feat: add sigstore-policy-tester extension

To enable verifying of every container image run through containerd

Author: BobyMCbobs

Makefile

@@ -107,6 +107,7 @@ TARGETS += realtek-firmware
 TARGETS += revpi-firmware
 TARGETS += spin
 TARGETS += stargz-snapshotter
+TARGETS += containerd-image-verifier-sigstore
 TARGETS += tailscale
 TARGETS += tenstorrent
 TARGETS += thunderbolt

tools/containerd-image-verifier-sigstore/10-containerd-image-verifier.part

@@ -0,0 +1,5 @@
+[plugins]
+  [plugins."io.containerd.image-verifier.v1.bindir"]
+    bin_dir = "/usr/local/bin/containerd-image-verifier"
+    max_verifiers = 10
+    per_verifier_timeout = "10s"

tools/containerd-image-verifier-sigstore/README.md

@@ -0,0 +1,47 @@
+# containerd-image-verifier-sigstore extension
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Usage
+
+```yaml
+machine:
+  files:
+    - content: |
+        apiVersion: policy.sigstore.dev/v1alpha1
+        kind: ClusterImagePolicy
+        metadata:
+          name: system
+        spec:
+          images:
+          - glob: "**"
+          authorities:
+          - keyless:
+              url: https://fulcio.sigstore.dev
+              identities:
+              - issuer: https://accounts.google.com
+                subject: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com
+            ctlog:
+              url: https://rekor.sigstore.dev
+      path: /var/local/etc/containers/sigstore/kubernetes.yaml
+      op: create
+    - content: |
+        apiVersion: policy.sigstore.dev/v1alpha1
+        kind: ClusterImagePolicy
+        metadata:
+          name: system
+        spec:
+          images:
+          - glob: "**"
+          authorities:
+          - keyless:
+              identities:
+              - issuer: https://accounts.google.com
+                subjectRegExp: "@siderolabs\.com$"
+      path: /var/local/etc/containers/sigstore/siderolabs.yaml
+      op: create
+```
+
+**Important note: add all other identities and keys within the ClusterImagePolicy above for target container images**

tools/containerd-image-verifier-sigstore/manifest.yaml

@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: containerd-image-verifier-sigstore
+  version: "$VERSION"
+  author: Caleb Woodbine
+  description: |
+    Verify images signed with Sigstore against ClusterImagePolicy declarations
+  compatibility:
+    talos:
+      version: ">= v1.9.0"

tools/containerd-image-verifier-sigstore/pkg.yaml

@@ -0,0 +1,75 @@
+name: containerd-image-verifier-sigstore
+variant: scratch
+shell: /bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/sigstore/policy-controller/archive/refs/tags/{{ .SIGSTORE_POLICY_TESTER_VERSION }}.tar.gz
+        destination: sigstore-policy-controller.tar.gz
+        sha256: {{ .SIGSTORE_POLICY_TESTER_VERSION_SHA256 }}
+        sha512: {{ .SIGSTORE_POLICY_TESTER_VERSION_SHA512 }}
+      - url: https://github.com/BobyMCbobs/containerd-image-verifier-sigstore/archive/refs/tags/{{ .CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION }}.tar.gz
+        destination: containerd-image-verifier-sigstore.tar.gz
+        sha256: {{ .CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION_SHA256 }}
+        sha512: {{ .CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION_SHA512 }}
+    env:
+      GOPATH: /tmp/go
+    cachePaths:
+      - /.cache/go-build
+      - /tmp/go/pkg
+  - network: default
+    prepare:
+      - |
+        sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+      - |
+        mkdir -p ${GOPATH}/src/github.com/sigstore/policy-controller
+
+        tar -xzf sigstore-policy-controller.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/sigstore/policy-controller
+      - |
+        mkdir -p ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+
+        tar -xzf containerd-image-verifier-sigstore.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+      - |
+        cd ${GOPATH}/src/github.com/sigstore/policy-controller
+        go mod download
+      - |
+        cd ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+        go mod download
+  - network: none
+    build:
+      - |
+        cd ${GOPATH}/src/github.com/sigstore/policy-controller
+
+        mkdir ./bin
+
+        CGO_ENABLED=0 go build -o ./bin/sigstore-policy-tester ./cmd/tester
+      - |
+        cd ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+
+        mkdir ./bin
+
+        CGO_ENABLED=0 go build -ldflags="-X 'main.DefaultPolicyDirPath=/var/local/etc/containers/sigstore/'" -o ./bin/containerd-image-verifier-sigstore .
+    install:
+      - |
+        cd ${GOPATH}/src/github.com/sigstore/policy-controller
+        mkdir -p /rootfs/usr/local/bin/
+        cp -av bin/sigstore-policy-tester /rootfs/usr/local/bin/
+      - |
+        cd ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+        mkdir -p /rootfs/usr/local/bin/containerd-image-verifier/
+        cp -av bin/containerd-image-verifier-sigstore /rootfs/usr/local/bin/containerd-image-verifier/
+      - |
+        mkdir -p /rootfs/etc/cri/conf.d
+        cp /pkg/10-containerd-image-verifier.part /rootfs/etc/cri/conf.d/
+    test:
+      - |
+        mkdir -p /extensions-validator-rootfs
+        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
+        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
+        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /

tools/containerd-image-verifier-sigstore/vars.yaml

@@ -0,0 +1,2 @@
+VERSION: "{{ .SIGSTORE_POLICY_TESTER_VERSION }}"
+CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION: "{{ .CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION }}"

tools/vars.yaml

@@ -6,3 +6,11 @@ LIBNVME_SHA512: 96a1bbd6cea1e77381254e242e781b023416abfbf44c82a0aa6eb0b316b30316
 NVME_CLI_VERSION: v2.14
 NVME_CLI_SHA256: ff689ec0dabd32e8077a9fc0b2732067b08dedeef471aadea0136ae210f6edd1
 NVME_CLI_SHA512: 7f600ee719f06283e136427a0f9eb0b22412f7f4549c774768caff54150207ba87e2a431ea1569e5ed86a554aecd23c00c4e8c351aa0168a81807c86a0cb2edc
+# renovate: datasource=github-releases depName=sigstore/policy-tester
+SIGSTORE_POLICY_TESTER_VERSION: v0.12.0
+SIGSTORE_POLICY_TESTER_VERSION_SHA256: f0a3545341b426a77452f58be10f01d194e157e8232bf512967fd36984dd096e
+SIGSTORE_POLICY_TESTER_VERSION_SHA512: fb542d15b0b269e505888e41ba7af456e489d7592dca459b193e02ab59cbadd64c9bdcf23ef0323143f8c0905c2aecafad705bd56a31905f3e63dd311d022be1
+# renovate: datasource=github-releases depName=sigstore/policy-tester
+CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION: v0.2.0
+CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION_SHA256: aaa04e076733dcc08a20d7636be588846dfbf371f55fb23e82d3c0440779972c
+CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION_SHA512: cf62552a2842536fd07337eb7cdfb36afa6c795c99cb4eebdcaef0251848f4db2a763af21731d81af9fb6b46ccd4d604ca37c8ef7eaaad0d017722bb66cd2a4e