Universal Blue base images are now verified during the build process!

General
1

I am excited to announce that over the weekend there was a significant security enhancement to Universal Blue’s image supply chain! As of December 24th, Ublue images built downstream of main now verify the signature of their base image.

Last week, I started working on cosign-action, a set of actions looking to simplify the process of using sigstore’s ‘cosign’ in GitHub workflows. So far this includes two actions - verify and sign.

Verify

The verify action can verify any image against either a public key or certificate. For example, Bluefin DX images currently benefit from both as they verify the base image they are building from using their respective public keys and verify the Chainguard images pulled from via their certificate.

Sign

The ‘sign’ action seeks to simplify the process of signing an image with ‘cosign’ after it has been pushed to the container registry. Incorporating signing in your project will provide a significant boost in security, allowing end users to verify the image before pulling it in.

FAQ

Why?

It is completely possible for any project not signing or verifying their containers that a malicious actor may find a way to tamper with the base container pulled in by a downstream one.

Even if the upstream container wasn’t signed, it would still be pulled in by the downstream container building from it that, regardless of being signed or unsigned, now contains the contents of the malicious base container. That’s why a chain of verification is important.

After all, a chain is only as strong as its weakest link.

What does this mean for users?

The chances of the image you’re running having been tampered with by a malicious actor are significantly lower. Up to now, to ensure the integrity of the image you are running, you would have had to of checked the signature of every image being pulled from during the build process. Now this isn’t necessary as our CI handles this for us.

Why not main images?

Unfortunately, at this time, the Fedora images upstream of main are not currently signed using sigstore. I’d imagine this won’t be the case for much longer.

Why not sign images while pushing them to the container registry?

There is ongoing work for that here in Red Hat’s push-to-registry action, though there is no timeline for when this will this will land.

Happy holidays!

7 Likes