
@JamieMagee
Member

Now that the updater container images are signed as part of dependabot/dependabot-core#9546, we need to verify those signatures when using those container images.

This change allows us to verify that the container images we pull were built by a GitHub Actions workflow in the main branch of https://github.com/dependabot/dependabot-core.

The code is equivalent to running:

$ cosign verify \
	ghcr.io/dependabot/dependabot-updater-<ecosystem>:latest \
	--certificate-oidc-issuer https://token.actions.githubusercontent.com \
	--certificate-identity https://github.com/dependabot/dependabot-core/.github/workflows/images-latest.yml@refs/heads/main

TODO:

  • See if it's possible to decrease the number of dependencies this change adds

Related to #308
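The identity and issuer policy those two cosign flags express, as an added Go illustration using only the standard library (not code from this PR, dependabot-cli or cosign): the Fulcio issuer extension OID is the real one, while fakeFulcioCert is a constructed stand-in for a Fulcio signing certificate used only as sample input. It also shows why pinning the identity to refs/heads/main matters: a certificate issued to a PR-branch run of the same workflow is rejected even though its signature would be valid.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1} // Fulcio OIDC-issuer extension (raw-string form cosign still accepts)

// CheckIdentity applies what --certificate-oidc-issuer and --certificate-identity express: the issuer
// extension must equal wantIssuer and one SAN URI must equal wantIdentity, so a refs/pull/N/merge build fails.
func CheckIdentity(cert *x509.Certificate, wantIssuer, wantIdentity string) error {
	var issuer string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIssuer) {
			issuer = string(ext.Value)
		}
	}
	if issuer != wantIssuer {
		return fmt.Errorf("issuer %q does not match %q", issuer, wantIssuer)
	}
	for _, u := range cert.URIs {
		if u.String() == wantIdentity {
			return nil
		}
	}
	return fmt.Errorf("no SAN URI matches identity %q", wantIdentity)
}

// fakeFulcioCert is a constructed, self-signed stand-in for a Fulcio certificate (test data only).
func fakeFulcioCert(issuer, identity string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	id, _ := url.Parse(identity)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		URIs:            []*url.URL{id},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

The real cosign check additionally validates the Fulcio chain, the Rekor inclusion proof and the signature itself; this block isolates only the identity policy the PR description pins.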

@JamieMagee JamieMagee requested a review from a team as a code owner April 30, 2024 18:17
@JamieMagee JamieMagee requested a review from jakecoffman April 30, 2024 18:17
@JamieMagee
Member Author

OpenTelemetry containers are also signed with cosign:

$ cosign verify \
  docker.io/otel/opentelemetry-collector-contrib:latest \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/open-telemetry/opentelemetry-collector-releases/.github/workflows/base-release.yaml@refs/tags/v0.99.0

Verification for index.docker.io/otel/opentelemetry-collector-contrib:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
...

@dmitris

dmitris commented Feb 12, 2025

@JamieMagee - could you rebase & resolve the conflicts, please? I would hope to see this completed and merged - verifying the sigstore signatures is a great idea! 💯

@JamieMagee JamieMagee force-pushed the jamiemagee/verify-cosign branch from 919e74b to 8ce539f on February 12, 2025 22:15
@JamieMagee
Member Author

@dmitris done and done. I updated to v2 of cosign and added signature verification of the default OpenTelemetry container as well. Once the proxy container is signed this can be easily added as well.

@JamieMagee JamieMagee force-pushed the jamiemagee/verify-cosign branch 3 times, most recently from 60e4d41 to 13ac0ad on February 12, 2025 23:05
@jeffwidman
Member

👍 on the overall idea.

When debugging, we may need to specify a custom version of the image... it's been a bit since I last did it, so I don't remember for sure if I was specifying an image that I'd built locally or from a PR against dependabot-core... but regardless it was not the image coming from main.

What would a developer need to do to get this signature verification to play nice with that workflow? Is it just commenting out a line of code somewhere?

@JamieMagee
Member Author

@jeffwidman You just need to add --verify-signatures false to any command you run with a locally built container image.

@dmitris

dmitris commented Apr 15, 2025

> @dmitris done and done. I updated to v2 of cosign and added signature verification of the default OpenTelemetry container as well. Once the proxy container is signed this can be easily added as well.

One more time, please (resolve conflicts) 😃 - thanks!

@trevrosen

cc @codysoyland @steiza

Cosign v2 seems like the right path here given that this is a public repo, but I'm copying Cody and Zach in case they think it makes sense to use the GH CLI's attestation package as an alternative. In any case I'm glad to see us using the Cosign updates that @codysoyland worked so hard to get merged upstream! 😆

@JamieMagee
Member Author

@trevrosen I'd also be interested to get a review on my use of the sigstore APIs. I'm not super familiar with them, and want to make sure I'm using them correctly.

Also, here's the signing part of this in our dependabot-core repository:

https://github.com/dependabot/dependabot-core/blob/1e0f4829ac6d96aa4b28df285c859b1de62a15b0/.github/workflows/images-latest.yml#L70-L92

@codysoyland

Hey! I'm a Cosign maintainer and work on GitHub Artifact Attestations. We recently added support for Sigstore Bundles as OCI referring artifacts for Cosign attestations using the --new-bundle-format flag. This is compatible with the attest-build-provenance we have built at GitHub; you can attest with actions/attest-build-provenance and verify with either cosign verify-attestation or with the GH CLI. The new format is how things will work by default in Cosign v3 and has better cross-language support and portability. I'd be happy to answer any questions about that or schedule a call!

@JamieMagee JamieMagee force-pushed the jamiemagee/verify-cosign branch from 13ac0ad to f89da78 on April 23, 2025 20:01
@JamieMagee
Member Author

Thanks to @codysoyland for all the help.

I've managed to update this branch to use the new sigstore attestation bundle format. Unfortunately, the attestations we've been pushing until now have been using the old bundle format. However, Cody has sent out a PR to dependabot-core to publish using the new bundle format: dependabot/dependabot-core#12116. Once that's merged it'll unblock this branch.
