6 changes: 1 addition & 5 deletions .github/workflows/prober-staging.yml
Expand Up @@ -25,11 +25,7 @@ jobs:
issues: write
with:
enable_staging: true
rekor_url: "https://rekor.sigstage.dev"
fulcio_url: "https://fulcio.sigstage.dev"
fulcio_grpc_url: "fulcio.sigstage.dev"
tsa_url: "https://timestamp.sigstage.dev"
oidc_url: "https://oauth2.sigstage.dev/auth"
rekor_v1_url: "https://rekor.sigstage.dev"
tuf_repo: "https://tuf-repo-cdn.sigstage.dev"
tuf_preprod_repo: "https://sigstore.github.io/root-signing-staging"
tuf_root_path: ".github/assets/sigstage.root.json"
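Review bot: The staging caller now passes only `rekor_v1_url` and silently relies on the reusable workflow's default for `rekor_v2_url`, which in this same change is `https://log2025-alpha3.rekor.sigstage.dev`; an explicit `rekor_v2_url: "https://log2025-alpha3.rekor.sigstage.dev"` next to the other sigstage pins keeps the staging target visible in this file and keeps the staging prober working if that default is later moved to a production log. The `with:` block continues past the end of the hunk.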
32 changes: 20 additions & 12 deletions .github/workflows/rate-limiting.yml
Expand Up @@ -17,10 +17,11 @@ jobs:
name: Nginx Rate Limiting Test
runs-on: ubuntu-latest
outputs:
rekor_staging: ${{ steps.rekor_staging.outputs.rekor_staging }}
rekor_v1_staging: ${{ steps.rekor_v1_staging.outputs.rekor_v1_staging }}
# rekor_v2_staging: ${{ steps.rekor_v2_staging.outputs.rekor_v2_staging }}
fulcio_staging: ${{ steps.fulcio_staging.outputs.fulcio_staging }}
tsa_staging: ${{ steps.tsa_staging.outputs.tsa_staging }}
rekor_prod: ${{ steps.rekor_prod.outputs.rekor_prod }}
rekor_v1_prod: ${{ steps.rekor_v1_prod.outputs.rekor_v1_prod }}
fulcio_prod: ${{ steps.fulcio_prod.outputs.fulcio_prod }}
summary: ${{ steps.msg.outputs.summary}}
steps:
Expand All @@ -31,12 +32,19 @@ jobs:
docker create --name binaries ghcr.io/sigstore/sigstore-probers /usr/local/bin/rate-limiting
docker cp binaries:/usr/local/bin/rate-limiting /usr/local/bin/

- name: Rate Limit Rekor Staging
id: rekor_staging
- name: Rate Limit Rekor v1 Staging
id: rekor_v1_staging
continue-on-error: true
run: |
echo "rekor_staging=success" >> $GITHUB_OUTPUT
rate-limiting --url https://rekor.sigstage.dev/api/v1/log || echo "rekor_staging=failed" >> $GITHUB_OUTPUT
echo "rekor_v1_staging=success" >> $GITHUB_OUTPUT
rate-limiting --url https://rekor.sigstage.dev/api/v1/log || echo "rekor_v1_staging=failed" >> $GITHUB_OUTPUT
# TODO(#538): Test Rekor v2 rate limiting when load testing is complete
# - name: Rate Limit Rekor v2 Staging
# id: rekor_v2_staging
# continue-on-error: true
# run: |
# echo "rekor_v2_staging=success" >> $GITHUB_OUTPUT
# rate-limiting --url https://log2025-alpha2.rekor.sigstage.dev/healthz || echo "rekor_v2_staging=failed" >> $GITHUB_OUTPUT
- name: Rate Limit Fulcio Staging
id: fulcio_staging
continue-on-error: true
Expand All @@ -49,12 +57,12 @@ jobs:
run: |
echo "tsa_staging=success" >> $GITHUB_OUTPUT
rate-limiting --url https://timestamp.sigstage.dev/api/v1/timestamp/certchain || echo "tsa_staging=failed" >> $GITHUB_OUTPUT
- name: Rate Limit Rekor Prod
id: rekor_prod
- name: Rate Limit Rekor v1 Prod
id: rekor_v1_prod
continue-on-error: true
run: |
echo "rekor_prod=success" >> $GITHUB_OUTPUT
rate-limiting --url https://rekor.sigstore.dev/api/v1/log || echo "rekor_prod=failed" >> $GITHUB_OUTPUT
echo "rekor_v1_prod=success" >> $GITHUB_OUTPUT
rate-limiting --url https://rekor.sigstore.dev/api/v1/log || echo "rekor_v1_prod=failed" >> $GITHUB_OUTPUT
- name: Rate Limit Fulcio Prod
id: fulcio_prod
continue-on-error: true
Expand Down Expand Up @@ -84,8 +92,8 @@ jobs:
{
"Failure URL": "https://github.com/sigstore/public-good-instance/actions/runs/${{ github.run_id }}",
"Commit": "${{ github.sha }}",
"Rekor Staging": "${{ needs.rate-limiting.outputs.rekor_staging }}",
"Rekor Prod": "${{ needs.rate-limiting.outputs.rekor_prod }}",
"Rekor v1 Staging": "${{ needs.rate-limiting.outputs.rekor_v1_staging }}",
"Rekor v1 Prod": "${{ needs.rate-limiting.outputs.rekor_v1_prod }}",
"Fulcio Staging": "${{ needs.rate-limiting.outputs.fulcio_staging }}",
"Fulcio Prod": "${{ needs.rate-limiting.outputs.fulcio_prod }}",
"Timestamp Staging": "${{ needs.rate-limiting.outputs.tsa_staging }}"
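Review bot: The commented-out "Rate Limit Rekor v2 Staging" step probes `https://log2025-alpha2.rekor.sigstage.dev/healthz`, while reusable-prober.yml in the same change defaults `rekor_v2_url` to `log2025-alpha3.rekor.sigstage.dev`, so the block is already stale before it is enabled; point it at the same instance. A `/healthz` path also presumably does not go through the same nginx limit as the v1 `/api/v1/log` probe, so when the step is enabled the URL should be re-checked against whatever path is actually rate limited. Enabling it later also needs the commented `rekor_v2_staging` output and a matching entry in the failure-message JSON further down, so a comment on the commented outputs line such as `# TODO(#538): also add the step below and the "Rekor v2 Staging" field in the summary` would make the three coordinated edits explicit.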
205 changes: 159 additions & 46 deletions .github/workflows/reusable-prober.yml
Expand Up @@ -7,31 +7,16 @@ on:
description: 'Integration key for PagerDuty'
required: true
inputs:
rekor_url:
rekor_v1_url:
required: false
type: string
default: 'https://rekor.sigstore.dev'
description: 'Rekor URL'
fulcio_url:
description: 'Rekor v1 URL'
rekor_v2_url:
required: false
type: string
default: 'https://fulcio.sigstore.dev'
description: 'Fulcio URL'
fulcio_grpc_url:
required: false
type: string
default: 'fulcio.sigstore.dev'
description: 'Fulcio GRPC URL'
tsa_url:
required: false
type: string
default: 'https://timestamp.sigstore.dev'
description: 'Timestamp URL'
oidc_url:
required: false
type: string
default: 'https://oauth2.sigstore.dev/auth'
description: 'OIDC URL'
default: 'https://log2025-alpha3.rekor.sigstage.dev'
description: 'Rekor v2 URL'
enable_staging:
required: false
type: boolean
Expand Down Expand Up @@ -91,7 +76,7 @@ jobs:
max_attempts: 3
retry_wait_seconds: 60
retry_on: error
command: prober --one-time --rekor-url ${{ inputs.rekor_url }} --fulcio-url ${{ inputs.fulcio_url }} --fulcio-grpc-url ${{ inputs.fulcio_grpc_url }} ${{ inputs.tsa_url != '' && format('--tsa-url {0}',inputs.tsa_url) || '' }}
command: prober --one-time ${{ inputs.enable_staging && '--staging' || '' }}

- name: Set messages
id: msg
Expand Down Expand Up @@ -146,7 +131,7 @@ jobs:
echo "root_state=good" >> $GITHUB_OUTPUT
if [ "${{ job.status }}" == 'failure' ]; then echo "root_state=failure" >> $GITHUB_OUTPUT; fi

rekor-fulcio-e2e:
rekor-v1-fulcio-e2e:
timeout-minutes: 10
permissions:
id-token: write
Expand All @@ -158,11 +143,10 @@ jobs:
GITHUB_RUN_ID: ${{ github.run_id }}
GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
IMAGE: localhost:1338/image:${{ github.sha }}-${{ github.run_id }}
REKOR_SERVER: ${{ inputs.rekor_url }}
IDENTITY_REGEX: ${{ github.server_url }}/${{ github.repository }}/.github/workflows/reusable-prober.yml@refs/.*
runs-on: ubuntu-latest
outputs:
rekor_fulcio_e2e: ${{ steps.msg.outputs.rekor_fulcio_e2e }}
rekor_v1_fulcio_e2e: ${{ steps.msg.outputs.rekor_v1_fulcio_e2e }}
skip_pagerduty: ${{ steps.set-skip-pagerduty.outputs.skip_pagerduty }}
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
Expand All @@ -182,14 +166,16 @@ jobs:
run: |
echo "skip_pagerduty=true" >> $GITHUB_OUTPUT

- name: Extract relevant binaries
- name: Extract crane binary
run: |
docker pull ghcr.io/sigstore/sigstore-probers:latest
# the last argument in the next command is not used, it is required because the container doesn't have a default command
docker create --name binaries ghcr.io/sigstore/sigstore-probers /usr/local/bin/crane
docker cp binaries:/usr/local/bin/cosign /usr/local/bin/
docker cp binaries:/usr/local/bin/crane /usr/local/bin/

- name: Install cosign
uses: sigstore/[email protected]

# Setup the registry on port 1338
- run: |
PORT=1338 crane registry serve &
Expand Down Expand Up @@ -235,8 +221,8 @@ jobs:
- name: Sign and verify the image with preprod TUF
if: ${{ inputs.enable_staging == false }}
run: |
cosign sign --yes ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --fulcio-url ${{ inputs.fulcio_url }} --oidc-issuer ${{ inputs.oidc_url }} --oidc-provider github-actions
cosign verify ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX"
cosign sign --yes ${IMAGE} --use-signing-config --rekor-url ${{ inputs.rekor_v1_url }} --oidc-provider github-actions --new-bundle-format
cosign verify ${IMAGE} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX" --new-bundle-format

- name: Remove preprod TUF
run: |
Expand All @@ -257,21 +243,19 @@ jobs:

- name: Sign and verify the image
run: |
cosign sign --yes ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --fulcio-url ${{ inputs.fulcio_url }} --oidc-issuer ${{ inputs.oidc_url }} --oidc-provider github-actions
cosign verify ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX"

cosign sign --yes ${IMAGE} --use-signing-config --rekor-url ${{ inputs.rekor_v1_url }} --oidc-provider github-actions --new-bundle-format
cosign verify ${IMAGE} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX" --new-bundle-format
- name: Generate and upload attestation
run: |
cosign attest --predicate ./prober/attestation.json --type slsaprovenance --rekor-url ${{ inputs.rekor_url }} --fulcio-url ${{ inputs.fulcio_url }} --oidc-issuer ${{ inputs.oidc_url }} ${IMAGE}
cosign verify-attestation --rekor-url ${{ inputs.rekor_url }} --type=slsaprovenance ${IMAGE} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX"

cosign attest --predicate ./prober/attestation.json --type slsaprovenance --use-signing-config ${IMAGE} --new-bundle-format
cosign verify-attestation --type=slsaprovenance ${IMAGE} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX" --new-bundle-format
- name: Read entries from all Rekor shards
run: |
set -e

# get shard information from Rekor
response=$(curl -fs ${{ inputs.rekor_url }}/api/v1/log) || {
echo "Fetching loginfo from ${{ inputs.rekor_url }} failed, exiting..."; exit 1;
response=$(curl -fs ${{ inputs.rekor_v1_url }}/api/v1/log) || {
echo "Fetching loginfo from ${{ inputs.rekor_v1_url }} failed, exiting..."; exit 1;
}

# shard_sizes[0] is the size of the active shard, shard_sizes [1...n] are the sizes of the inactive shards
Expand Down Expand Up @@ -299,8 +283,8 @@ jobs:
fi

for index in "${result[@]}"; do
echo -n "Fetching index $index from ${{ inputs.rekor_url }} ... "
entry=$(curl -fs ${{ inputs.rekor_url }}/api/v1/log/entries?logIndex=$index) || {
echo -n "Fetching index $index from ${{ inputs.rekor_v1_url }} ... "
entry=$(curl -fs ${{ inputs.rekor_v1_url }}/api/v1/log/entries?logIndex=$index) || {
echo "failed!"; exit 1;
}
echo
Expand All @@ -311,8 +295,135 @@ jobs:
id: msg
if: success() || failure()
run: |
echo "rekor_fulcio_e2e=good" >> $GITHUB_OUTPUT
if [ "${{ job.status }}" == 'failure' ]; then echo "rekor_fulcio_e2e=failure" >> $GITHUB_OUTPUT; fi
echo "rekor_v1_fulcio_e2e=good" >> $GITHUB_OUTPUT
if [ "${{ job.status }}" == 'failure' ]; then echo "rekor_v1_fulcio_e2e=failure" >> $GITHUB_OUTPUT; fi

rekor-v2-fulcio-e2e:
timeout-minutes: 10
permissions:
id-token: write
contents: read
env:
COSIGN_YES: "true"
REKOR_URL: ${{ inputs.rekor_v2_url }}
GIT_HASH: ${{ github.sha }}
GIT_VERSION: unstable
GITHUB_RUN_ID: ${{ github.run_id }}
GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
IMAGE: localhost:1338/image:${{ github.sha }}-${{ github.run_id }}
IDENTITY_REGEX: ${{ github.server_url }}/${{ github.repository }}/.github/workflows/reusable-prober.yml@refs/.*
runs-on: ubuntu-latest
outputs:
rekor_v2_fulcio_e2e: ${{ steps.msg.outputs.rekor_v2_fulcio_e2e }}
skip_pagerduty: ${{ steps.set-skip-pagerduty.outputs.skip_pagerduty }}
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

# This server is often down, resulting in a lot of flaky probers
# If the server is down, and this step fails, we don't alert PagerDuty
- name: Confirm Github OIDC Server is Available
continue-on-error: true
run: |
curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" $ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore

# Since the server is down, we want to ignore the failure in this workflow
# and skip paging PagerDuty
- name: Set skip_pagerduty outputs
id: set-skip-pagerduty
if: failure()
run: |
echo "skip_pagerduty=true" >> $GITHUB_OUTPUT

- name: Extract crane binary
run: |
docker pull ghcr.io/sigstore/sigstore-probers:latest
# the last argument in the next command is not used, it is required because the container doesn't have a default command
docker create --name binaries ghcr.io/sigstore/sigstore-probers /usr/local/bin/crane
docker cp binaries:/usr/local/bin/crane /usr/local/bin/

- name: Install cosign
uses: sigstore/[email protected]

# Setup the registry on port 1338
- run: |
PORT=1338 crane registry serve &

# this pulls a container from GHCR to avoid docker.io rate limiting and minimize network flake risk
- name: Build and copy a container image
run: |
docker pull ghcr.io/linuxcontainers/alpine
docker tag ghcr.io/linuxcontainers/alpine ${IMAGE}
docker push ${IMAGE}

# START: PREPRODUCTION VERIFICATION:
# * "Upgrade" cosign from prod to preprod TUF; sign and verify
# * Do not run this test for staging TUF
# TODO: Create a matrix (https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs)
# to reduce duplication

- name: Initialize prod TUF root
if: ${{ inputs.enable_staging == false }}
run: |
for i in {1..5}
do
if cosign initialize --mirror=${{ inputs.tuf_repo }} --root=${{ inputs.tuf_root_path }}; then
echo "Successfully initialized" && exit 0
else
echo "Failed to initialize" && sleep 10
fi
done

- name: Initialize preprod TUF root
if: ${{ inputs.enable_staging == false }}
run: |
for i in {1..5}
do
if cosign initialize --mirror=${{ inputs.tuf_preprod_repo }} --root=${{ inputs.tuf_root_path }}; then
echo "Successfully initialized" && exit 0
else
echo "Failed to initialize" && sleep 10
fi
done

- name: Sign and verify the image with preprod TUF
if: ${{ inputs.enable_staging == false }}
run: |
cosign sign --yes ${IMAGE} --use-signing-config --rekor-url ${{ inputs.rekor_v2_url }} --oidc-provider github-actions --new-bundle-format
cosign verify ${IMAGE} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX" --new-bundle-format

- name: Remove preprod TUF
run: |
rm -rf ~/.sigstore
# END: PREPRODUCTION VERIFICATION

- name: Initialize TUF root
run: |
for i in {1..5}
do
if cosign initialize --mirror=${{ inputs.tuf_repo }} --root=${{ inputs.tuf_root_path }}; then
echo "Successfully initialized" && exit 0
else
echo "Failed to initialize" && sleep 10
fi
done
exit 1

- name: Sign and verify the image
run: |
cosign sign --yes ${IMAGE} --use-signing-config --rekor-url ${{ inputs.rekor_v2_url }} --oidc-provider github-actions --new-bundle-format
cosign verify ${IMAGE} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX" --new-bundle-format

- name: Generate and upload attestation
run: |
cosign attest --predicate ./prober/attestation.json --type slsaprovenance --use-signing-config ${IMAGE} --new-bundle-format
cosign verify-attestation --type=slsaprovenance ${IMAGE} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="$IDENTITY_REGEX" --new-bundle-format

- name: Set messages
id: msg
if: success() || failure()
run: |
echo "rekor_v2_fulcio_e2e=good" >> $GITHUB_OUTPUT
if [ "${{ job.status }}" == 'failure' ]; then echo "rekor_v2_fulcio_e2e=failure" >> $GITHUB_OUTPUT; fi

compute-summary-msg:
runs-on: ubuntu-latest
Expand All @@ -335,8 +446,8 @@ jobs:
fi

pagerduty-notification:
if: github.event.inputs.triggerPagerDutyTest=='true' || (failure() && needs.rekor-fulcio-e2e.outputs.skip_pagerduty != 'true')
needs: [sigstore-probe, root-probe, rekor-fulcio-e2e, compute-summary-msg]
if: github.event.inputs.triggerPagerDutyTest=='true' || (failure() && needs.rekor-v1-fulcio-e2e.outputs.skip_pagerduty != 'true')
needs: [sigstore-probe, root-probe, rekor-v1-fulcio-e2e, rekor-v2-fulcio-e2e, compute-summary-msg]
uses: ./.github/workflows/reusable-pager.yml
permissions:
contents: read
Expand All @@ -354,7 +465,8 @@ jobs:
"Commit": "${{ github.sha }}",
"Prober": "${{ needs.sigstore-probe.outputs.sigstore_probe }}",
"GCS Root": "${{ needs.root-probe.outputs.root_state }}",
"Rekor Fulcio E2E Test": "${{ needs.rekor-fulcio-e2e.outputs.rekor_fulcio_e2e }}"
"Rekor v1 Fulcio E2E Test": "${{ needs.rekor-v1-fulcio-e2e.outputs.rekor_v1_fulcio_e2e }}",
"Rekor v2 Fulcio E2E Test": "${{ needs.rekor-v2-fulcio-e2e.outputs.rekor_v2_fulcio_e2e }}"
}
links: >
[
Expand All @@ -369,9 +481,9 @@ jobs:
]

github-issue:
if: always() && (needs.sigstore-probe.result == 'failure' || needs.root-probe.result == 'failure' || needs.rekor-fulcio-e2e.result == 'failure')
if: always() && (needs.sigstore-probe.result == 'failure' || needs.root-probe.result == 'failure' || needs.rekor-v1-fulcio-e2e.result == 'failure' || needs.rekor-v2-fulcio-e2e.result == 'failure')
runs-on: ubuntu-latest
needs: [sigstore-probe, root-probe, rekor-fulcio-e2e, compute-summary-msg]
needs: [sigstore-probe, root-probe, rekor-v1-fulcio-e2e, rekor-v2-fulcio-e2e, compute-summary-msg]
permissions:
issues: write
steps:
Expand All @@ -384,5 +496,6 @@ jobs:
Commit: ${{ github.sha }}
Prober: ${{ needs.sigstore-probe.outputs.sigstore_probe }}
GCS Root: ${{ needs.root-probe.outputs.root_state }}
Rekor Fulcio E2E Test: ${{ needs.rekor-fulcio-e2e.outputs.rekor_fulcio_e2e }}
Rekor v1 Fulcio E2E Test: ${{ needs.rekor-v1-fulcio-e2e.outputs.rekor_v1_fulcio_e2e }}
Rekor v2 Fulcio E2E Test: ${{ needs.rekor-v2-fulcio-e2e.outputs.rekor_v2_fulcio_e2e }}
EOF
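Review bot: The PagerDuty gate `if: ... (failure() && needs.rekor-v1-fulcio-e2e.outputs.skip_pagerduty != 'true')` only consults the v1 job, although the new rekor-v2-fulcio-e2e job exports the same `skip_pagerduty` output, so an OIDC outage observed only by the v2 job would still page; extend it with `&& needs.rekor-v2-fulcio-e2e.outputs.skip_pagerduty != 'true'`. In the new v2 job's "Confirm Github OIDC Server is Available" step the unquoted `&` in `$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore` backgrounds curl and runs `audience=sigstore` as a shell assignment, so the step cannot fail on an unreachable server and the skip_pagerduty logic never triggers; quote it as `curl -fsS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore"`. The v2 job's two preprod TUF initialization loops ("Initialize prod TUF root" and "Initialize preprod TUF root") fall through after five failed attempts with no `exit 1` after `done`, unlike the later "Initialize TUF root" step, so a persistently failing initialize is masked and the preprod sign/verify then runs against whatever root happens to be present. Finally, `rekor_v2_url` defaults to a sigstage host while `rekor_v1_url` defaults to rekor.sigstore.dev; a caller with `enable_staging` false that does not override it would sign against the staging v2 log under the prod trusted root, which presumably fails verification, and the v2 attest step uses `--use-signing-config` without `--rekor-url`, so it is not obvious that it exercises the v2 log at all — a comment on the input and on that step stating which log is actually targeted would help.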