otel-sig-security-example-go

command module
v0.0.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 22, 2024 License: Apache-2.0 Imports: 4 Imported by: 0

README

otel-sig-security-example-go

Example of a Go project following SIG Security's recommendations

What's in here

  • GitHub Actions creating attestations during the release phase
  • CodeQL, for static analysis

Optionally, we have examples of the following, which are NOT official recommendations at this point:

  • Pinning of versions for GitHub Actions, updated weekly by Renovate

How to verify attestations

Attestations are created as part of the release and send metadata about the build (provenance) that was used to generate that artifact. An SHA-256 checksum is used as the key for that, so that users can use a checksum of a local artifact to obtain information about the origins of that artifact.

We list here two possible ways to verify the provenance of our deliverables: a binary, and a container image.

Using GitHub CLI

Verifying the binary using GitHub CLI tool (gh):

gh attestation verify otel-sig-security-example-go_0.0.3_linux_amd64.tar.gz --owner jpkrohling

Verifying the container image using gh:

gh attestation verify oci://ghcr.io/jpkrohling/otel-sig-security-example-go:0.0.3 --owner jpkrohling

Note: jpkrohling refers to the organization, and would be open-telemetry on our actual repositories.

Sigstore's Transparency logs

The transparency logs can be queried here: Sigstore's Transparency Logs

Verifying the binary:

  • Get the sha256sum for the file: sha256sum otel-sig-security-example-go_0.0.3_linux_amd64.tar.gz
  • Open the transparency logs and get the attestation for the resulting SHA256 sum by using a query like this: sha256:0d1d5c2255d7420e2561543cf74acdd98e6800f034a64bd771f6f83d2588ca26
  • It should yield one result, with details about the process that generated that binary: Transparency Log Entry for SHA256

Verifying the container image:

  • Pull the image: docker pull ghcr.io/jpkrohling/otel-sig-security-example-go:0.0.3
  • Obtain the checksum for the image: docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/jpkrohling/otel-sig-security-example-go:0.0.3
  • As with the binary, use the checksum to query the transparency logs: Transparency Log Entry for Image SHA256

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
internal
telemetry

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.