build: add image signing for all release images
Signed-off-by: akashsinghal <[email protected]>
akashsinghal committed Dec 3, 2024
1 parent ca88b62 commit 1e623e9
Showing 3 changed files with 130 additions and 0 deletions.
42 changes: 42 additions & 0 deletions .github/workflows/publish-dev-assets.yml
Expand Up @@ -37,6 +37,10 @@ jobs:
az version
# Key Vault:
az account get-access-token --scope https://vault.azure.net/.default --output none
- name: Prepare notation certificate
run: |
mkdir -p truststore/x509/ca/ratify-verify
cp ./.well-known/pki-validation/ratify-verification.crt truststore/x509/ca/ratify-verify
- name: prepare
id: prepare
run: |
Expand Down Expand Up @@ -138,6 +142,44 @@ jobs:
cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
- name: Verify with Notation
uses: notaryproject/notation-action/verify@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
with:
target_artifact_reference: |-
${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
trust_policy: ./.well-known/pki-validation/trustpolicy.json
trust_store: truststore
- name: Verify with Cosign
run: |
cosign verify \
--certificate-identity-regexp "https://github.com/akashsinghal/ratify/.github/workflows/publish-dev-assets.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository akashsinghal/ratify \
${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
cosign verify \
--certificate-identity-regexp "https://github.com/akashsinghal/ratify/.github/workflows/publish-dev-assets.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository akashsinghal/ratify \
${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
cosign verify \
--certificate-identity-regexp "https://github.com/akashsinghal/ratify/.github/workflows/publish-dev-assets.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository akashsinghal/ratify \
${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
cosign verify \
--certificate-identity-regexp "https://github.com/akashsinghal/ratify/.github/workflows/publish-dev-assets.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository akashsinghal/ratify \
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
cosign verify \
--certificate-identity-regexp "https://github.com/akashsinghal/ratify/.github/workflows/publish-dev-assets.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository akashsinghal/ratify \
${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
- name: clear
if: always()
run: |
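Review bot: The five `cosign verify` calls in the second hunk pass `--certificate-identity-regexp "https://github.com/akashsinghal/ratify/.github/workflows/publish-dev-assets.yml@*"`, which as a regular expression is unanchored, treats each `.` as a wildcard and reads `@*` as "zero or more `@` characters", so it is really a loose substring match rather than "this workflow at any ref"; it happens to be tight enough here, but it is not what the author appears to mean. Because the signature was produced earlier in this same run, the exact certificate identity is known and can be pinned with `--certificate-identity "https://github.com/${{ github.workflow_ref }}"`, which also removes the hardcoded `akashsinghal/ratify` owner that would otherwise need editing when the repository moves. The Verify with Cosign step in publish-package.yml builds its regexp the same way and would take the same change. The five near-identical invocations differ only in the image reference, so a single loop keeps the flags consistent across all of them.

```yaml
      - name: Verify with Cosign
        run: |
          for ref in \
            "${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}" \
            "${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}" \
            "${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}" \
            "${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}" \
            "${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}"; do
            cosign verify \
              --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              --certificate-github-workflow-repository "${{ github.repository }}" \
              "$ref"
          done
      # … unchanged: clear step …
```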
64 changes: 64 additions & 0 deletions .github/workflows/publish-package.yml
Expand Up @@ -14,13 +14,34 @@ jobs:
permissions:
packages: write
contents: read
id-token: write
environment: azure-publish
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Install Notation
uses: notaryproject/notation-action/setup@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Az CLI login
uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Cache AAD tokens
run: |
az version
# Key Vault:
az account get-access-token --scope https://vault.azure.net/.default --output none
- name: Prepare notation certificate
run: |
mkdir -p truststore/x509/ca/ratify-verify
cp ./.well-known/pki-validation/ratify-verification.crt truststore/x509/ca/ratify-verify
- name: prepare
id: prepare
run: |
Expand Down Expand Up @@ -83,6 +104,49 @@ jobs:
--label org.opencontainers.image.revision=${{ github.sha }} \
-t ${{ steps.prepare.outputs.ref }} \
--push .
- name: Sign with Notation
uses: notaryproject/notation-action/sign@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
with:
plugin_name: azure-kv
plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }}
plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }}
key_id: ${{ secrets.AZURE_KV_KEY_ID }}
target_artifact_reference: |-
${{ steps.prepare.outputs.crdref }}
${{ steps.prepare.outputs.baseref }}
${{ steps.prepare.outputs.ref }}
signature_format: cose
- name: Sign with Cosign
run: |
cosign sign --yes ${{ steps.prepare.outputs.crdref }}
cosign sign --yes ${{ steps.prepare.outputs.baseref }}
cosign sign --yes ${{ steps.prepare.outputs.ref }}
- name: Verify with Notation
uses: notaryproject/notation-action/verify@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
with:
target_artifact_reference: |-
${{ steps.prepare.outputs.crdref }}
${{ steps.prepare.outputs.baseref }}
${{ steps.prepare.outputs.ref }}
trust_policy: ./.well-known/pki-validation/trustpolicy.json
trust_store: truststore
- name: Verify with Cosign
run: |
cosign verify \
--certificate-identity-regexp "https://github.com/akashsinghal/ratify/.github/workflows/publish-package.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository akashsinghal/ratify \
${{ steps.prepare.outputs.crdref }}
cosign verify \
--certificate-identity-regexp "https://github.com/akashsinghal/ratify/.github/workflows/publish-package.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository akashsinghal/ratify \
${{ steps.prepare.outputs.baseref }}
cosign verify \
--certificate-identity-regexp "https://github.com/akashsinghal/ratify/.github/workflows/publish-package.yml@*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository akashsinghal/ratify \
${{ steps.prepare.outputs.ref }}
- name: clear
if: always()
run: |
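Review bot: The Sign with Notation, Sign with Cosign and both Verify steps in the second hunk address the images by mutable tag (`${{ steps.prepare.outputs.crdref }}`, `baseref`, `ref`) rather than by digest, so each tool signs and then verifies whatever the tag resolves to at that instant, and cosign itself warns when asked to sign a tag. The `docker buildx build --push` immediately above can record the pushed digest (e.g. via `--metadata-file`), and signing and verifying `<ref>@sha256:<digest>` ties the signature to the exact artifact that was just built; the dev-assets workflow uses tag references in the same way. In the first hunk, the `Prepare notation certificate` step copies `./.well-known/pki-validation/ratify-verification.crt`, which is not among this commit's three files, so the job fails at `cp` unless that certificate is already in the tree. It may be worth a comment on that step such as `# CA certificate for the azure-kv signing key; must exist at this path` so the dependency is explicit.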
24 changes: 24 additions & 0 deletions .well-known/pki-validation/trustpolicy.json
@@ -0,0 +1,24 @@
{
"version": "1.0",
"trustPolicies": [
{
"name": "ratify-images",
"registryScopes": [
"ghcr.io/akashsinghal/ratify",
"ghcr.io/akashsinghal/ratify-base",
"ghcr.io/akashsinghal/ratify-crds",
"ghcr.io/akashsinghal/ratify-dev",
"ghcr.io/akashsinghal/ratify-base-dev",
"ghcr.io/akashsinghal/ratify-crds-dev",
"ghcr.io/akashsinghal/ratify-chart-dev/ratify"
],
"signatureVerification": {
"level" : "strict"
},
"trustStores": [ "ca:ratify-verify" ],
"trustedIdentities": [
"x509.subject: CN=ratify.dev,O=ratify-project,L=Seattle,ST=WA,C=US"
]
}
]
}
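Review bot: `registryScopes` pins this policy to seven repositories under the `ghcr.io/akashsinghal/` namespace, so the Verify with Notation steps in both workflows only have an applicable policy while images are pushed to that personal account; when the owner or registry changes, this list has to move in lockstep with the owner hardcoded in the workflows, which is easy to miss because the failure only shows up at verification time. The entry `"level" : "strict"` has a space before the colon unlike every other key in the file; `"level": "strict"` keeps the formatting uniform.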
