{"id":238121,"date":"2022-12-29T08:37:00","date_gmt":"2022-12-29T13:37:00","guid":{"rendered":"https:\/\/wordpress-756359-3782526.cloudwaysapps.com\/?p=238121"},"modified":"2024-09-21T04:53:25","modified_gmt":"2024-09-21T04:53:25","slug":"22-12-29-security-singing","status":"publish","type":"post","link":"https:\/\/www.travis-ci.com\/blog\/22-12-29-security-singing\/","title":{"rendered":"Sign your software with Travis CI"},"content":{"rendered":"\n<p><\/p>\n\n\n\n<p>Software Supply Chain security is the act of securing the components, activities, and practices involved in creating and deploying software. One of these practices is developers digitally signing the software before releasing it. The digital certificate serves the purpose of ensuring that the software has not been tampered with and that the receiver can safely download it.<\/p>\n\n\n\n<p>Now, before you deploy your software with a CI\/CD system, you can securely sign it using Travis CI.<\/p>\n\n\n\n<p>After the President of the United States issued the Executive Order in May 2021, the software development industry, and the CI\/CD community in particular, is experiencing a significant rise in security awareness and in features that improve software vendors\u2019 ability to comply with the Secure Software Supply Chain initiative. Whether you are a small software team or a large, established software provider, you may face the following requirements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A Software Bill of Materials (SBOM) must accompany your releases.<\/li>\n\n\n\n<li>Regular security scans must be executed and their reports produced.<\/li>\n\n\n\n<li>Software releases, be they binary files, source code packages, or container image(s) with your application or system, must be securely signed.<\/li>\n<\/ul>\n\n\n\n<p>To ease and automate satisfying the above requirements, modern CI\/CD systems integrate with tooling that generates the required elements as part of your CI\/CD process. 
Travis CI is no different.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-securely-signing-software-server-side\">What is securely signing software? (Server Side)<\/h2>\n\n\n\n<p>Let\u2019s take a Docker image, for example: signing is the process of digitally signing Docker images to confirm the software author\u2019s identity; think of it as a PGP key, to a degree. It provides assurance that the code has not been altered or compromised. There are two ways image signing can work:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>At the client side.<\/li>\n\n\n\n<li>At the server side.<\/li>\n<\/ul>\n\n\n\n<p>Let\u2019s walk through how the process works on the server side, shown in the graphic below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"806\" src=\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/12\/210028387-b0c6504e-f690-4a7d-bd20-8b1c2e5deef7-1024x806-1.png\" alt=\"\" class=\"wp-image-240068\" srcset=\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/12\/210028387-b0c6504e-f690-4a7d-bd20-8b1c2e5deef7-1024x806-1.png 1024w, https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/12\/210028387-b0c6504e-f690-4a7d-bd20-8b1c2e5deef7-1024x806-1-300x236.png 300w, https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/12\/210028387-b0c6504e-f690-4a7d-bd20-8b1c2e5deef7-1024x806-1-768x605.png 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Any registry or runtime that claims to support a certain Docker distribution image specification will be interacting with the various manifest types. Now that you have an idea of how it works on the server side, it\u2019s worth going through the server-side process step by step once more:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The original image (sometimes called the manifest) is first hashed by a hashing algorithm; this is usually called \u2018salting\u2019. 
Salting is simply a randomly chosen bit pattern that is combined with the image before it is hashed by a hashing algorithm. The flow is as follows: if the hashes are&nbsp;<code>equal<\/code>&nbsp;then the image is&nbsp;<code>not<\/code>&nbsp;tampered with.<\/li>\n\n\n\n<li>The resulting hash of the Docker image is then signed with the developer\u2019s own private key.<\/li>\n\n\n\n<li>The signed hash is then packaged with the original image and the digital certificate; together these are also known as an image signing certificate.<\/li>\n\n\n\n<li>Now, it can be uploaded or transferred to the customer.<\/li>\n<\/ul>\n\n\n\n<p>You can in fact query Docker Hub for the signature and signer status of a repository with:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>docker trust inspect --pretty travisci\/signatures<\/code><\/pre>\n\n\n\n<p>This will list the notaries behind the image.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"client-side\">Client Side<\/h2>\n\n\n\n<p>Now, let\u2019s go through how the process takes place on the client side:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"643\" src=\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/12\/210028171-e1d8f064-90c8-42b4-974a-26ce3f6c65a4-1024x643-1.png\" alt=\"\" class=\"wp-image-240067\" srcset=\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/12\/210028171-e1d8f064-90c8-42b4-974a-26ce3f6c65a4-1024x643-1.png 1024w, https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/12\/210028171-e1d8f064-90c8-42b4-974a-26ce3f6c65a4-1024x643-1-300x188.png 300w, https:\/\/www.travis-ci.com\/wp-content\/uploads\/2022\/12\/210028171-e1d8f064-90c8-42b4-974a-26ce3f6c65a4-1024x643-1-768x482.png 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The original Docker image is passed through a hashing algorithm to get the hash of the image; in other words, at this point the image is being 
\u201csalted.\u201d<\/li>\n\n\n\n<li>The public key is extracted from the certificate and applied to the signed hash of the Docker image to recover the hash of the image; at this point you can see the notaries.<\/li>\n\n\n\n<li>The hashes produced in steps 1 and 2 are compared; if both hashes are the same, the image has not been changed and the signature is considered valid.<\/li>\n\n\n\n<li>At the same time, the image signing certificate is checked to ensure it was signed by a trusted CA. The expiry date of the image signing certificate is checked, and the certificate is also checked against the revocation lists to ensure it is valid.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-to-sign-your-software-with-travis-ci\">How to sign your software with Travis CI<\/h2>\n\n\n\n<p>Travis CI offers the ability to sign your software using the&nbsp;<em><a href=\"https:\/\/github.com\/sigstore\/cosign\">cosign<\/a><\/em>&nbsp;tool and a key.<\/p>\n\n\n\n<p><em>Cosign<\/em>&nbsp;is a part of the&nbsp;<a href=\"https:\/\/www.sigstore.dev\/\">Sigstore project<\/a>, which provides the tooling required for the Secure Software Supply Chain.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"have-a-dedicated-key-for-signing-the-software-ready\">Have a dedicated key for signing the software ready<\/h2>\n\n\n\n<p>To sign your software with Travis CI, you need to have a dedicated key ready. 
To obtain a dedicated key, you have two options:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can upload a passwordless SSH key in PEM format to your Travis CI account (either personal or organization settings) &#8211; there\u2019s a new option called \u2018SSH Key for build jobs\u2019 in the settings tab; scroll down to the bottom.<\/li>\n\n\n\n<li>The second option is a self-managed Hashicorp Vault to which Travis CI has access; store the key there so that a user associated with Travis CI can obtain it.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"sign-the-container-image-during-the-build-job\">Sign the container image during the build job<\/h2>\n\n\n\n<p>If you are using a key uploaded to Travis CI, use the following examples:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>keys:\n  - SSH_KEY_FOR_SIGNING # must match the key identifier set in the UI<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>env:\n  global:\n    - secure: \"...\" # encrypted COSIGN_PASSWORD=... string; see cosign doc<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>before_script:\n  - travis_key SSH_KEY_FOR_SIGNING cosign.key  # cosign requires the key to be in a file<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>script:\n  - cosign sign --key cosign.key &#91;whatever_the_image_identifier_is]<\/code><\/pre>\n\n\n\n<p>If you prefer to obtain the key directly from Hashicorp Vault during the build job, try the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vault:\n  api_url: &#91;single value endpoint address:port] # mandatory\n  token:\n    secure: \"...\" # mandatory\n    # This will make the default VAULT_ADDR and VAULT_TOKEN available for cosign.<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>script:\n  - cosign sign --key hashivault:\/\/some-key-identifier &#91;whatever_the_image_identifier_is]<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"deploy-the-release-or-container-image\">Deploy the release or container image<\/h2>\n\n\n\n<p>Once the file or container image is signed, you can deploy it to the designated location, much like you did up until now.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"considerations\">Considerations<\/h2>\n\n\n\n<p>Since securely signing software is meant to authenticate the release, it is very important to protect the key used for signing. There are certain security considerations, especially for cloud CI\/CD systems, which present an attack surface for malicious actors. 
The details will vary between CI\/CD providers, e.g., depending on whether the build logs are public or private, the exact mechanisms used to deliver a key to the jobs, access control, and specific settings.<\/p>\n\n\n\n<p>Please make sure you familiarize yourself with the respective section of our documentation page for Securely Signing Software whenever you consider securely signing your software using Travis CI.<\/p>\n\n\n\n<p>Read more:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.travis-ci.com\/user\/securely-signing-software\">Securely Signing Software documentation page<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/docs.travis-ci.com\/user\/hashicorp-vault-integration\">Hashicorp Vault Integration documentation<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Software Supply Chain security is the act of securing the components, activities, and practices involved in creating and deploying software. One of these practices is digitally signing the software by the developers before releasing it. 
The digital certificate serves the purpose of ensuring that the software has not been tampered with and the receiver can [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_breakdance_hide_in_design_set":false,"_breakdance_tags":"","footnotes":""},"categories":[16],"tags":[7,19,20,5],"class_list":["post-238121","post","type-post","status-publish","format-standard","hentry","category-news","tag-community","tag-feature","tag-infrastructure","tag-news"],"_links":{"self":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/238121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/comments?post=238121"}],"version-history":[{"count":1,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/238121\/revisions"}],"predecessor-version":[{"id":240069,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/238121\/revisions\/240069"}],"wp:attachment":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/media?parent=238121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/categories?post=238121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/tags?post=238121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}