Add sigstore support to verify signatures of plugins.

[marcofranssen]

It would be great if krew integrates cosign.

This way upon plugin install krew can verify the signatures and transparancy logs of published plugins.

In the first releases we should make this optional for plugins to have signatures, but in the long run it would be good to enforce those signatures.

[ahmetb]

As things stand today, I have a suspicion that this would help only little bit to alleviate the concerns of the users, while complicating things a lot for the 200+ plugin developers.

We have not done a complete threat modeling, but the releases for plugins currently come from repositories and the downloaded artifacts are checksummed. Therefore, they are guarded for in-place replacement of the artifacts, however they are not guarded against a malicious maintainer or a breach of write access to the repository (sigstore doesn't help with these either).

This situation is worth monitoring as the tooling and the ecosystem around sigstore evolves.

tl;dr: It can maybe help someday, but I am not seeing exactly how it can contribute to our security in a notable way today.

/kind proposal
/priority awaiting-more-evidence
/lifecycle frozen

[marcofranssen]

I'm also willing to contribute this feature. I also have experience in generating signatures, provenance and sboms for Go and Docker projects.

This is just an example, I build for a blog I wrote.

https://github.com/marcofranssen/slsa-workflow-examples/blob/main/.github/workflows/release-docker.yaml

E.g. Goreleaser has support for generating the signatures. Also the Github actions ecosystem has nice support, so I do think with a couple of lines documentation we can show how plugin developers with just a couple of lines of yaml (Github actions/goreleaser config) can add signatures to their plugins.

Let me know if a PR would be accepted introducing this feature (starting as optional ofcourse).

[ahmetb]

Hi Marco, my comment is not about the implementation, but the usefulness of it as things stand today. If there's not enough value add for users, having the code in repo is further maintenance burden on the maintainers.

[ahmetb]

related #745