feat: secure build phase 1 — cosign cell-side image verification (warn default) + Dockerfile validation
Unit Tests / test (push) Successful in 13m28s
Unit Tests / test (push) Successful in 13m28s
- config/cosign/cosign.pub: public verification key committed to repo (safe); cosign private key lives in /home/roof/.pic-secrets/ and is NEVER committed - api/config_manager.py: image_verification config block (modes: off|warn|enforce, default: warn) so existing deployments are unaffected until images are signed - api/service_composer.py: cosign verify before pull/up; enforce aborts the operation, warn logs and proceeds, off skips entirely; also fixes the prior unsafe proceed-on-pull-failure path - api/service_store_manager.py: store-image digest requirement (warn default, reject under enforce) - api/Dockerfile: cosign binary copied from the official cosign image - docker-compose.yml: config/cosign/ bind-mounted into cell-api container - install.sh: ensure/verify bundled cosign pubkey on new cell installs - api/manifest_validator.py: validate_build_context() — Dockerfile lint - tests: full coverage for config modes, composer verify paths, store digest guard, and validate_build_context Verification defaults to warn so nothing breaks in production until images are signed (phase 2). Private key stored outside git at /home/roof/.pic-secrets/. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -306,6 +306,21 @@ class ServiceStoreManager(BaseServiceManager):
|
||||
if not ok2:
|
||||
return {'ok': False, 'errors': errs2}
|
||||
|
||||
# Digest-pin requirement is mode-dependent: the static validators
|
||||
# above only warn on a missing @sha256: pin (so installs keep
|
||||
# working until the publish pipeline writes digests). Under
|
||||
# enforce, a store image without a digest pin is fatal.
|
||||
mode = self.config_manager.get_image_verification_mode()
|
||||
image = manifest.get('image', '')
|
||||
if mode == 'enforce' and image and '@sha256:' not in image:
|
||||
return {
|
||||
'ok': False,
|
||||
'error': (
|
||||
f'image {image!r} must be digest-pinned (@sha256:) '
|
||||
'under image_verification mode "enforce"'
|
||||
),
|
||||
}
|
||||
|
||||
# Dependency check
|
||||
if self.service_composer is not None:
|
||||
err = self.service_composer._resolve_requires(manifest, installed)
|
||||
|
||||
Reference in New Issue
Block a user