Skip to main content

[Community] Podman image build with sigstore

ยท 3 min read

This example shows how to build a container image with podman while verifying the base image and signing the resulting image.

The image being pulled uses a keyless signature, while the image being built will be signed by a pre-generated private key.

Prerequisitesโ€‹

Generate signing keypairโ€‹

You can use cosing or skopeo to generate the keypair.

Using skopeo:

skopeo generate-sigstore-key --output-prefix myKey

This command will generate a myKey.private and a myKey.pub keyfile.

Store the myKey.private as secret in Woodpecker. In the example below, the secret is called sigstore_private_key

Configure hosts pulling the resulting imageโ€‹

See here on how to configure the hosts pulling the built and signed image.

Repository structureโ€‹

Consider the Makefile having a build target that will be used in the following workflow. This target yields a Go binary with the filename app that will be placed in the root directory.

.
โ”œโ”€โ”€ Containerfile
โ”œโ”€โ”€ main.go
โ”œโ”€โ”€ go.mod
โ”œโ”€โ”€ go.sum
โ”œโ”€โ”€ .woodpecker.yml
โ””โ”€โ”€ Makefile

Containerfileโ€‹

The Containerfile refers to the base image that will be verified when pulled.

FROM gcr.io/distroless/static-debian12:nonroot
COPY app /app
CMD ["/app"]

Woodpecker workflowโ€‹

steps:
build:
image: docker.io/library/golang:1.21
pull: true
commands:
- make build

publish:
image: quay.io/podman/stable:latest
# Caution: This image is built daily. It might fill up your image store quickly.
pull: true
# Fill in the trusted checkbox in Woodpecker's settings as well
privileged: true
commands:
# Configure podman to use sigstore attachments for both, the registry you pull from and the registry you push to.
- |
printf "docker:
registry.gitlab.com:
use-sigstore-attachments: true
gcr.io:
use-sigstore-attachments: true" >> /etc/containers/registries.d/default.yaml

# At pull, check the keyless sigstore signature of the distroless image.
# This is a very strict container policy. It allows pulling from gcr.io/distroless only. Every other registry will be rejected.
# See https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md for more information.

# fulcio CA crt obtained from https://github.com/sigstore/sigstore/blob/main/pkg/tuf/repository/targets/fulcio_v1.crt.pem
# rekor public key obtained from https://github.com/sigstore/sigstore/blob/main/pkg/tuf/repository/targets/rekor.pub
# crt/key data is base64 encoded. --> echo "$CERT" | base64
- |
printf '{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"gcr.io/distroless": [
{
"type": "sigstoreSigned",
"fulcio": {
"caData": "LS0tLS1CRUdJTiBDR...QVRFLS0tLS0K",
"oidcIssuer": "https://accounts.google.com",
"subjectEmail": "keyless@distroless.iam.gserviceaccount.com"
},
"rekorPublicKeyData": "LS0tLS1CRUdJTiBQVUJ...lDIEtFWS0tLS0tCg==",
"signedIdentity": { "type": "matchRepository" }
}
]
},
"docker-daemon": {
"": [
{
"type": "reject"
}
]
}
}
}' > /etc/containers/policy.json

# Use this key to sign the built image at push.
- echo "$SIGSTORE_PRIVATE_KEY" > key.private
# Login at the registry
- echo $REGISTRY_LOGIN_TOKEN | podman login -u <username> --password-stdin registry.gitlab.com
# Build the container image
- podman build --tag registry.gitlab.com/<namespace>/<repository_name>/<image_name>:latest .
# Sign and push the image
- podman push --sign-by-sigstore-private-key ./key.private registry.gitlab.com/<namespace>/<repository_name>/<image_name>:latest

secrets: [sigstore_private_key, registry_login_token]