.
Hi @leogr, sorry for the delay. The PR is ready to be reviewed.
3cb64a4 to bb81fd8
Signed-off-by: maxgio92 <[email protected]>
Signed-off-by: Massimiliano Giovagnoli <[email protected]>
…odel Signed-off-by: Massimiliano Giovagnoli <[email protected]>
Signed-off-by: Massimiliano Giovagnoli <[email protected]>
Signed-off-by: Massimiliano Giovagnoli <[email protected]>
Signed-off-by: Massimiliano Giovagnoli <[email protected]>
Hey @LucaGuerra, I've just rebased and upgraded falcoctl to v0.6.1
Thank you Max! I have performed a complete test of this patch by:
and it worked 🎉 I think we can merge this 🚀
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: leogr, maxgio92
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area registry
/area build
What this PR does / why we need it:
This PR is needed to provide required information for consumers in order to verify OCI signatures of plugins officially distributed as OCI artifacts.
The registry.yaml index is consumed by the current CI to generate the general Falco artifacts index https://github.com/falcosecurity/falcoctl/blob/gh-pages/index.yaml, which can be further consumed by falcoctl to verify artifact (i.e. plugin) signatures.
Which issue(s) this PR fixes:
Fixes #306
Special notes for your reviewer:
Only one signing implementation is currently supported, which is based on cosign. When signatures are generated by cosign in keyless mode, it can provide the OIDC issuer and certificate identity (see falcosecurity/falcoctl#305).
Furthermore, this PR adds black box and white box unit tests.
The same feature should be applied to the registry tool of the rules.
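
The PR description above says the index carries the OIDC issuer and certificate identity for cosign keyless signatures. The Go code below is an added example, not code from this PR or from falcoctl: it shows how a consumer could compare those two values, read from an already verified signing certificate, against an index entry. The types `CosignSignature` and `IndexEntry`, the function `CheckSigner` and the sample values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// CosignSignature: hypothetical model of the keyless data an index entry carries.
type CosignSignature struct {
	OIDCIssuer     string // issuer that authenticated the signer
	IdentityRegexp string // pattern the certificate identity must match
}

// IndexEntry: hypothetical, reduced entry; Signature is nil for unsigned artifacts.
type IndexEntry struct {
	Name      string
	Signature *CosignSignature
}

// CheckSigner compares the issuer and identity read from an already verified
// signing certificate with what the index entry declares for the artifact.
func CheckSigner(e IndexEntry, issuer, identity string) error {
	s := e.Signature
	if s == nil {
		return errors.New("entry has no signature information")
	}
	if s.OIDCIssuer == "" || s.IdentityRegexp == "" {
		return errors.New("keyless data incomplete: issuer and identity are both required")
	}
	if issuer != s.OIDCIssuer {
		return fmt.Errorf("issuer %q is not the one declared in the index", issuer)
	}
	// Anchor at the start so the pattern cannot match in the middle of an
	// unrelated identity (a choice of this example).
	re, err := regexp.Compile("^(?:" + s.IdentityRegexp + ")")
	if err != nil {
		return fmt.Errorf("invalid identity pattern: %w", err)
	}
	if !re.MatchString(identity) {
		return fmt.Errorf("identity %q is not allowed by the index", identity)
	}
	return nil
}

func main() {
	// Constructed sample entry and certificate values.
	e := IndexEntry{"example-plugin", &CosignSignature{
		"https://token.actions.githubusercontent.com", `https://github\.com/example-org/plugins/`}}
	fmt.Println(CheckSigner(e, e.Signature.OIDCIssuer, "https://github.com/example-org/plugins/.github/workflows/release.yaml@refs/heads/main"))
}
```

An entry with only one of the two values is rejected rather than treated as a looser policy, because an issuer without an identity constraint would accept any signer that issuer can authenticate.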