feat: add sigstore-policy-tester extension

To enable verifying of every container image run through containerd

Makefile

@@ -93,6 +93,7 @@ TARGETS += qlogic-firmware
 TARGETS += realtek-firmware
 TARGETS += spin
 TARGETS += stargz-snapshotter
+TARGETS += sigstore-policy-tester
 TARGETS += tailscale
 TARGETS += thunderbolt
 TARGETS += uinput

tools/sigstore-policy-tester/README.md

@@ -0,0 +1,44 @@
+# sigstore-policy-tester extension
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Usage
+
+```yaml
+machine:
+  files:
+    - content: |
+        [plugins]
+          [plugins."io.containerd.image-verifier.v1.bindir"]
+            bin_dir = "/usr/local/bin/containerd-image-verifier"
+            max_verifiers = 10
+            per_verifier_timeout = "10s"
+      path: /etc/cri/conf.d/20-customization.part
+      op: create
+    - content: |
+        apiVersion: policy.sigstore.dev/v1alpha1
+        kind: ClusterImagePolicy
+        metadata:
+          name: system
+        spec:
+          images:
+          - glob: "**"
+          authorities:
+          - keyless:
+              url: https://fulcio.sigstore.dev
+              identities:
+              - issuer: https://accounts.google.com
+                subject: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com
+            ctlog:
+              url: https://rekor.sigstore.dev
+          - keyless:
+              identities:
+              - issuer: https://accounts.google.com
+                subjectRegExp: "@siderolabs\.com$"
+      path: /etc/containers/sigstore/policy.yaml
+      op: create
+```
+
+**Important note: add all other identities and keys within the ClusterImagePolicy above for target container images**

tools/sigstore-policy-tester/manifest.yaml

@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: sigstore-policy-tester
+  version: "$VERSION"
+  author: Sigstore Authors
+  description: |
+    Verify images signed against a policy.yaml
+  compatibility:
+    talos:
+      version: ">= v0.12.0"

tools/sigstore-policy-tester/pkg.yaml

@@ -0,0 +1,69 @@
+name: sigstore-policy-tester
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/sigstore/policy-controller/archive/refs/tags/{{ .SIGSTORE_POLICY_TESTER_VERSION }}.tar.gz
+        destination: sigstore-policy-controller.tar.gz
+        sha256: f0a3545341b426a77452f58be10f01d194e157e8232bf512967fd36984dd096e
+        sha512: fb542d15b0b269e505888e41ba7af456e489d7592dca459b193e02ab59cbadd64c9bdcf23ef0323143f8c0905c2aecafad705bd56a31905f3e63dd311d022be1
+      - url: https://github.com/BobyMCbobs/containerd-image-verifier-sigstore/archive/refs/tags/{{ .CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION }}.tar.gz
+        destination: containerd-image-verifier-sigstore.tar.gz
+        sha256: e62231ad2a45027fe6c194345a00eddd9f7d65ad1e231a7ed182e534feee1d6d
+        sha512: a7f315a03c52a23fabf8a1783f3ec38a2961a714bd00e56cc67bcce89155ddeed299dd080787c09bd50dc083da58df7addecf54f2e95b5119037de9752cf096e
+    env:
+      GOPATH: /go
+    cachePaths:
+      - /.cache/go-build
+      - /go/pkg
+    prepare:
+      - |
+        sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+      - |
+        mkdir -p ${GOPATH}/src/github.com/sigstore/policy-controller
+
+        tar -xzf sigstore-policy-controller.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/sigstore/policy-controller
+      - |
+        mkdir -p ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+
+        tar -xzf containerd-image-verifier-sigstore.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+    build:
+      - |
+        export PATH=${PATH}:${TOOLCHAIN}/go/bin
+        cd ${GOPATH}/src/github.com/sigstore/policy-controller
+
+        mkdir ./bin
+
+        CGO_ENABLED=0 go build -o ./bin/sigstore-policy-tester ./cmd/tester
+      - |
+        export PATH=${PATH}:${TOOLCHAIN}/go/bin
+        cd ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+
+        mkdir ./bin
+
+        CGO_ENABLED=0 go build -o ./bin/containerd-image-verifier-sigstore .
+    install:
+      - |
+        cd ${GOPATH}/src/github.com/sigstore/policy-controller
+        mkdir -p /rootfs/usr/local/bin/
+        cp -av bin/sigstore-policy-tester /rootfs/usr/local/bin/
+
+      - |
+        cd ${GOPATH}/src/github.com/BobyMCbobs/containerd-image-verifier-sigstore
+        mkdir -p /rootfs/usr/local/bin/containerd-image-verifier/
+        cp -av bin/containerd-image-verifier-sigstore /rootfs/usr/local/bin/containerd-image-verifier/
+
+    test:
+      - |
+        mkdir -p /extensions-validator-rootfs
+        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
+        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
+        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /

tools/sigstore-policy-tester/vars.yaml

@@ -0,0 +1,2 @@
+VERSION: "{{ .SIGSTORE_POLICY_TESTER_VERSION }}"
+CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION: "{{ .CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION }}"

tools/vars.yaml

@@ -2,3 +2,7 @@
 LIBNVME_VERSION: v1.11.1
 # renovate: datasource=github-releases depName=linux-nvme/nvme-cli
 NVME_CLI_VERSION: v2.11
+# renovate: datasource=github-releases depName=sigstore/policy-tester
+SIGSTORE_POLICY_TESTER_VERSION: v0.12.0
+# renovate: datasource=github-releases depName=sigstore/policy-tester
+CONTAINERD_IMAGE_VERIFIER_SIGSTORE_VERSION: v0.1.0