roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Wiki Activity

feat: secure build phase 1 — cosign cell-side image verification (warn default) + Dockerfile validation
Unit Tests / test (push) Successful in 13m28s
Details

Browse Source 
- config/cosign/cosign.pub: public verification key committed to repo (safe);
  cosign private key lives in /home/roof/.pic-secrets/ and is NEVER committed
- api/config_manager.py: image_verification config block (modes: off|warn|enforce,
  default: warn) so existing deployments are unaffected until images are signed
- api/service_composer.py: cosign verify before pull/up; enforce aborts the
  operation, warn logs and proceeds, off skips entirely; also fixes the prior
  unsafe proceed-on-pull-failure path
- api/service_store_manager.py: store-image digest requirement (warn default,
  reject under enforce)
- api/Dockerfile: cosign binary copied from the official cosign image
- docker-compose.yml: config/cosign/ bind-mounted into cell-api container
- install.sh: ensure/verify bundled cosign pubkey on new cell installs
- api/manifest_validator.py: validate_build_context() — Dockerfile lint
- tests: full coverage for config modes, composer verify paths, store digest
  guard, and validate_build_context

Verification defaults to warn so nothing breaks in production until images are
signed (phase 2). Private key stored outside git at /home/roof/.pic-secrets/.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-06-11 03:53:47 -04:00
parent 8d904b1b8f
commit 238db60702
12 changed files with 622 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
install.sh
+11
View File
@@ -353,6 +353,17 @@ fi
sudo git config --system --add safe.directory "$PIC_DIR" 2>/dev/null || true
# The cosign public key ships in the repo and is bind-mounted into cell-api so
# store-service image signatures can be verified offline. It is checked in
# (config/cosign/cosign.pub), so the clone above should already provide it;
# warn loudly if it is somehow missing rather than silently skipping verify.
COSIGN_PUBKEY="${PIC_DIR}/config/cosign/cosign.pub"
if [ -f "$COSIGN_PUBKEY" ]; then
log_ok "cosign public key present at ${COSIGN_PUBKEY}"
else
log_warn "cosign public key missing at ${COSIGN_PUBKEY} — image signature verification will be unavailable"
fi
# ---------------------------------------------------------------------------
# Step 5 — Run make install
# ---------------------------------------------------------------------------