This contains the content used to demo sigstore at the OpenShift Commons Briefing on March 30, 2021; a recording of this can be found at https://www.youtube.com/watch?v=yKrbUGSwrEw.

Slides from the presentation can be seen at: https://speakerdeck.com/redhatopenshift/secure-your-open-source-supply-chain-with-sigstore.

From OpenShift Operator Hub, install OpenShift Pipelines Operator.

Note: The Tekton resources in this repo main branch work with OpenShift Pipelines 1.2.3. This is the version for OCP 4.6.

If you have OCP 4.7, you have to specifically select the OCP 4.6 channel to install Pipelines 1.2.3.

Create a project/namespace called sigstore-demo-gk

oc new-project sigstore-demo-gk

Add pipeline service account to the priveleged scc:

oc adm policy add-scc-to-user privileged -z pipeline

Create the registry-credentials secret:

kubectl create secret docker-registry registry-credentials --docker-server=https://index.docker.io/v2/  --docker-username=gkovan [email protected] --docker-password=my-fake-password -n sigstore-demo-gk

Patch the pipeline service account with the image pull secret:

kubectl patch serviceaccount pipeline \
  -p "{\"imagePullSecrets\": [{\"name\": \"registry-credentials\"}]}" -n sigstore-deme-gk

Pull the base image:

docker pull registry.access.redhat.com/ubi8/ubi-minimal:8.3

Create a tag to of the image to reference the dockerhub repo:

docker tag registry.access.redhat.com/ubi8/ubi-minimal:8.3  gkovan/ubi8-minimal:8.3

Push the base image to image registry

docker push gkovan/ubi8-minimal:8.3

Sign the image

export COSIGN_EXPERIMENTAL=1

cosign sign -a mode=keyless gkovan/ubi8-minimal:8.3

Verify the image is signed

cosign verify gkovan/ubi8-minimal:8.3

oc apply -f ./config/tekton/task

oc apply -f ./config/tekton/pipeline

oc apply -f ./config/tekton/trigger

Once the el-sigstore-demo-app service has been created by Tekton, expose it by running:

oc expose service el-sigstore-demo-app

Open GitHub repo (Go to Settings > Webhooks) click on Add webhook. Under Payload URL, paste the output of:

echo $(oc get route el-sigstore-demo-app --template='http://{{.spec.host}}')

Select Content type as application/json. Add secret eg: sigstore. Click on Add Webhook.

Now when we perform any push event on the repo, it will trigger the pipeline with a new pipeline run. To test it, run:

git commit -m "empty-commit" --allow-empty && git push origin main