From 0db0a48bb25488a89ccd29e16da8d6b3c87d641f Mon Sep 17 00:00:00 2001 From: Chris Porter Date: Wed, 23 Oct 2024 14:24:03 +0000 Subject: [PATCH] Codify the creation of test containers 
Signed-off-by: Chris Porter
---
.github/workflows/build-test-containers.yaml | 62 +++++++++
container-images/Makefile | 118 ++++++++++++++++++
container-images/configs/ocicrypt.conf | 5 +
.../dockerfiles/alpine-with-sshd/Dockerfile | 21 ++++
.../dockerfiles/busybox/Dockerfile | 3 +
container-images/keys/encrypt/key1 | 1 +
container-images/keys/sign/README.md | 79 ++++++++++++
container-images/keys/sign/cosign.key | 11 ++
container-images/keys/sign/cosign.pub | 4 +
.../keys/sign/git-runner-password.txt | 1 +
container-images/keys/sign/github-runner.keys | Bin 0 -> 3772 bytes
container-images/keys/ssh/ccv0-ssh | 7 ++
container-images/keys/ssh/ccv0-ssh.pub | 1 +
.../keys/ssh/ssh_host_ed25519_key | 7 ++
.../keys/ssh/ssh_host_ed25519_key.pub | 1 +
container-images/scripts/make-cosign-sig.exp | 16 +++
16 files changed, 337 insertions(+)
create mode 100644 .github/workflows/build-test-containers.yaml
create mode 100644 container-images/Makefile
create mode 100644 container-images/configs/ocicrypt.conf
create mode 100644 container-images/dockerfiles/alpine-with-sshd/Dockerfile
create mode 100644 container-images/dockerfiles/busybox/Dockerfile
create mode 100644 container-images/keys/encrypt/key1
create mode 100644 container-images/keys/sign/README.md
create mode 100644 container-images/keys/sign/cosign.key
create mode 100644 container-images/keys/sign/cosign.pub
create mode 100644 container-images/keys/sign/git-runner-password.txt
create mode 100644 container-images/keys/sign/github-runner.keys
create mode 100644 container-images/keys/ssh/ccv0-ssh
create mode 100644 container-images/keys/ssh/ccv0-ssh.pub
create mode 100644 container-images/keys/ssh/ssh_host_ed25519_key
create mode 100644 container-images/keys/ssh/ssh_host_ed25519_key.pub
create mode 100755 container-images/scripts/make-cosign-sig.exp
diff --git a/.github/workflows/build-test-containers.yaml b/.github/workflows/build-test-containers.yaml
new file mode 100644
index 0000000..128c3f0
--- /dev/null
+++ b/.github/workflows/build-test-containers.yaml
@@ -0,0 +1,62 @@
+name: Build Test Containers
+run-name: Build Test Containers
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'main'
+ paths:
+ - 'container-images'
+ - '.github/workflows/build-test-containers.yaml'
+jobs:
+ Explore-GitHub-Actions:
+ env:
+ RUSTC_VERSION: 1.72.0
+ runs-on: ubuntu-24.04
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Check out guest-components
+ uses: actions/checkout@v4
+ with:
+ repository: confidential-containers/guest-components
+ ref: refs/heads/main
+ path: ./guest-components
+ - name: Install Protoc
+ uses: arduino/setup-protoc@v3
+ - name: Import github@runner.com key
+ working-directory: container-images
+ run: gpg --batch --import keys/sign/github-runner.keys
+ - name: Install expect
+ run: sudo apt-get install -y expect
+ - name: Install cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: "v2.4.1"
+ - name: Log in to ghcr
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Make all
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: |
+ cd guest-components/attestation-agent/coco_keyprovider
+ cargo build --release
+ RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000 &
+ cd ../../../container-images
+ echo "Waiting for coco-keyprovider on localhost:50000"
+ timeout_count=1
+ while ! nc -z localhost 50000; do
+ timeout_count=$((timeout_count+1))
+ sleep 1
+ if [ $timeout_count == 5 ]; then
+ echo "ERROR: Timed out. Exiting."
+ exit 1
+ fi
+ done
+ echo "coco-keyprovider is ready"
+ make all
diff --git a/container-images/Makefile b/container-images/Makefile
new file mode 100644
index 0000000..1bda3b9
--- /dev/null
+++ b/container-images/Makefile
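Review bot: The push trigger's path filter `- 'container-images'` matches only a file literally named container-images, not files under that directory, so a push to main that changes the Makefile, Dockerfiles or keys will not rebuild the images; it should read `- 'container-images/**'`. Two supply-chain pins are missing in the same job: `sigstore/cosign-installer@main` tracks a mutable branch and should be pinned to a release tag or commit SHA, and guest-components is checked out at `ref: refs/heads/main` and then built and executed as the key provider that encrypts every published image, so a tag or SHA there keeps the encryption step reproducible and reviewable. The job pushes to ghcr with `secrets.GITHUB_TOKEN` but declares no `permissions:` block; add `permissions: { contents: read, packages: write }` at job level so the push works regardless of the repository's default token permissions and nothing beyond that is granted. Minor: `RUSTC_VERSION: 1.72.0` is set in the job env but no step in the hunk reads it.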
@@ -0,0 +1,118 @@
+#
+# This makefile's targets rebuild various container images that can be used
+# for development and testing in the CoCo project.
+# They also are intended to serve as an up-to-date reference for creating
+# new images.
+#
+# Note: The targets push to ghcr, which requires proper credentials and
+# `docker login`.
+#
+
+.PHONY: unsig \
+cosign-sig \
+simple-sig \
+enc-unsig \
+enc-cosign-sig \
+test-container-unencrypted \
+test-container-encrypted \
+busybox
+
+SHELL=/bin/bash
+
+
+# FIXME need to choose sane package URLs/names/tags
+COCO_PKG=confidential-containers/test-container
+COCO_PKG_IMGRS=confidential-cointainers/test-container-image-rs
+
+
+
+all: \
+ unsig \
+ cosign-sig \
+ simple-sig \
+ enc-unsig \
+ enc-cosign-sig \
+ test-container-unencrypted \
+ test-container-encrypted \
+ busybox
+
+
+
+unsig:
+ docker build \
+ -t ghcr.io/$(COCO_PKG):unsig \
+ -f dockerfiles/alpine-with-sshd/Dockerfile \
+ .
+ docker push ghcr.io/$(COCO_PKG):unsig
+
+
+cosign-sig:
+ docker build \
+ -t ghcr.io/$(COCO_PKG):cosign-sig \
+ -f dockerfiles/alpine-with-sshd/Dockerfile \
+ .
+ docker push ghcr.io/$(COCO_PKG):cosign-sig
+ # FIXME Replace expect script with something better
+ ${CURDIR}/scripts/make-cosign-sig.exp $(COCO_PKG) cosign-sig
+
+
+# NOTE: This depends on a gpg key owned by git@runner.com.
+# That is, before issuing this make target, have to do something like:
+# $ gpg --batch --import ./keys/sign/github-runner.keys
+simple-sig:
+ skopeo \
+ copy \
+ --debug \
+ --insecure-policy \
+ --sign-by git@runner.com \
+ --sign-passphrase-file $(shell pwd)/keys/sign/git-runner-password.txt \
+ docker-daemon:ghcr.io/$(COCO_PKG):unsig \
+ docker://ghcr.io/$(COCO_PKG):simple-sig
+
+
+# NOTE: This requires coco-keyprovider running from guest-components...
+# That is, before issuing this make target, have to do something like:
+# $ cd guest-components/attestation-agent/coco_keyprovider
+# $ RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000
+enc-unsig: unsig
+ OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+ skopeo copy \
+ --insecure-policy \
+ --encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+ docker-daemon:ghcr.io/$(COCO_PKG):unsig \
+ docker://ghcr.io/$(COCO_PKG):enc-unsig
+
+
+# NOTE: see enc-unsig about coco-keyprovider
+# NOTE: see cosign-sig about replacing expect script
+enc-cosign-sig: cosign-sig
+ OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+ skopeo copy \
+ --insecure-policy \
+ --encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+ docker-daemon:ghcr.io/$(COCO_PKG):cosign-sig \
+ docker://ghcr.io/$(COCO_PKG):enc-cosign-sig
+ ./scripts/make-cosign-sig.exp $(COCO_PKG) enc-cosign-sig
+
+
+test-container-unencrypted:
+ docker build \
+ -t ghcr.io/$(COCO_PKG):unencrypted \
+ -f dockerfiles/alpine-with-sshd/Dockerfile \
+ .
+ docker push ghcr.io/$(COCO_PKG):unencrypted
+
+
+# NOTE: see enc-unsig about coco-keyprovider
+test-container-encrypted: test-container-unencrypted
+ OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+ skopeo copy \
+ --insecure-policy \
+ --encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+ docker-daemon:ghcr.io/$(COCO_PKG):unencrypted \
+ docker://ghcr.io/$(COCO_PKG):encrypted
+
+
+busybox:
+ docker build -t ghcr.io/$(COCO_PKG_IMGRS):busybox dockerfiles/busybox
+ docker push ghcr.io/$(COCO_PKG_IMGRS):busybox
diff --git a/container-images/configs/ocicrypt.conf b/container-images/configs/ocicrypt.conf
new file mode 100644
index 0000000..52bc66d
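Review bot: `COCO_PKG_IMGRS` is spelled `confidential-cointainers/test-container-image-rs`, so the `busybox` target pushes to a different ghcr namespace than every other target and the push will fail unless that namespace exists and the runner's token can write to it; fix to `COCO_PKG_IMGRS=confidential-containers/test-container-image-rs`. `simple-sig` reads `docker-daemon:ghcr.io/$(COCO_PKG):unsig` but does not declare `unsig` as a prerequisite, so it works only because `all` happens to run `unsig` first and breaks under `make simple-sig` alone or `make -j`; declare `simple-sig: unsig` as the `enc-*` targets already do for their sources. Every skopeo invocation passes `--insecure-policy`, which disables signature-policy evaluation on the source image; that is tolerable here only because the source is the local docker daemon, and a comment saying so, e.g. `# --insecure-policy: source is the local daemon, no policy to enforce; do not copy this flag into real tooling`, would stop it being cargo-culted into non-test Makefiles.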
--- /dev/null +++ b/container-images/configs/ocicrypt.conf @@ -0,0 +1,5 @@ +{ + "key-providers": { + "attestation-agent": { + "grpc": "127.0.0.1:50000" +}}} diff --git a/container-images/dockerfiles/alpine-with-sshd/Dockerfile b/container-images/dockerfiles/alpine-with-sshd/Dockerfile new file mode 100644 index 0000000..aefa66e --- /dev/null +++ b/container-images/dockerfiles/alpine-with-sshd/Dockerfile @@ -0,0 +1,21 @@ +FROM alpine:3.14 +RUN apk update && apk upgrade && apk add openssh-server + +# Use the ssh-demo image's legacy keys. To generate new ones, can do something +# like: +# RUN ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -P "" +COPY keys/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key +COPY keys/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_ed25519_key.pub + +# A password needs to be set for login to work. An empty password is +# unproblematic as password-based login to root is not allowed. +RUN passwd -d root + +# Use the ssh-demo user/client's legacy keys. To generate new ones, can do +# something like: +# $ ssh-keygen -t ed25519 -f ccv0-ssh -P "" -C ""` +COPY keys/ssh/ccv0-ssh.pub /root/.ssh/authorized_keys +ENTRYPOINT /usr/sbin/sshd -D + +# Can connect to the running container with something like: +# $ ssh -i keys/ssh/ccv0-ssh root@ diff --git a/container-images/dockerfiles/busybox/Dockerfile b/container-images/dockerfiles/busybox/Dockerfile new file mode 100644 index 0000000..5f1b2db --- /dev/null +++ b/container-images/dockerfiles/busybox/Dockerfile @@ -0,0 +1,3 @@ +FROM busybox:1.36 + +CMD ["sh"] diff --git a/container-images/keys/encrypt/key1 b/container-images/keys/encrypt/key1 new file mode 100644 index 0000000..143d8f4 --- /dev/null +++ b/container-images/keys/encrypt/key1 @@ -0,0 +1 @@ +0È¥±²r‰´ðZõORõêUÚØëC<ÿcÖ\B \ No newline at end of file diff --git a/container-images/keys/sign/README.md b/container-images/keys/sign/README.md new file mode 100644 index 0000000..5e9f925 --- /dev/null 
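Review bot: `COPY keys/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key` preserves the build-context file's mode bits, and the key is committed with mode 100644, so sshd may reject the host key as too open when the container starts; use `COPY --chmod=0600 keys/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key` (or a `RUN chmod 600` right after it) so the image does not depend on the checkout's permissions. `ENTRYPOINT /usr/sbin/sshd -D` is the shell form, so sshd runs as a child of `/bin/sh` and is not the process that receives SIGTERM on `docker stop`; the exec form `ENTRYPOINT ["/usr/sbin/sshd", "-D"]` avoids that. `alpine:3.14` is past end of life, so `apk upgrade` no longer pulls security fixes for openssh-server, which matters if this Dockerfile is meant to be the "up-to-date reference" the Makefile header describes. The comment that password login to root is not allowed relies on sshd's default `PermitRootLogin prohibit-password`; naming that default in the comment, or setting it explicitly in sshd_config, would make the assumption visible to whoever edits the image next.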
+++ b/container-images/keys/sign/README.md 
@@ -0,0 +1,79 @@
+# README
+
+
+## For cosign
+Keys are generated with something like:
+```
+ $ COSIGN_PASSWORD=just1testing2password3 cosign generate-key-pair
+```
+
+Then upload them manually to the github repo's secrets. Name them like so:
+```
+ COSIGN_PASSWORD
+ COSIGN_PRIVATE_KEY
+ COSIGN_PUBLIC_KEY
+```
+
+Also a good tutorial is
+[here](https://dev.to/n3wt0n/sign-your-container-images-with-cosign-github-actions-and-github-container-registry-3mni),
+though the approach is a little more autoamted and has a keener eye towards
+real-world usage.
+The key-generation step would be more like the following, which automatically
+uploads the public key, private key, and key secret to the github repo:
+```
+ $ GITHUB_TOKEN=ghp_... \
+ COSIGN_PASSWORD=just1testing2password3 \
+ cosign generate-key-pair github://portersrc/infra
+```
+This may be a better realistic case, but it puts the private key in a github
+secret, and I want to just keep it open and readable in the infra repo for
+testing purposes.
+
+
+
+
+
+
+
+## For "simple signing" (i.e. with gpg)
+The first step was to generate a key. Choose the default options for these
+purposes. The command is:
+```
+ $ gpg --full-generate-key
+```
+It has some prompts. The user for testing purposes is:
+```
+ Github Runner
+ git@runner.com
+ just1testing2password3
+```
+
+
+Then we exported it. The `--export-secret-key` option is sufficient for
+exporting both the secret and public key. Example command:
+```
+ $ gpg --export-secret-key F63DB2A1AB7C7F195F698C9ED9582CADF7FBCC5D &> github-runner.keys
+```
+
+This is all that was needed (in addition to creating a .txt file with the
+password to make automation with skopeo testing easy).
+
+The CI will import the key (using `--batch` to avoid typing the password):
+```
+ $ gpg --batch --import github-runner.keys
+```
+
+
+### Other helpful commands
+List public and secret keys:
+```
+ $ gpg --list-keys
+ $ gpg --list-secret-keys
+```
+
+Example of deleting a key (must first delete the secret one first, then the
+public one):
+```
+ $ gpg --delete-secret-keys F63DB2A1AB7C7F195F698C9ED9582CADF7FBCC5D
+ $ gpg --delete-keys F63DB2A1AB7C7F195F698C9ED9582CADF7FBCC5D
+```
diff --git a/container-images/keys/sign/cosign.key b/container-images/keys/sign/cosign.key
new file mode 100644
index 0000000..1785a96
--- /dev/null
+++ b/container-images/keys/sign/cosign.key
@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
+OCwicCI6MX0sInNhbHQiOiJYc083MWhFYVZEMEdMdDh3Q0ZmTU9ybmxKb0RQMG90
+dGY5bnJmTlZJbXVnPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJlWlZDRGI0c0RMT1NzWnZ1QjV0WjAwVjhBMkorV3gvQSJ9LCJj
+aXBoZXJ0ZXh0IjoiSlhLOXFUZzNJaFlMNkd0MG9qekpyUkQ0ZXRjUkh0RmZmYUJB
+L3VmZDFUNFVXQVphcytmR0NGNjFQQnlVTDljTTdONzl2MUIrSDhtd0FhZmYycUVj
+S0RUM3hSYTMwcU9ET29uQUQ0WnRGT1h5K3Zwd0xkcThjT2JkQTZBUVdSREpFZzlL
+ak1zUjZXNVRuSk9xL0ZHc1g2a2QzbjZNbnlZM2ptaXY1V0sveGVJeUdUVUJhVVJM
+V1o2MmdWeHlCTzhtNzZRaHcrK1g5NTRqWUE9PSJ9
+-----END ENCRYPTED SIGSTORE PRIVATE KEY-----
diff --git a/container-images/keys/sign/cosign.pub b/container-images/keys/sign/cosign.pub
new file mode 100644
index 0000000..97c389d
--- /dev/null
+++ b/container-images/keys/sign/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWT07eR1HNK3D2iqHotE0c389aSTh
+Lj0B39PXTBcJzJpkXPO82lLGQdc47V5HPWaPZ2Fc3DWyRoz1oWbnLlvQ5Q==
+-----END PUBLIC KEY-----
diff --git a/container-images/keys/sign/git-runner-password.txt b/container-images/keys/sign/git-runner-password.txt
new file mode 100644
index 0000000..2912acc
--- /dev/null
+++ b/container-images/keys/sign/git-runner-password.txt
@@ -0,0 +1 @@
+just1testing2password3
diff --git a/container-images/keys/sign/github-runner.keys b/container-images/keys/sign/github-runner.keys new file mode 100644 index 0000000000000000000000000000000000000000..cadfcb7a2b9a013aa5efec8f6cd2635825acc65e GIT binary patch literal 3772 zcmV;t4ny&k1%?D>|Dr_!3;^J&F$mzBwdrd!hFM7x&)z|-E~jNOli>rr?Js*;GCV!W zR;(8wf%jChV{}oxIHNhMz2~rZz1^EKI!p)|Z9oA>tJOS>Ld9HM&TI7^6i=Th^TXb{ z+||9K+=fK&H|MFZ)TP0#XqN9t1Cn-o8(cTw`rK(7cWm9~ZNAGDEo3(5e56S;^M)jH zm`Pc5^+#Kqer~l)26A>s*lk$-kq)0P=OeH?1I7oXAKXMhEqz`UwWsD@=33HDHx}0T z+}s0#IkE*k&o#zCXk>;9{+jhA2~&=l130-0TlE)Zb+C_YTnmp@#9>h}*50L>Z=2}T z)FsQPQ`Y2I|LZ34#P@Q&U4WAjIUy_h+$J1?1#2f$Tw~4F+XhuE?M(6PO%vx!E1Uu@Nq@SkOPM-PGq z&n_5tnl+*div&~MAT*p)@B?m7z+Pzu7{3&`-VOV*D+kA2hYbJ`0RRF12Ll2Y1zmRo zUKarS$ELTyG9ZN9|Kl^)wXw7^1vjx{9FK8nqDqFfd1aF```$=H?&v_I9*f}0Q&>w{ z0&j&keAr;+p=EXKh%Nq`45QAXM8ky`_uL@qN!$k9VB1h@w9@YCV`dTs(S|cx%xl2j zwULL;?r_JJRa9f7vW=)an=@h|2p^$WdF+fwhg&pWez}Z1OSC2QZx+~HP(Hoby|ofc&wzYuPuMd>$2k^O)It=_}DlAV-)oP=CBL6lh2nFohV|*JuKEn5gz`d*Bu|^7$Rv(Frptp zHUt0V#V?O~9Q%(=OrU)hN^b`K?8x85vD5Wx(iF8YxQS}QCb)es64&<#3cZ($b)8K9 zxBffdL>%n@zU))Im}uL%tMhCP^5(;TqLyGUdbD?1NoI!-9N0d6)PavjwTuC%x05+4 z%yj8(vldv!Qz7`I&m9!n@2hx3RN1)T(8Tmov?z+Im5V9WGqgi)yQ7~+z#JFm?Lq$! z2!H>-{2s;m8XEq(%@8HgQW0_F6{c3mK{HPrd6LR)Z-G%5c*9G~88q)bkyUi>n5yld zOeI9N^e|i2&8@^Z3iv_chop)Lp@M_G#E14(G1=NtaiY8=4n?oet!0c2&V_XjlDG9`7LVXeqL?oM(Z$1nwV&YT2| zR2bVLqMjLO_7<*t0|}tY{RXZF>x>eepGqh8iq*?69QuO1-ht_kWazZG9~i?0+%Erz zPD45182-!A>42fXrwV)pw707XLBz3NjDsJ;m0Zay#L3ywx3iQHmGjT)i4JUUnyY-w zZ{M4{CI!nl0or!kbZB*AAX0U1Ze?;HJZEWiKyr0%Ze?;VV{dIf zi2=?869EbUI2IuU_C2zpt9*YMUule<*;p*C_xsFU1p;ROqD2B50|g5S2nPZN6$%Lm z3jzcd0s{d89svRufB*^!5ZPEPt@r!PU1S~$|60aGVY-#B(nY9Y=rWbC8R7&K;bnw-N(rl zmvsPK{fm@d^7k?c63CgBTi(D&EkeCC{};OFtN=$`_IV?m!Pm~(!$zuPAf+Y|<4my! 
zZY3pB4YL@j)zzu%58bAdH9OXPpIx z1ZMxDMF9)|p3_E4Tu>7m_Zgdy-*hXGw1VqoTw=Y0Q=#YHO?zbx4Ift73^#m_=O~9L zj{UeB8 z#qm4I6p#PhmtANF`A+lK{IU@ZbMj_mhKp%5J{YLY7$h>4Ev>$UG0FVVYH{P*(xgN7 zqffc&Xx9yuRFC|?1M=7LV9e(S(kD1De%4-BvfuY&c2$ZtT0Y1ol+eas*8PlCgZn)Z z1S^JwkRjxQXjF@LT-@VHsT@C{8Gn5pBRN*s48LrMWB8Nu9NP_SLLtHxdUw1-umPw? zxeih!rsT~JAjLctH6TbsLYQOne>v1rU+W!IQr?a} zm${@Clt8^MC5JlR6UP_$5n*6s$Rxey7cheUQr~kQZEpn}chnC%K@|6r9Pk^m!U^Ux z@}yEh4HvZui7-n?sU27oYf(7z9X_p*WZ_kb01*KI0saRA0$LjrY@7rSsrwO4u;+7u z6+=*drEFl`BgkRG(Mo>kUd8c=SU^ja9lT|N?`oEUV#V>4&6 zqdn=Lv@%bX<1~Gll`N4QS~tm57lPy-LTXxtH@=+`$#TSgA-QULTg#=I;&LmSbmPZZ zk}hCAN*~G?wf+#joSbjzvm@Zp%oXH3#q#~4xxaYiiVr-S5GJ8gr||HqNx_xCiYNSHJ6#7e3Ma-z;bZ235OxGI#k*<%ln`+Mi1nq zgM^*b{Ya+8qa2v6pwChn4o|y{bpXH|b>)F@p$o(C=HWwlbv&JF^U+;(kEW>x&s~bT z#S^QOdhU-dC@s!zeDjLL_*>$68uFSX6L5HoNetFc2CH13qmjPI?qG$JP^!iwrLEQ1fb&FpCI9*sZHPWtwSqQDI zhUV`+et*$eD)`9t+HF=%PQ&3WU&hS68yv_~G@Gyvna#@%2FA^KIG26Zo60=UMmKR9 zJ=O5BR^AH70Z)OIarcu-?8DChM?rjJTVe1*LahtPqCwHU$e3k$?}3P zrPKB-->ctkOj@X{t53G$pP&t)BTm8UEiUbe6m*Y!2cG&}zh55|Fv@8G4)VQt4t1F6 zXS2Hzb!vUaWjA1tRVev;zYj;*7R2KiB>E1rRIVv1rf8aW3qjdliH^BibT9;%ZY2Fv z2(h7Y%`MpAqAQ};%$MZnb00@WBsYr+;G=`L)RtQdoe4=^WopxZ$#)HPlCbynt4|dR z;+-2@T~@VwEOS~>zCIdSIi^yi^mex@o8^M(0lE#`h6U{Nl0v%|M7duh{v*+Ju?*AP z2#dz+g-7Pr$MlH-wgeaf3IHG$Aq4h4vZ1Sde;HqCjGoz8EUowZ%v}WnX8)o^0vikf z3JDO|SS+pg`^;Tt@C*Qv^dsIg&JlWV9bC??wc7Hi`@pcat0rOF4s?y6>^T&ViPz_9 zQy;;bB5W}ix3VEm)N;DTe^Aue`x#Asc0clw`Dod%kFxg{^yu`#@T>Mb z*Akk!v|TfY6RcsO0nHqO?Xr@h^c%_pDPH=?+ixRgClwjU?8a&*ja_57^2aWH mPiUQPK%*zvlKnLAim@7yZ<|6mG*)oEX>ygR+;SeQHbs(GDM6wD literal 0 HcmV?d00001 diff --git a/container-images/keys/ssh/ccv0-ssh b/container-images/keys/ssh/ccv0-ssh new file mode 100644 index 0000000..0657b74 --- /dev/null +++ b/container-images/keys/ssh/ccv0-ssh 
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAfiGV2X4o+6AgjVBaY/ZR2UvZp84dVYF5bpNZGMLylQwAAAIhawtHJWsLR
+yQAAAAtzc2gtZWQyNTUxOQAAACAfiGV2X4o+6AgjVBaY/ZR2UvZp84dVYF5bpNZGMLylQw
+AAAEAwWYIBvBxQZgk0irFku3Lj1Xbfb8dHtVM/kkz/Uz/l2h+IZXZfij7oCCNUFpj9lHZS
+9mnzh1VgXluk1kYwvKVDAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----
diff --git a/container-images/keys/ssh/ccv0-ssh.pub b/container-images/keys/ssh/ccv0-ssh.pub
new file mode 100644
index 0000000..d412d78
--- /dev/null
+++ b/container-images/keys/ssh/ccv0-ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+IZXZfij7oCCNUFpj9lHZS9mnzh1VgXluk1kYwvKVD
diff --git a/container-images/keys/ssh/ssh_host_ed25519_key b/container-images/keys/ssh/ssh_host_ed25519_key
new file mode 100644
index 0000000..59240d5
--- /dev/null
+++ b/container-images/keys/ssh/ssh_host_ed25519_key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBZCWq2MBTX8Bkvdtf9htpfqTTosRzYtTQgbeHADF1k3wAAAJiKehLQinoS
+0AAAAAtzc2gtZWQyNTUxOQAAACBZCWq2MBTX8Bkvdtf9htpfqTTosRzYtTQgbeHADF1k3w
+AAAEAlKROeyUCGfooVH87ObAnd4FAgvSnCgiIY2R6G+PpRTVkJarYwFNfwGS921/2G2l+p
+NOixHNi1NCBt4cAMXWTfAAAAFHJvb3RAYnVpbGRraXRzYW5kYm94AQ==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/container-images/keys/ssh/ssh_host_ed25519_key.pub b/container-images/keys/ssh/ssh_host_ed25519_key.pub
new file mode 100644
index 0000000..9b9fd21
--- /dev/null
+++ b/container-images/keys/ssh/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFkJarYwFNfwGS921/2G2l+pNOixHNi1NCBt4cAMXWTf root@buildkitsandbox
diff --git a/container-images/scripts/make-cosign-sig.exp b/container-images/scripts/make-cosign-sig.exp
new file mode 100755
index 0000000..01e488f
--- /dev/null
+++ b/container-images/scripts/make-cosign-sig.exp
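Review bot: `ccv0-ssh` is the private half of the key the alpine-with-sshd Dockerfile installs as root's `authorized_keys`, and `ssh_host_ed25519_key` is the host key baked into the same image, so anyone with this repository can log in as root to any reachable instance of the published test images and can impersonate their sshd to a client that has learned the host key; that is presumably acceptable for throwaway test containers, but unlike keys/sign/ this directory carries no README saying so. Suggest a short `keys/ssh/README.md` stating that these keys are public and test-only, must never be added to a real `known_hosts` or `authorized_keys`, and how to regenerate them (the `ssh-keygen` lines already in the Dockerfile comments would do). Committed OpenSSH private keys are also a pattern GitHub secret scanning flags, so expect push-protection or scanning alerts on this path unless they are explicitly dismissed.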
@@ -0,0 +1,16 @@
+#!/usr/bin/expect
+
+set COCO_PKG [lindex $argv 0]
+set IMG_TAG [lindex $argv 1]
+
+# XXX ONLY use for testing. Private key (cosign.key) is obviously exposed.
+# And the password for this key is: just1testing2password3
+spawn cosign sign --key keys/sign/cosign.key ghcr.io/$COCO_PKG:$IMG_TAG
+
+#By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
+expect "Are you sure you would like to continue?"
+
+# yes
+send -- "y\n"
+
+expect eof
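Review bot: The script exits 0 whatever cosign does: the final `expect eof` never inspects the child's exit status, and if the confirmation prompt does not appear (cosign asking for the key password because `COSIGN_PASSWORD` is unset, or a registry error) the first `expect` silently hits its default 10 s timeout and `y` is sent anyway, so a failed signing does not fail the Makefile target that calls this. cosign v2 accepts `--yes` to skip the confirmation prompt, which removes the need for expect entirely: `cosign sign --yes --key keys/sign/cosign.key ghcr.io/$(COCO_PKG):cosign-sig` can replace the script invocation in the Makefile's `cosign-sig` and `enc-cosign-sig` recipes. If the script is kept, fold prompt, timeout and eof into one `expect` and propagate cosign's exit status through `wait`, as below.

```tcl
# … unchanged: argument parsing and spawn …
set timeout 120
expect {
    "Are you sure you would like to continue?" { send -- "y\n"; exp_continue }
    timeout { puts stderr "ERROR: timed out waiting for cosign"; exit 1 }
    eof     { }
}
# Propagate cosign's exit status so a failed signing fails the make target.
catch wait result
exit [lindex $result 3]
```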