From 0f9a84eecdcad494b2f283864492c5d832a8f1ac Mon Sep 17 00:00:00 2001
From: Grunet
Date: Tue, 8 Aug 2023 22:54:48 -0500
Subject: [PATCH] Create process to check base image tamperment (#65)
---
 packages/honeypot/CHANGELOG.md | 5 +++++
 packages/honeypot/Dockerfile | 4 ++--
 packages/honeypot/MAINTENANCE.md | 24 +++++++++++++++++++++++-
 packages/honeypot/version.json | 2 +-
 4 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/packages/honeypot/CHANGELOG.md b/packages/honeypot/CHANGELOG.md
index 9a0a733..eeebf57 100644
--- a/packages/honeypot/CHANGELOG.md
+++ b/packages/honeypot/CHANGELOG.md
@@ -13,6 +13,11 @@ What is in scope for breaking changes includes
 ## Changes
+### v0.4.6
+
+- Update Chainguard base images in the Dockerfile
+- Add steps in update process to check Chainguard base image signatures
+
 ### v0.4.5
 - Update Chainguard base images in the Dockerfile
diff --git a/packages/honeypot/Dockerfile b/packages/honeypot/Dockerfile
index d30ff53..2e0a926 100644
--- a/packages/honeypot/Dockerfile
+++ b/packages/honeypot/Dockerfile
@@ -1,7 +1,7 @@
 # Adapted from https://edu.chainguard.dev/chainguard/chainguard-images/reference/python/overview/#usage
 # Python 3.11.4, dev base image. See https://www.chainguard.dev/unchained/a-guide-on-how-to-use-chainguard-images-for-public-catalog-tier-users for more details on how to update this
-FROM cgr.dev/chainguard/python@sha256:759d011c3fc096b3e0ed7d3d77faa18ea49b5083fad3c2f04bcedb158734e742 as builder
+FROM cgr.dev/chainguard/python@sha256:0e964fbb6ebb43ce466dc902c4bb29b0bfeb8f68b635ba9774e49e42e96ada18 as builder
 WORKDIR /app
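Review bot: The digest pinned on the `+FROM` line is what the build actually consumes, but the verification procedure this commit adds in MAINTENANCE.md runs `cosign verify` against the floating `latest-dev` and `latest` tags, so it never attests the specific digest recorded here (the same gap applies to the production `FROM` in the second Dockerfile hunk). A tag can be re-pointed between the verify step and the moment a digest is copied into this file, and a reader of the Dockerfile has no record of what was checked. Consider verifying the pinned reference itself and recording that in the comment above the line, e.g. `# Digest verified with: cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/python@sha256:0e964fbb6ebb43ce466dc902c4bb29b0bfeb8f68b635ba9774e49e42e96ada18`. Separately, `as builder` would read `AS builder` to match the uppercase instruction keywords and satisfy BuildKit's FromAsCasing check.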
@@ -10,7 +10,7 @@ COPY requirements.txt .
 RUN pip install -r requirements.txt --user
 # Python 3.11.4, production base image. See https://www.chainguard.dev/unchained/a-guide-on-how-to-use-chainguard-images-for-public-catalog-tier-users for more details on how to update this
-FROM cgr.dev/chainguard/python@sha256:2a6931375b21a4053e9961d559caa94ddb2546c2b00aedb508884fb03694999d
+FROM cgr.dev/chainguard/python@sha256:6e512c60467cb53572112d8b5f1200d93cc7f883db01e57836fd93754f6bb4e8
 # Make sure you update Python version in path
 COPY --from=builder /home/nonroot/.local/lib/python3.11/site-packages /home/nonroot/.local/lib/python3.11/site-packages
diff --git a/packages/honeypot/MAINTENANCE.md b/packages/honeypot/MAINTENANCE.md
index d8e3734..11be142 100644
--- a/packages/honeypot/MAINTENANCE.md
+++ b/packages/honeypot/MAINTENANCE.md
@@ -155,7 +155,29 @@ If the version is newer than the one in use, go follow the steps in the [python
 If the version is the same, that means there's only updates to the rest of the base image to be taken.
-Follow these steps to update the base images
+First, follow these steps to verify the Chainguard images haven't been replaced or tampered with
+
+1. [Install cosign](https://docs.sigstore.dev/cosign/installation/) (make sure to update the steps to use the latest version)
+2. Run the following command to check the `latest-dev` image
+```bash
+cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/python:latest-dev
+```
+3. Run the following command to check the `latest` image
+```bash
+cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/python:latest
+```
+
+The output of both should look like
+
+```
+Verification for cgr.dev/chainguard/python@latest --
+The following checks were performed on each of these signatures:
+ - The cosign claims were validated
+ - Existence of the claims in the transparency log was verified offline
+ - The code-signing certificate was verified using trusted certificate authority certificates
+```
+
+If that's so, then follow these steps to update the base images
 1. Navigate to https://edu.chainguard.dev/chainguard/chainguard-images/reference/python/overview/
 2. Inspect the date of the latest images releases, and make sure it's not too recent (e.g. the same day)
diff --git a/packages/honeypot/version.json b/packages/honeypot/version.json
index 70d423e..8a673d4 100644
--- a/packages/honeypot/version.json
+++ b/packages/honeypot/version.json
@@ -1,3 +1,3 @@
 {
- "version": "0.4.5"
+ "version": "0.4.6"
 }
\ No newline at end of file