Improving Fluent Bit Supply Chain Security with Cosign from OpenSSF

Written by Patrick Stephens in Fluent Bit on January 19, 2023


This is a quick follow-up to a previous post covering some of the improvements Calyptia is making as the maintainers of Fluent Bit. We have been signing the Fluent Bit official container images with Cosign for a while now, and recently we added it to the OpenSSF landscape to publicize this fact.

What is Cosign?

The OpenSSF (Open Source Software Security Foundation) provides a lot of useful tooling to improve supply chain security for open source projects. One of these is the sigstore project, which “allows developers to securely sign software artifacts”, and within it the Cosign tooling specifically for signing OCI (container) images.

Signing the Fluent Bit container images with Cosign means users can verify that the image they are running is the official one built and provided by the Fluent Bit project, rather than a modified or substituted copy. Full details on verifying the signature can be found in the documentation.
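As an added example that is not part of the original post or the Fluent Bit project's own tooling, here is a small POSIX shell wrapper around `cosign verify` for use in a deployment pipeline. It assumes cosign is installed (or `COSIGN_BIN` points at it) and that the project's public key has already been fetched to a local file; it also refuses tag-only image references, so the artifact that was verified is the exact artifact that gets deployed.

```shell
set -u

# Path to the cosign binary; override with COSIGN_BIN=/path/to/cosign (assumption).
COSIGN_BIN="${COSIGN_BIN:-cosign}"

# Reject tag-only references: a tag can be re-pointed to different content
# after verification, a digest cannot. Returns 0 when pinned by digest, 1 otherwise.
is_digest_pinned() {
    case "$1" in
        *@sha256:[0-9a-f]*) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_image_signature IMAGE_REF PUBKEY_FILE
# Exit codes: 0 = signature verified, 1 = verification failed,
#             2 = precondition not met (no cosign, no key, or tag-only reference)
verify_image_signature() {
    image="$1"
    pubkey="$2"
    if ! command -v "$COSIGN_BIN" >/dev/null 2>&1; then
        echo "cosign binary not found: $COSIGN_BIN" >&2
        return 2
    fi
    if [ ! -r "$pubkey" ]; then
        echo "public key not readable: $pubkey" >&2
        return 2
    fi
    if ! is_digest_pinned "$image"; then
        echo "refusing tag-only reference, pin it by digest first: $image" >&2
        return 2
    fi
    # cosign exits non-zero when no signature on the image validates against the key.
    if "$COSIGN_BIN" verify --key "$pubkey" "$image" >/dev/null 2>&1; then
        echo "signature verified for $image"
        return 0
    fi
    echo "signature verification FAILED for $image" >&2
    return 1
}
```

Resolve the digest for the tag you intend to run (for example from the registry manifest) before calling `verify_image_signature`, and let a non-zero return fail the pipeline step.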

This follows the same approach as the GPG signing we (and package maintainers in general) provide for the native Linux packages (RPM/DEB) and for the repository metadata itself, which is required on various more secure platforms (e.g. for FIPS compliance).

We encourage anyone using OSS to get projects added to the OpenSSF if they can contribute in that way.

Gitsign

Another useful project provided by the OpenSSF is the gitsign tooling. Gitsign simplifies the handling of signed commits and helps mitigate some of the attacks that are possible against standard GPG keys. We would also encourage anyone using Git to adopt it.
