Fix unsigned patch releases #2962
/priority critical-urgent
The scope of this issue is now expanded to fix the March patches which got rate limited when calling the registry. This is a new problem and we now have to maneuver around the AR registry limits [slack ref].
/assign
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
/retitle Fix unsigned patch releases
/lifecycle frozen
@puerco This project seems interesting to me. I really want to work on this project. Is there any prerequisite task that needs to be done?
While cutting the February patch releases, the image promoter got rate limited by Fulcio, the sigstore certificate authority (see this long thread in slack for more context). This caused the signatures in the published images to be in an inconsistent state: some images are signed, some not, and some don't have their signatures replicated.
In order to fix the problem we need to check the signatures of images, ensure they are signed with the expected identity, and that they are correctly replicated. Then, based on that there are two actions to be taken:
After manually fixing these, we can move the promoter subcommand to audit the signatures in the future.
Justification
The signatures on our images are the stamp of approval to show that the community approved them to be published to the production registries. Any signed image can be traced back to a PR in a manifest where the change was signed off by the relevant community members. We can always sign them after publishing by ensuring we are signing on the correct digests based on the manifest data.
Action Plan
--dry-run to check what it would do
kpromo sigcheck: Verify and fix missing image signatures kubernetes-sigs/promo-tools#745
Signature Check: Check Expected Identity in Certificate kubernetes-sigs/promo-tools#767
cip: Expose signing concurrency as flags, default to 50 kubernetes-sigs/promo-tools#770
Rate limit crane.Copy() operations kubernetes-sigs/promo-tools#771
/cc @cpanato @kubernetes/release-managers
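The audit described in the issue body (check each promoted image's signature, confirm it carries the expected identity, confirm it is replicated to every registry), as an added Python example that is not promo-tools code: it assumes `cosign verify` JSON output has already been collected per image digest and per registry, and the identity values, registry names and digests are constructed placeholders.

```python
import json
from dataclasses import dataclass

# Placeholder expected signing identity (constructed; the real values live in the
# promoter's configuration, not in this issue).
EXPECTED_ISSUER = "https://accounts.example.invalid"
EXPECTED_SUBJECT = "promoter@example.invalid"


@dataclass(frozen=True)
class Finding:
    digest: str
    action: str        # "ok" | "sign" | "replicate" | "investigate"
    registries: tuple  # registries the action applies to


def identities(cosign_json: str) -> list:
    """Extract (issuer, subject) pairs from `cosign verify` JSON output.
    Assumes cosign's array-of-payloads format whose 'optional' map carries
    'Issuer' and 'Subject'; an empty string means no signature was found."""
    if not cosign_json.strip():
        return []
    return [(p.get("optional", {}).get("Issuer"), p.get("optional", {}).get("Subject"))
            for p in json.loads(cosign_json)]


def audit(results: dict) -> list:
    """results: digest -> registry -> raw `cosign verify` output for that copy."""
    findings = []
    for digest, per_registry in sorted(results.items()):
        valid, unsigned, wrong = [], [], []
        for registry, raw in sorted(per_registry.items()):
            ids = identities(raw)
            if not ids:
                unsigned.append(registry)
            elif (EXPECTED_ISSUER, EXPECTED_SUBJECT) in ids:
                valid.append(registry)
            else:
                wrong.append(registry)  # signed, but not by the expected identity
        if wrong:
            findings.append(Finding(digest, "investigate", tuple(wrong)))
        elif not valid:
            findings.append(Finding(digest, "sign", tuple(unsigned)))       # sign on the digest
        elif unsigned:
            findings.append(Finding(digest, "replicate", tuple(unsigned)))  # copy existing signature
        else:
            findings.append(Finding(digest, "ok", tuple(valid)))
    return findings


def _sig(issuer, subject):  # constructed stand-in for one cosign verify payload
    return json.dumps([{"optional": {"Issuer": issuer, "Subject": subject}}])


SAMPLE = {  # constructed sample covering the inconsistent states from the issue
    "sha256:aaa": {"us": _sig(EXPECTED_ISSUER, EXPECTED_SUBJECT), "eu": _sig(EXPECTED_ISSUER, EXPECTED_SUBJECT)},
    "sha256:bbb": {"us": _sig(EXPECTED_ISSUER, EXPECTED_SUBJECT), "eu": ""},
    "sha256:ccc": {"us": "", "eu": ""},
    "sha256:ddd": {"us": _sig("https://other.invalid", "someone@other.invalid"), "eu": ""},
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.digest}: {f.action} {list(f.registries)}")
```

Running it prints one line per digest with the action to take; the "sign" and "replicate" rows are the two manual fixes the issue describes, while "investigate" flags a signature whose certificate identity does not match.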