From 718e9b5f39ca3c8f3c5ec58286408692e5b64165 Mon Sep 17 00:00:00 2001 From: Jacopo Andrea Giola Date: Tue, 1 Oct 2024 15:39:03 +0200 Subject: [PATCH 1/4] docs: add new page to infrastructure section --- docs/infrastructure/security/overview.md | 62 +++++++++++++++++++ sidebars.json | 5 ++ .../mia-platform-pubkey-2023-10-01.pem | 4 ++ 3 files changed, 71 insertions(+) create mode 100644 docs/infrastructure/security/overview.md create mode 100644 static/public-keys/mia-platform-pubkey-2023-10-01.pem diff --git a/docs/infrastructure/security/overview.md b/docs/infrastructure/security/overview.md new file mode 100644 index 0000000000..a06f620600 --- /dev/null +++ b/docs/infrastructure/security/overview.md 
@@ -0,0 +1,62 @@ +--- +id: security-overview +title: Mia-Platform Console Security +sidebar_label: Security +--- + +To help prevent [supply-chain attacks], some Mia-Platform released artifacts are cryptographically signed so you can +be sure to have downloaded are the ones built and distributed by Mia-Platform. + +You can verify the signing in every momento to be sure that there was no tampering of the released artifact that you +are about to install. + +The public certificates that are required for the verification are available on this website and may depend on the +artifact you need to verify. At this time of writing all the artifacts are signed using the same underling key. + +## Container Images + +Here you can find all the artifacts and the starting version when they are being signed and verifiable with `cosign`: + +| Container Image | Starting Tag | +| --- | --- | +| nexus.mia-platform.eu/console/backend | v10.0.0 | + +Our PEM-encoded public key can be downloaded [here] and you can see and example of verification of the signature +using cosing: + +```shell +KEY=https://docs.mia-platform.eu/public-keys/mia-platform-pubkey-2023-10-01.pem +cosign verify --key "${KEY}" nexus.mia-platform.eu/console/backend:v10.0.0 +``` + +## Software Bill of Materials + +Another affordance we provide for improving the transparency of our artifacts is providing a Software Bill of +Materials (SBOM) for every artifact that are cryptographically signed using the in-toto attestation method. 
+ +Every signed artifacts has its attestation containing a SPDX SBOM in json format that you can verify and download +using cosign: + +```shell +KEY=https://docs.mia-platform.eu/public-keys/mia-platform-pubkey-2023-10-01.pem +cosign verify-attestation --type spdxjson --key "${KEY}" nexus.mia-platform.eu/console/backend:v10.0.0 +``` + +This command will download the raw attestation verifying that nothing has been tampered, to see the actual payload +you can pass the result to `jq` to extract the in-toto attestation containing the SPDX document: + +```shell +KEY=https://docs.mia-platform.eu/public-keys/mia-platform-pubkey-2023-10-01.pem +cosign verify-attestation --type spdxjson --key "${KEY}" nexus.mia-platform.eu/console/backend:v10.0.0 | jq '.payload | @base64d | fromjson' +``` + +Additionally with a tool like `grype` that can check a SBOM against a vulnerability database you can always check if +a vulnerability has been found after the artifact build: + +```shell +KEY=https://docs.mia-platform.eu/public-keys/mia-platform-pubkey-2023-10-01.pem +cosign verify-attestation --type spdxjson --key "${KEY}" nexus.mia-platform.eu/console/backend:v10.0.0 | jq '.payload | @base64d | fromjson | .predicate' | grype +``` + +[supply-chain attacks]: https://en.wikipedia.org/wiki/Supply_chain_attack +[here]: /public-keys/static/public-keys/mia-platform-pubkey-2023-10-01.pem "Mia-Platform PEM-encoded public key" diff --git a/sidebars.json b/sidebars.json index d9ed2514d8..f2983e6e04 100644 --- a/sidebars.json +++ b/sidebars.json @@ -1639,6 +1639,11 @@ } ] }, + { + "label": "Security", + "id": "infrastructure/security/security-overview", + "type": "doc" + }, { "label": "Bring Your Own Infrastructure", "id": "infrastructure/byoi/byoi-overview", diff --git a/static/public-keys/mia-platform-pubkey-2023-10-01.pem b/static/public-keys/mia-platform-pubkey-2023-10-01.pem new file mode 100644 index 0000000000..30b043e448 --- /dev/null 
+++ b/static/public-keys/mia-platform-pubkey-2023-10-01.pem @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECOhJUYMa2CcL2LfIl22udT9Rt/pz ++YGGNSUlBP1V6EqUlv/iZg3lFhN1h4WxlvjsfN9U/GBxV9lwtdJpqaI8Hw== +-----END PUBLIC KEY----- From ece4b34fb34cb28955ce63a25f768b8ea1e7215b Mon Sep 17 00:00:00 2001 From: Jacopo Andrea Giola Date: Wed, 2 Oct 2024 09:37:09 +0200 Subject: [PATCH 2/4] fix: broken link for public certificate --- docs/infrastructure/security/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/infrastructure/security/overview.md b/docs/infrastructure/security/overview.md index a06f620600..cd2dbb9378 100644 --- a/docs/infrastructure/security/overview.md +++ b/docs/infrastructure/security/overview.md @@ -59,4 +59,4 @@ cosign verify-attestation --type spdxjson --key "${KEY}" nexus.mia-platform.eu/c ``` [supply-chain attacks]: https://en.wikipedia.org/wiki/Supply_chain_attack -[here]: /public-keys/static/public-keys/mia-platform-pubkey-2023-10-01.pem "Mia-Platform PEM-encoded public key" +[here]: /public-keys/mia-platform-pubkey-2023-10-01.pem "Mia-Platform PEM-encoded public key" From cd1c8d861333033e957f180d4aef020c9d09b9a7 Mon Sep 17 00:00:00 2001 From: Jacopo Andrea Giola Date: Wed, 30 Oct 2024 09:20:40 +0100 Subject: [PATCH 3/4] feat: update image list --- docs/infrastructure/security/overview.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docs/infrastructure/security/overview.md b/docs/infrastructure/security/overview.md index cd2dbb9378..e2a3bbccda 100644 --- a/docs/infrastructure/security/overview.md +++ b/docs/infrastructure/security/overview.md 
@@ -19,14 +19,18 @@ Here you can find all the artifacts and the starting version when they are being | Container Image | Starting Tag | | --- | --- | -| nexus.mia-platform.eu/console/backend | v10.0.0 | +| nexus.mia-platform.eu/rond-authz/rond | v1.12.9 | +| nexus.mia-platform.eu/rond-authz/rond | v1.12.9 | +| nexus.mia-platform.eu/microlc/micro-lc | 2.4.3 | +| nexus.mia-platform.eu/microlc/middleware | 3.3.3| Our PEM-encoded public key can be downloaded [here] and you can see and example of verification of the signature using cosing: ```shell KEY=https://docs.mia-platform.eu/public-keys/mia-platform-pubkey-2023-10-01.pem -cosign verify --key "${KEY}" nexus.mia-platform.eu/console/backend:v10.0.0 +IMAGE= +cosign verify --key "${KEY}" "${IMAGE}" ``` ## Software Bill of Materials @@ -39,7 +43,8 @@ using cosign: ```shell KEY=https://docs.mia-platform.eu/public-keys/mia-platform-pubkey-2023-10-01.pem -cosign verify-attestation --type spdxjson --key "${KEY}" nexus.mia-platform.eu/console/backend:v10.0.0 +IMAGE= +cosign verify-attestation --type spdxjson --key "${KEY}" "${IMAGE}" ``` This command will download the raw attestation verifying that nothing has been tampered, to see the actual payload @@ -47,7 +52,8 @@ you can pass the result to `jq` to extract the in-toto attestation containing th ```shell KEY=https://docs.mia-platform.eu/public-keys/mia-platform-pubkey-2023-10-01.pem -cosign verify-attestation --type spdxjson --key "${KEY}" nexus.mia-platform.eu/console/backend:v10.0.0 | jq '.payload | @base64d | fromjson' +IMAGE= +cosign verify-attestation --type spdxjson --key "${KEY}" "${IMAGE}" | jq '.payload | @base64d | fromjson' ``` Additionally with a tool like `grype` that can check a SBOM against a vulnerability database you can always check if 
@@ -55,7 +61,8 @@ a vulnerability has been found after the artifact build: ```shell KEY=https://docs.mia-platform.eu/public-keys/mia-platform-pubkey-2023-10-01.pem -cosign verify-attestation --type spdxjson --key "${KEY}" nexus.mia-platform.eu/console/backend:v10.0.0 | jq '.payload | @base64d | fromjson | .predicate' | grype +IMAGE= +cosign verify-attestation --type spdxjson --key "${KEY}" "${IMAGE}" | jq '.payload | @base64d | fromjson | .predicate' | grype ``` [supply-chain attacks]: https://en.wikipedia.org/wiki/Supply_chain_attack From 6e18baa627da876c1836386a6167fdd45b88c469 Mon Sep 17 00:00:00 2001 From: Edoardo Pessina Date: Fri, 14 Mar 2025 15:29:43 +0100 Subject: [PATCH 4/4] Add software-catalog-sync and catalog-service to signed images list --- docs/infrastructure/security/overview.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/infrastructure/security/overview.md b/docs/infrastructure/security/overview.md index e2a3bbccda..48b4f95658 100644 --- a/docs/infrastructure/security/overview.md +++ b/docs/infrastructure/security/overview.md @@ -22,7 +22,9 @@ Here you can find all the artifacts and the starting version when they are being | nexus.mia-platform.eu/rond-authz/rond | v1.12.9 | | nexus.mia-platform.eu/rond-authz/rond | v1.12.9 | | nexus.mia-platform.eu/microlc/micro-lc | 2.4.3 | -| nexus.mia-platform.eu/microlc/middleware | 3.3.3| +| nexus.mia-platform.eu/microlc/middleware | 3.3.3 | +| nexus.mia-platform.eu/console/scripts/software-catalog-sync | 0.2.0 | +| nexus.mia-platform.eu/console/catalog-service | 1.0.0 | Our PEM-encoded public key can be downloaded [here] and you can see and example of verification of the signature using cosing:
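Review bot: the new `docs/infrastructure/security/overview.md` in the first commit has several wording errors in the introductory paragraphs that should be fixed before merge: "so you can be sure to have downloaded are the ones built and distributed" is a broken sentence (suggest "so you can be sure that the artifacts you downloaded are the ones built and distributed by Mia-Platform"), "in every momento" should be "at any time", "underling key" should be "underlying key", "see and example of verification ... using cosing" should be "see an example of signature verification using cosign", "Every signed artifacts has" should be "Every signed artifact has", and "nothing has been tampered" should be "nothing has been tampered with". The `[here]` target `/public-keys/static/public-keys/mia-platform-pubkey-2023-10-01.pem` also does not match the file this commit adds under `static/public-keys/`, which the `KEY=` lines in the same page address as `/public-keys/mia-platform-pubkey-2023-10-01.pem`; the second commit in this series corrects it, so consider squashing that fix into this one. Finally, since every example fetches the key over HTTPS from the docs site on each run, the page should tell readers to save the PEM locally and compare it with the published copy before using it, so that verification does not silently depend on whatever the website serves at that moment.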
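Review bot: the key file `static/public-keys/mia-platform-pubkey-2023-10-01.pem` carries a date in its name, and the page text says the required certificate "may depend on the artifact you need to verify", but nothing documents what happens when the key is rotated: readers have no way to know which key applies to which tag, or where newer keys will be published. Suggest adding a sentence to the page stating that keys are identified by the date in the filename, that the table will list the key to use per starting tag when a new key is introduced, and that superseded keys remain available for verifying older artifacts.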
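Review bot: the table hunk in the third commit (`@@ -19,14 +19,18 @@`) lists `| nexus.mia-platform.eu/rond-authz/rond | v1.12.9 |` twice; one of the two rows is a duplicate and should be removed. The same hunk mixes tag styles (`v1.12.9` with a `v` prefix, `2.4.3` and `3.3.3` without), and `| 3.3.3|` is missing the space before the closing pipe; please confirm each tag string is exactly what was pushed to the registry, since `cosign verify` on a reference that does not exist simply fails. The hunk also drops `nexus.mia-platform.eu/console/backend | v10.0.0` without the commit message saying whether that image is no longer signed or was listed in error. Lastly, the replacement `IMAGE=` line is empty, so the snippet as written runs `cosign verify --key "${KEY}" ""`; suggest giving it a working value from the table, e.g. `IMAGE=nexus.mia-platform.eu/rond-authz/rond:v1.12.9`, with a comment that the reader should substitute the image and tag they are about to install.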
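Review bot: the `@@ -39,7 +43,8 @@` hunk replaces a concrete image reference with an empty `IMAGE=` assignment, so `cosign verify-attestation --type spdxjson --key "${KEY}" "${IMAGE}"` is no longer copy-pasteable as shown; the same empty assignment is repeated in the two following hunks (`@@ -47,7 +52,8 @@` and `@@ -55,7 +61,8 @@`). Either set `IMAGE` to one of the tags from the table above or add a short line before the block saying the variable must be filled in with the image reference being verified.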
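Review bot: the fourth commit's table hunk (`@@ -22,7 +22,9 @@`) fixes the spacing in the `microlc/middleware` row and adds `console/scripts/software-catalog-sync | 0.2.0` and `console/catalog-service | 1.0.0`, but the duplicated `| nexus.mia-platform.eu/rond-authz/rond | v1.12.9 |` row from the previous commit is still present in the unchanged context lines; this commit touches the same table and would be a natural place to remove it. As with the earlier rows, please double-check that `0.2.0` and `1.0.0` are the exact tags under which the signed images were published, since the page tells readers these are the first verifiable versions.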