Sign sbom (#701)

* Sign SBOM after attaching it Signed-off-by: Natalie Arellano <[email protected]> * Fix Signed-off-by: Natalie Arellano <[email protected]> * Fix Signed-off-by: Natalie Arellano <[email protected]> * Fix Signed-off-by: Natalie Arellano <[email protected]> * Fix Signed-off-by: Natalie Arellano <[email protected]> * Use sbom sha when signing Signed-off-by: Natalie Arellano <[email protected]> * Update script to test on forks Signed-off-by: Natalie Arellano <[email protected]> * Sha is for layer, not manifest Signed-off-by: Natalie Arellano <[email protected]>
buildpacks · Sep 7, 2021 · 9895acb · 9895acb
1 parent af5a4ea
commit 9895acb
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 15 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -121,7 +121,7 @@ jobs:
           path: version.txt
       - name: Set tag
         run: |
-          echo "LIFECYCLE_IMAGE_TAG=$(git describe --always)" >> tag.txt
+          echo "LIFECYCLE_IMAGE_TAG=$(git describe --always --abbrev=7)" >> tag.txt
       - uses: actions/upload-artifact@v2
         with:
           name: tag
@@ -166,6 +166,13 @@ jobs:
         with:
           name: lifecycle-bom-cdx
           path: lifecycle-v*-bom.cdx.json
+      - name: Calculate SBOM sha
+        run: |
+          shasum -a 256 lifecycle-v${{ env.LIFECYCLE_VERSION }}-bom.cdx.json > lifecycle-v${{ env.LIFECYCLE_VERSION }}-bom.cdx.json.sha256
+      - uses: actions/upload-artifact@v2
+        with:
+          name: lifecycle-bom-cdx-sha256
+          path: lifecycle-v*-bom.cdx.json.sha256
       - uses: azure/docker-login@v1
         if: github.event_name == 'push'
         with:
@@ -184,11 +191,18 @@ jobs:
         with:
           name: lifecycle-cosign-public-key
           path: lifecycle-v${{ env.LIFECYCLE_VERSION }}-cosign.pub
+      - name: Calculate cosign sha
+        run: |
+          shasum -a 256 lifecycle-v${{ env.LIFECYCLE_VERSION }}-cosign.pub > lifecycle-v${{ env.LIFECYCLE_VERSION }}-cosign.pub.sha256
+      - uses: actions/upload-artifact@v2
+        with:
+          name: lifecycle-cosign-public-key-sha256
+          path: lifecycle-v${{ env.LIFECYCLE_VERSION }}-cosign.pub.sha256
       - name: Publish images
         if: github.event_name == 'push'
         run: |
           DOCKER_CLI_EXPERIMENTAL=enabled
-          LIFECYCLE_IMAGE_TAG=$(git describe --always)
+          LIFECYCLE_IMAGE_TAG=$(git describe --always --abbrev=7)
 
           LINUX_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.x86-64.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64 | awk '{print $NF}')
           echo "LINUX_AMD64_SHA: $LINUX_AMD64_SHA"

diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
@@ -79,8 +79,8 @@ jobs:
                 if (urlList.length === 0) {
                   throw "no artifacts found"
                 }
-                if (urlList.length != 8) {
-                  throw "there should be exactly eight artifacts"
+                if (urlList.length != 10) {
+                  throw "there should be exactly ten artifacts"
                 }
                 return urlList.join(",")
               })
@@ -98,6 +98,11 @@ jobs:
             unzip -d artifacts tmp-artifact.zip
             rm tmp-artifact.zip
           done
+      - name: Combine checksums
+        run: |
+          cd ${{ env.ARTIFACTS_PATH }}
+          cat *.sha256 | sort > lifecycle-v${{ env.LIFECYCLE_VERSION }}-checksums.txt
+          rm *.sha256
       - name: Set pre-release kind
         if: contains(env.LIFECYCLE_VERSION, 'rc') # e.g., 0.99.0-rc.1
         run: |
@@ -128,10 +133,11 @@ jobs:
       - name: Create Pre Release
         if: contains(env.LIFECYCLE_VERSION, 'rc') # e.g., 0.99.0-rc.1
         run: |
+          cd ${{ env.ARTIFACTS_PATH }}
           gh release create v${{ env.LIFECYCLE_VERSION }} \
-            $(ls ${{ env.ARTIFACTS_PATH }}/*) \
+            $(ls | sort | paste -sd " " -) \
             --draft \
-            --notes-file body.txt \
+            --notes-file ../body.txt \
             --prerelease \
             --target $GITHUB_REF \
             --title "lifecycle v${{ env.LIFECYCLE_VERSION }}"
@@ -140,10 +146,11 @@ jobs:
       - name: Create Release
         if: "!contains(env.LIFECYCLE_VERSION, 'rc')"
         run: |
+          cd ${{ env.ARTIFACTS_PATH }}
           gh release create v${{ env.LIFECYCLE_VERSION }} \
-            $(ls ${{ env.ARTIFACTS_PATH }}/*) \
+            $(ls | sort | paste -sd " " -) \
             --draft \
-            --notes-file body.txt \
+            --notes-file ../body.txt \
             --target $GITHUB_REF \
             --title "lifecycle v${{ env.LIFECYCLE_VERSION }}"
         env:

diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Install crane
         run: |
           go install github.com/google/go-containerregistry/cmd/crane@latest
-      - name: Install Cosign
+      - name: Install cosign
         uses: sigstore/[email protected]
         with:
           cosign-release: 'v1.0.0'
@@ -28,7 +28,7 @@ jobs:
       - name: Set env
         run: |
           echo "LIFECYCLE_VERSION=$(echo ${{ github.event.release.tag_name }} | cut -d "v" -f2)" >> $GITHUB_ENV
-          echo "LIFECYCLE_IMAGE_TAG=$(git describe --always)" >> $GITHUB_ENV
+          echo "LIFECYCLE_IMAGE_TAG=$(git describe --always --abbrev=7)" >> $GITHUB_ENV
       - name: Verify lifecycle images
         run: |
           LINUX_AMD64_SHA=$(cosign verify -key cosign.pub buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-x86-64 | jq -r .critical.image.\"docker-manifest-digest\")
@@ -73,7 +73,14 @@ jobs:
             -a tag=${{ env.LIFECYCLE_VERSION }} \
             buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}@${MANIFEST_SHA}
           cosign verify -key cosign.pub -a tag=${{ env.LIFECYCLE_VERSION }} buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}
+
           cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}
+          MANIFEST_SHA=${MANIFEST_SHA#"sha256:"}
+          COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }} cosign sign -r \
+            -key <(echo -n "${{ secrets.COSIGN_PRIVATE_KEY }}" | base64 --decode) \
+            -a tag=${{ env.LIFECYCLE_VERSION }} \
+            buildpacksio/lifecycle:sha256-${MANIFEST_SHA}.sbom
+          cosign verify -key cosign.pub -a tag=${{ env.LIFECYCLE_VERSION }} buildpacksio/lifecycle:sha256-${MANIFEST_SHA}.sbom
       - name: Retag lifecycle images & create manifest list - latest
         if: "!contains(env.LIFECYCLE_VERSION, 'rc')"
         run: |
@@ -101,4 +108,11 @@ jobs:
             -a tag=latest \
             buildpacksio/lifecycle:latest@${MANIFEST_SHA}
           cosign verify -key cosign.pub -a tag=latest buildpacksio/lifecycle:latest
+
           cosign attach sbom -sbom ./*-bom.cdx.json -type cyclonedx buildpacksio/lifecycle:latest
+          MANIFEST_SHA=${MANIFEST_SHA#"sha256:"}
+          COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }} cosign sign -r \
+            -key <(echo -n "${{ secrets.COSIGN_PRIVATE_KEY }}" | base64 --decode) \
+            -a tag=${{ env.LIFECYCLE_VERSION }} \
+            buildpacksio/lifecycle:sha256-${MANIFEST_SHA}.sbom
+          cosign verify -key cosign.pub -a tag=${{ env.LIFECYCLE_VERSION }} buildpacksio/lifecycle:sha256-${MANIFEST_SHA}.sbom
diff --git a/tools/packager/main.go b/tools/packager/main.go
@@ -138,7 +138,7 @@ func doPackage() error {
 	defer hashFile.Close()
 
 	sha := hex.EncodeToString(hasher.Sum(nil))
-	_, err = hashFile.Write([]byte(sha + "\n"))
+	_, err = hashFile.Write([]byte(archivePath + "  " + sha + "\n"))
 	if err != nil {
 		return errors.Wrap(err, fmt.Sprintf("Failed to write sha256:%s to %s", sha, hashFileName))
 	}

diff --git a/tools/test-fork.sh b/tools/test-fork.sh
@@ -2,6 +2,7 @@
 
 # $1 - registry repo name
 # $2 - path to cosign public key
+# $3 - enable tests
 
 echo "Parse registry: $1"
 firstPart=$(echo $1 | cut -d/ -f1)
@@ -44,7 +45,16 @@ fi
 echo "Use public key from fork (assumes private key and passphrase have been added to GitHub secrets)"
 cp $2 cosign.pub
 
-echo "Skip tests to make things faster"
-sed -i '' "s/make test/echo test/g" .github/workflows/*.yml
-sed -i '' "s/make acceptance/echo acceptance/g" .github/workflows/*.yml
-echo "$(sed '/pack-acceptance/,$d' .github/workflows/build.yml)" > .github/workflows/build.yml
+echo "Remove arm tests (these require a self-hosted runner)"
+sed -i '' "/test-linux-arm64:/,+11d" .github/workflows/build.yml
+sed -i '' "/test-linux-arm64/d" .github/workflows/build.yml
+
+if [[ -z $3 ]]; then
+  echo "Remove all tests to make things faster"
+  sed -i '' "s/make test/echo test/g" .github/workflows/*.yml
+  sed -i '' "s/make acceptance/echo acceptance/g" .github/workflows/*.yml
+  echo "$(sed '/pack-acceptance/,$d' .github/workflows/build.yml)" > .github/workflows/build.yml
+else
+  echo "Retain other tests"
+fi
+