Create process to check base image tampering (#65)
Grunet authored Aug 9, 2023
1 parent 2a1fcbb commit 0f9a84e
Showing 4 changed files with 31 additions and 4 deletions.
5 changes: 5 additions & 0 deletions packages/honeypot/CHANGELOG.md
Expand Up @@ -13,6 +13,11 @@ What is in scope for breaking changes includes

## Changes

### v0.4.6

- Update Chainguard base images in the Dockerfile
- Add steps in update process to check Chainguard base image signatures

### v0.4.5

- Update Chainguard base images in the Dockerfile
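Review bot: the v0.4.6 entry says signature checks were added to the update process but not where they live; linking the entry to the relevant section of MAINTENANCE.md (changed in this same commit) would let readers find the cosign steps and would make clear that the check is a manual step in the update procedure, not something enforced during the Dockerfile build.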
4 changes: 2 additions & 2 deletions packages/honeypot/Dockerfile
@@ -1,7 +1,7 @@
# Adapted from https://edu.chainguard.dev/chainguard/chainguard-images/reference/python/overview/#usage

# Python 3.11.4, dev base image. See https://www.chainguard.dev/unchained/a-guide-on-how-to-use-chainguard-images-for-public-catalog-tier-users for more details on how to update this
FROM cgr.dev/chainguard/python@sha256:759d011c3fc096b3e0ed7d3d77faa18ea49b5083fad3c2f04bcedb158734e742 as builder
FROM cgr.dev/chainguard/python@sha256:0e964fbb6ebb43ce466dc902c4bb29b0bfeb8f68b635ba9774e49e42e96ada18 as builder

WORKDIR /app
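Review bot: the digest pinned in this FROM line is what the build actually pulls, but the verification steps added in MAINTENANCE.md run `cosign verify` against the `latest-dev` tag, which can move between the moment it is verified and the moment a digest is copied into this file. Suggest verifying the pinned reference itself, i.e. `cosign verify ... cgr.dev/chainguard/python@sha256:0e964fbb6ebb43ce466dc902c4bb29b0bfeb8f68b635ba9774e49e42e96ada18`, so that the signature check covers exactly the image that is built rather than whatever the tag resolved to at the time.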

Expand All @@ -10,7 +10,7 @@ COPY requirements.txt .
RUN pip install -r requirements.txt --user

# Python 3.11.4, production base image. See https://www.chainguard.dev/unchained/a-guide-on-how-to-use-chainguard-images-for-public-catalog-tier-users for more details on how to update this
FROM cgr.dev/chainguard/python@sha256:2a6931375b21a4053e9961d559caa94ddb2546c2b00aedb508884fb03694999d
FROM cgr.dev/chainguard/python@sha256:6e512c60467cb53572112d8b5f1200d93cc7f883db01e57836fd93754f6bb4e8

# Make sure you update Python version in path
COPY --from=builder /home/nonroot/.local/lib/python3.11/site-packages /home/nonroot/.local/lib/python3.11/site-packages
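Review bot: the `# Python 3.11.4, production base image` comment and the `python3.11` segment in the COPY path are both coupled to the digest changed here, yet nothing in the diff records that the new image still ships 3.11.4; if the minor version had moved, the COPY would silently place packages in a site-packages directory the runtime never reads. Suggest confirming the Python version of the new digest as part of the update (MAINTENANCE.md already distinguishes the "same version" case) and keeping the comment in sync with the pinned image.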
24 changes: 23 additions & 1 deletion packages/honeypot/MAINTENANCE.md
Expand Up @@ -155,7 +155,29 @@ If the version is newer than the one in use, go follow the steps in the [python

If the version is the same, that means there's only updates to the rest of the base image to be taken.

Follow these steps to update the base images
First, follow these steps to verify the Chainguard images haven't been replaced or tampered with

1. [Install cosign](https://docs.sigstore.dev/cosign/installation/) (make sure to update the steps to use the latest version)
2. Run the following command to check the `latest-dev` image
```bash
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/python:latest-dev
```
3. Run the following command to check the `latest` image
```bash
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/python:latest
```

The output of both should look like

```
Verification for cgr.dev/chainguard/python@latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
```

If that's so, then follow these steps to update the base images

1. Navigate to https://edu.chainguard.dev/chainguard/chainguard-images/reference/python/overview/
2. Inspect the date of the latest images releases, and make sure it's not too recent (e.g. the same day)
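Review bot: the sample output reads `Verification for cgr.dev/chainguard/python@latest --`, but the commands above verify `cgr.dev/chainguard/python:latest` (a tag, written with a colon; `@` introduces a digest), so the quoted line will not match what cosign prints and should read `:latest`. Step 1's "make sure to update the steps to use the latest version" is also ambiguous about which steps are meant; stating that the linked install instructions should be followed for the current cosign release would make the intent clear.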
2 changes: 1 addition & 1 deletion packages/honeypot/version.json
@@ -1,3 +1,3 @@
{
"version": "0.4.5"
"version": "0.4.6"
}
