9. Supply chain security
This section describes the supply chain security measures for Nubus for Kubernetes. Nubus implements industry-standard practices to ensure the integrity and authenticity of delivered artifacts, including cryptographic signing of container images and Helm Charts, as well as Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) information.
Added in version 1.16.0.
For more information about the technologies and standards used in Nubus supply chain security, see the following resources.
- CycloneDX
For the complete CycloneDX specification and format documentation, see https://cyclonedx.org/.
- Cosign and Sigstore
For documentation about cosign and the Sigstore project, see the Sigstore documentation and the Cosign GitHub repository.
- OCI Image Specification
For information about the OCI Image Manifest Specification, see the OCI Image Spec.
- Helm Chart Signing
For information about Helm Chart provenance and signing, see the Helm documentation.
- VEX Specification
For more information about Vulnerability Exploitability eXchange, see the CISA VEX documentation.
9.1. Artifact types and signing
Univention Nubus delivers the following primary types of artifacts to customers. The signing methods ensure that you can verify the authenticity and integrity of artifacts before deploying them to your environment.
- Container images
Container images contain the application components that run in your Kubernetes cluster. Univention signs the images using cosign.
- Helm Charts
Helm Charts define the deployment configuration for Nubus components in Kubernetes. Univention signs Helm Charts using Helm’s provenance and signing mechanism, which uses GPG.
You can use the following public keys to verify the signatures of Nubus artifacts.
- GPG public key for Helm Charts
Download the GPG public key to verify Helm Chart signatures. For the fingerprint, see Listing 9.1.
01AA F908 9611 02B4 19AC 8DB9 5252 D5CD 34B7 1EE4
- Cosign public key for container images and attestations
Download the Cosign public key or copy it from Listing 9.2 to verify container image signatures and attestations.
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwBJlghBY3tK2oKlcr5ztYpy25UD/
5zNuNfZ3xnZnsAfNqCEimXcmRZ3u6/TOCK5vuZS0ZCMfbsIUy3Qui/zsHw==
-----END PUBLIC KEY-----
9.2. Verify Helm chart signatures
To verify the signature of a Nubus Helm chart, use helm and apply the following steps:
Download the GPG public key from GPG public key for Helm Charts.
Convert the GPG public key to binary keyring format with the command in Listing 9.3.
$ gpg \
--dearmor < nubus-for-kubernetes-gpg-public-key.asc \
> nubus-keyring.gpg
Verify the Helm chart signature with the command in Listing 9.4.
$ helm pull \
--version 1.16.0 \
--verify \
--keyring ./nubus-keyring.gpg \
oci://artifacts.software-univention.de/nubus/charts/nubus
See also
Several helm commands support signature verification, notably helm install --verify. For more information, see the Helm provenance and integrity documentation.
9.3. Verify container images
This section describes how to verify container image signatures and view supply chain information using cosign.
9.3.1. Prepare the environment
Before you can verify signatures or view attestations, you need to prepare the environment with the following steps:
Download the Cosign public key from Cosign public key for container images and attestations and save it as nubus-cosign.pub.
Set the container image name as an environment variable with the command in Listing 9.5.
$ export IMAGE_NAME="<NAME OF THE IMAGE>:<VERSION OF THE IMAGE>"
9.3.2. Verify signatures
To verify the signature of a Nubus container image, use cosign with the public key from the previous Prepare the environment step. Run the command in Listing 9.6. A successful verification provides information about the signature, including the artifact and its digest.
$ cosign verify \
--key nubus-cosign.pub \
--insecure-ignore-tlog=true \
"$IMAGE_NAME"
Note
The command in Listing 9.6 requires the --insecure-ignore-tlog=true flag for container images of Nubus for Kubernetes 1.16.x, because the image signatures aren’t available in the public Sigstore transparency log.
9.3.3. View SBOM information
The Software Bill of Materials (SBOM) contains detailed information about all components, including component names and versions, package URLs (PURL) for identification, dependency relationships, license information, and component hashes.
To view and verify the SBOM attestation for a container image, use cosign verify-attestation with the command in Listing 9.7. This verifies the attestation signature and displays the CycloneDX SBOM in JSON format.
$ cosign verify-attestation \
--key nubus-cosign.pub \
--type https://cyclonedx.org/bom/v1.6 \
"$IMAGE_NAME" | jq -r '.payload' | base64 -d | jq .
To save the SBOM to a file, use the command in Listing 9.8.
$ cosign verify-attestation \
--key nubus-cosign.pub \
--type https://cyclonedx.org/bom/v1.6 \
"$IMAGE_NAME" | jq -r '.payload' | base64 -d | jq . > sbom.json
9.3.4. View VEX information
The VEX document contains identified vulnerabilities with CVE identifiers, vulnerability severity ratings, exploitability status and analysis, justifications for vulnerability status, and remediation guidance where applicable.
To view and verify the VEX attestation for a container image, use cosign verify-attestation with the VEX predicate type as shown in Listing 9.9. This verifies the attestation signature and displays the VEX document containing vulnerability information.
$ cosign verify-attestation \
--key nubus-cosign.pub \
--type https://cyclonedx.org/vex/v1.6 \
"$IMAGE_NAME" | jq -r '.payload' | base64 -d | jq .
To save the VEX document to a file, use the command in Listing 9.10.
$ cosign verify-attestation \
--key nubus-cosign.pub \
--type https://cyclonedx.org/vex/v1.6 \
"$IMAGE_NAME" | jq -r '.payload' | base64 -d | jq . > vex.json
Tip
You can use jq for filtering and analysis of the VEX document. For example, to list vulnerabilities that Univention has triaged with analysis, use the command in Listing 9.11.
$ jq '.predicate.vulnerabilities[] | select(has("analysis")) | {id, state: .analysis.state, detail: .analysis.detail}' vex.json
To list all high and critical severity vulnerabilities with their CVSS scores present in the image, use the command in Listing 9.12.
$ jq '.predicate.vulnerabilities[] | select(.ratings[0].severity == "critical" or .ratings[0].severity == "high") | {id, severity: .ratings[0].severity, score: .ratings[0].score}' vex.json
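The jq pipelines in Listings 9.7 to 9.12 can also be expressed in a small Python script, which is handy when the SBOM and VEX data feed an internal inventory rather than a terminal. The following is an added example, not code from the Nubus documentation or from Univention: it unwraps one DSSE envelope line as printed by cosign verify-attestation (the same step as jq -r '.payload' | base64 -d), refuses a statement whose predicateType is not the one requested, lists SBOM components with their PURLs, and applies the two VEX filters from Listings 9.11 and 9.12. The envelope contents, image name, component and CVE identifiers are constructed placeholders; cosign has already checked the signature before this code runs, so the script verifies nothing cryptographically.

```python
import base64
import json

# Predicate types of the Nubus SBOM and VEX attestations (from the documentation).
SBOM_PREDICATE = "https://cyclonedx.org/bom/v1.6"
VEX_PREDICATE = "https://cyclonedx.org/vex/v1.6"


def decode_attestation(envelope_line, expected_predicate_type):
    """Unwrap one DSSE envelope line from `cosign verify-attestation`.

    cosign has already verified the signature; this only base64-decodes the
    in-toto statement and checks that it carries the predicate type we asked
    for, so an SBOM is never mistaken for a VEX document or vice versa.
    """
    envelope = json.loads(envelope_line)
    statement = json.loads(base64.b64decode(envelope["payload"]))
    actual = statement.get("predicateType")
    if actual != expected_predicate_type:
        raise ValueError(f"unexpected predicateType {actual!r}, wanted {expected_predicate_type!r}")
    return statement


def sbom_components(statement):
    """(name, version, purl) for every component of a CycloneDX SBOM predicate."""
    return [(c.get("name"), c.get("version"), c.get("purl"))
            for c in statement["predicate"].get("components", [])]


def triaged_vulnerabilities(statement):
    """Listing 9.11 in Python: vulnerabilities that carry an 'analysis' block."""
    return [{"id": v["id"], "state": v["analysis"].get("state"), "detail": v["analysis"].get("detail")}
            for v in statement["predicate"].get("vulnerabilities", []) if "analysis" in v]


def high_or_critical(statement):
    """Listing 9.12 in Python: first rating is high or critical."""
    result = []
    for v in statement["predicate"].get("vulnerabilities", []):
        ratings = v.get("ratings") or []
        if ratings and ratings[0].get("severity") in ("high", "critical"):
            result.append({"id": v["id"], "severity": ratings[0]["severity"], "score": ratings[0].get("score")})
    return result


def _constructed_envelope(statement):
    # Constructed DSSE envelope with a placeholder signature; real envelopes are
    # produced and verified by cosign.
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]})


# Constructed sample statements (hypothetical image, component and CVE ids).
_SUBJECT = [{"name": "registry.example/nubus/images/example", "digest": {"sha256": "00" * 32}}]
SAMPLE_SBOM_LINE = _constructed_envelope({
    "_type": "https://in-toto.io/Statement/v0.1", "predicateType": SBOM_PREDICATE, "subject": _SUBJECT,
    "predicate": {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13", "purl": "pkg:deb/debian/openssl@3.0.13"},
    ]},
})
SAMPLE_VEX_LINE = _constructed_envelope({
    "_type": "https://in-toto.io/Statement/v0.1", "predicateType": VEX_PREDICATE, "subject": _SUBJECT,
    "predicate": {"bomFormat": "CycloneDX", "specVersion": "1.6", "vulnerabilities": [
        {"id": "CVE-0000-0001", "ratings": [{"severity": "critical", "score": 9.8, "method": "CVSSv31"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable", "detail": "constructed triage note"}},
        {"id": "CVE-0000-0002", "ratings": [{"severity": "high", "score": 7.5, "method": "CVSSv31"}]},
        {"id": "CVE-0000-0003", "ratings": [{"severity": "medium", "score": 5.3, "method": "CVSSv31"}]},
    ]},
})

if __name__ == "__main__":
    print(sbom_components(decode_attestation(SAMPLE_SBOM_LINE, SBOM_PREDICATE)))
    vex = decode_attestation(SAMPLE_VEX_LINE, VEX_PREDICATE)
    print(triaged_vulnerabilities(vex))
    print(high_or_critical(vex))
```

cosign prints one envelope per line, so feed each line of its output to decode_attestation separately. The predicateType check matters because both attestations live under the same .att tag (see Attestation storage and format): selecting by --type on the cosign side and checking the type again here keeps a tooling mistake from silently importing the wrong document.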
9.3.5. Integrate with vulnerability management tools
You can import the SBOM and VEX information into vulnerability scanning and management tools. Many popular security tools support the CycloneDX format. Tools such as Grype can import SBOMs for vulnerability scanning, and Trivy can use SBOMs for faster scans.
To import an SBOM or VEX document into your vulnerability management tool, first prepare the environment as described in Prepare the environment, then save the SBOM or VEX document to a file as shown in View SBOM information and View VEX information. Follow your tools’ documentation for importing CycloneDX documents. Regularly update your vulnerability management tools with the latest SBOM and VEX information from each Nubus release to maintain an accurate vulnerability inventory.
9.4. SBOM and VEX information
This section provides an overview of the supply chain security information that Univention provides for Nubus for Kubernetes.
- Software Bill of Materials (SBOM)
A Software Bill of Materials (SBOM) is a comprehensive inventory of all components, libraries, and dependencies included in a software artifact. SBOMs are essential for supply chain security because they enable you to identify all components and their versions, track known vulnerabilities in dependencies, meet compliance requirements, and respond quickly to security advisories.
Univention provides SBOMs in the CycloneDX BOM v1.6 format as cryptographic attestations for all Nubus for Kubernetes container images.
- Vulnerability Exploitability eXchange (VEX)
Vulnerability Exploitability eXchange (VEX) is a standard format for communicating information about the exploitability status of vulnerabilities in software components. VEX documents help you understand which vulnerabilities affect your deployment and which ones don’t.
Univention provides VEX documents in the CycloneDX VEX v1.6 format as separate cryptographic attestations for all Nubus for Kubernetes container images. The VEX documents include the results of Univention’s vulnerability triage process for high and critical severity vulnerabilities.
9.5. Attestation storage and format
Univention uses the tag-based pattern in Listing 9.13 to associate attestations with container images.
{registry}/{image}:sha256-{HASH}.att
{registry}/{image}:sha256-{HASH}.sig
- {registry}: Container registry hostname.
- {image}: Image name and path.
- {HASH}: SHA256 digest of the image without the sha256: prefix.
- .att: The suffix indicates an attestation tag.
- .sig: The suffix indicates a signature tag.
Note
This tag pattern is the classic OCI Image Manifest Specification v1.0 pattern, and not the more recent OCI Reference Types specification using the referrers API.
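The digest that cosign verify reports (Listing 9.6) is the value to deploy by, and it is also the value from which the .att and .sig tag names in Listing 9.13 are derived. The following is an added example, not code from the Nubus documentation or from Univention: it reads the JSON that cosign verify prints, keeps only signature entries for the expected repository, builds a digest-pinned reference for deployment, and maps the digest to the tag names of the pattern above. The registry registry.example:5000, the image path and the digest are constructed placeholders; the layout of the sample output follows cosign's signature payload (critical.identity.docker-reference and critical.image.docker-manifest-digest).

```python
import json


def repository_of(reference):
    """Strip a trailing @digest and :tag from an image reference, keeping a registry port."""
    name = reference.split("@", 1)[0]
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:  # a ':' after the last '/' separates a tag, not a port
        name = name[:colon]
    return name


def verified_digests(verify_output, repository):
    """Digests that `cosign verify` reported as signed for the given repository."""
    digests = set()
    for entry in json.loads(verify_output):
        critical = entry.get("critical", {})
        if critical.get("type") != "cosign container image signature":
            continue
        if critical.get("identity", {}).get("docker-reference") != repository:
            continue  # a signature for some other image is not evidence for this one
        digests.add(critical["image"]["docker-manifest-digest"])
    return digests


def pinned_reference(reference, digest):
    """Deploy by digest so a later tag move cannot substitute an unverified image."""
    return f"{repository_of(reference)}@{digest}"


def attestation_tags(reference, digest):
    """Tag names per Listing 9.13: {registry}/{image}:sha256-{HASH}.att and .sig."""
    algorithm, _, hexdigest = digest.partition(":")
    if algorithm != "sha256" or len(hexdigest) != 64 or set(hexdigest) - set("0123456789abcdef"):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    base = f"{repository_of(reference)}:sha256-{hexdigest}"
    return {"att": base + ".att", "sig": base + ".sig"}


# Constructed sample: one `cosign verify` result for a hypothetical registry and image.
SAMPLE_REPOSITORY = "registry.example:5000/nubus/images/example"
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": SAMPLE_REPOSITORY},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": None,
}])

if __name__ == "__main__":
    image = SAMPLE_REPOSITORY + ":1.16.0"
    for digest in verified_digests(SAMPLE_VERIFY_OUTPUT, repository_of(image)):
        print(pinned_reference(image, digest))
        print(attestation_tags(image, digest))
```

verified_digests returns a set because cosign prints one entry per valid signature and an image may carry several; an empty set means no signature matched the repository you expected, which should stop a deployment even if cosign itself exited successfully for some other reference.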
For each container image, Univention provides multiple attestations under a single .att tag. It cryptographically signs all attestations. You can verify them using cosign, see Verify container images.
These attestations include the following:
- SBOM attestation
Contains the software bill of materials in CycloneDX format
- Predicate type:
https://cyclonedx.org/bom/v1.6
- VEX attestation
Contains vulnerability exploitability information in CycloneDX format
- Predicate type:
https://cyclonedx.org/vex/v1.6
- Provenance attestation
Contains build and release information
- Predicate type:
https://in-toto.io/attestation/release/v0.1