Skip to content

chore(hardening): cosign checksum, base-image digest pinning, Jenkins secret#151

Open
lfrancke wants to merge 1 commit into
mainfrom
chore/build-hardening
Open

chore(hardening): cosign checksum, base-image digest pinning, Jenkins secret#151
lfrancke wants to merge 1 commit into
mainfrom
chore/build-hardening

Conversation

@lfrancke

Copy link
Copy Markdown
Member

Build / deploy hardening (F24, F25, F09)

  • cosign RPM integrity (F24)monitor-oci-artifacts and harbor-sbom-browser downloaded the cosign RPM over HTTPS and rpm -ivh'd it with no integrity check. Now verified against a pinned sha256 (7b6ae0f1…, confirmed against the real v3.0.2 x86_64 asset) before install.
  • Base-image digest pinning (F25)harbor-gc/nexus-gc now pin ubi8/ubi-minimal:8.10@sha256:578b2389…; monitor-oci pins ubi9/ubi-minimal:9.6@sha256:7c5495d5… (the same digest harbor-sbom-browser already uses). Reproducible builds; matches the existing pattern in this repo.
  • Jenkins secret exposure (F09)jobbuilder.groovy passed --env JENKINS_PASSWORD=$JENKINS_BOT_PASSWORD, putting the secret into the docker run process arguments (visible via host ps). Switched to env pass-through (--env JENKINS_PASSWORD).

Verification

  • hadolint clean on the changed lines (remaining DL3006/DL3041 are pre-existing — the internal rust-builder base and microdnf version pinning).
  • The pinned checksum verifies successfully against the actual downloaded RPM.
  • Base-image digests resolved live from registry.access.redhat.com.

Notes

  • The internal oci.stackable.tech/sdp/ubiX-rust-builder builder stage is left untagged, consistent with the rest of the repo.
  • Passing secrets as container env still exposes them via docker inspect; fully avoiding that (Docker secrets / files) is a larger change left out here.

…ns secret

- Verify the cosign RPM against a pinned sha256 before `rpm -ivh`
  (monitor-oci-artifacts, harbor-sbom-browser) so a tampered release asset
  can't be installed. HTTPS gives transport security, not artifact integrity.
- Pin the ubi-minimal base images by digest (harbor-gc, nexus-gc -> ubi8 8.10;
  monitor-oci -> ubi9 9.6, matching harbor-sbom-browser) for reproducible builds.
- jobbuilder.groovy: pass the bot password to the container via env pass-through
  (`--env JENKINS_PASSWORD`) instead of `--env JENKINS_PASSWORD=$VALUE`, which
  put the secret in the docker process arguments (visible via host `ps`).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant