gcloud container binauthz - manage attestations for Binary Authorization on Google Cloud Platform
gcloud container binauthz GROUP | COMMAND [GCLOUD_WIDE_FLAG ...]
Binary Authorization is a feature which allows binaries to run on Google Cloud Platform only if they are appropriately attested. Binary Authorization is configured by creating a policy.
This example assumes that you have created a keypair using gpg, usually by running gpg --gen-key ..., with Name-Email set to attesting_user@example.com for your attestor.
First, some convenience variables for brevity:
ATTESTING_USER="attesting_user@example.com" DIGEST="000000000000000000000000000000000000000000000000000000000000abcd" ARTIFACT_URL="gcr.io/example-project/example-image@sha256:${DIGEST}" ATTESTOR_NAME="projects/example-project/attestors/canary"
Export your key's fingerprint (note this may differ based on version and implementations of gpg):
gpg \ --with-colons \ --with-fingerprint \ --force-v4-certs \ --list-keys \ "${ATTESTING_USER}" | grep fpr | cut --delimiter=':' --fields 10
This should produce a 40 character, hexidecimal encoded string. See https://tools.ietf.org/html/rfc4880#section-12.2 for more information on key fingerprints.
Create your attestation payload:
gcloud container binauthz create-signature-payload \ --artifact-url="${ARTIFACT_URL}" \ > example_payload.txt
Create a signature from your attestation payload:
gpg \ --local-user "${ATTESTING_USER}" \ --armor \ --clearsign \ --output example_signature.pgp \ example_payload.txt
Upload the attestation:
gcloud container binauthz attestations create \ --public-key-id=${KEY_FINGERPRINT} \ --signature-file=example_signature.pgp \ --artifact-url="${ARTIFACT_URL}" \ --attestor=${ATTESTOR_NAME}
List the attestation by artifact URL. --format can be passed to output the attestations as json or another supported format:
gcloud container binauthz attestations list \ --artifact-url="${ARTIFACT_URL}" \ --format=yaml
--- - | -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 ... SNIP ... -----END PGP PUBLIC KEY BLOCK----- - | -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ... SNIP ... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 ... SNIP ... -----END PGP SIGNATURE-----
List all artifact URLs on the project for which Container Analysis Occurrences exist. This list includes the list of all URLs with BinAuthz attestations:
gcloud container binauthz attestations list
Listing also works for kind=ATTESTATION_AUTHORITY attestations, just pass the attestor:
gcloud container binauthz attestations list \ --artifact-url="${ARTIFACT_URL}" \ --attestor=${ATTESTOR_NAME} \ --format=yaml
...
These flags are available to all commands: --help.
Run $ gcloud help for details.
GROUP is one of the following:
- attestations
Create and manage Google Binary Authorization attestations.
- attestors
Create and manage Google Binary Authorization Attestors.
- policy
Create and manage Google Binary Authorization policies.
COMMAND is one of the following:
- create-signature-payload
Create a JSON container image signature object.
These variants are also available:
$ gcloud alpha container binauthz
$ gcloud beta container binauthz