chore(hardening): cosign checksum, base-image digest pinning, Jenkins secret#151
Open
lfrancke wants to merge 1 commit into
Open
chore(hardening): cosign checksum, base-image digest pinning, Jenkins secret#151lfrancke wants to merge 1 commit into
lfrancke wants to merge 1 commit into
Conversation
…ns secret - Verify the cosign RPM against a pinned sha256 before `rpm -ivh` (monitor-oci-artifacts, harbor-sbom-browser) so a tampered release asset can't be installed. HTTPS gives transport security, not artifact integrity. - Pin the ubi-minimal base images by digest (harbor-gc, nexus-gc -> ubi8 8.10; monitor-oci -> ubi9 9.6, matching harbor-sbom-browser) for reproducible builds. - jobbuilder.groovy: pass the bot password to the container via env pass-through (`--env JENKINS_PASSWORD`) instead of `--env JENKINS_PASSWORD=$VALUE`, which put the secret in the docker process arguments (visible via host `ps`).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Build / deploy hardening (F24, F25, F09)
monitor-oci-artifactsandharbor-sbom-browserdownloaded the cosign RPM over HTTPS andrpm -ivh'd it with no integrity check. Now verified against a pinned sha256 (7b6ae0f1…, confirmed against the real v3.0.2 x86_64 asset) before install.harbor-gc/nexus-gcnow pinubi8/ubi-minimal:8.10@sha256:578b2389…;monitor-ocipinsubi9/ubi-minimal:9.6@sha256:7c5495d5…(the same digestharbor-sbom-browseralready uses). Reproducible builds; matches the existing pattern in this repo.jobbuilder.groovypassed--env JENKINS_PASSWORD=$JENKINS_BOT_PASSWORD, putting the secret into thedocker runprocess arguments (visible via hostps). Switched to env pass-through (--env JENKINS_PASSWORD).Verification
hadolintclean on the changed lines (remaining DL3006/DL3041 are pre-existing — the internal rust-builder base and microdnf version pinning).registry.access.redhat.com.Notes
oci.stackable.tech/sdp/ubiX-rust-builderbuilder stage is left untagged, consistent with the rest of the repo.docker inspect; fully avoiding that (Docker secrets / files) is a larger change left out here.