✨ Support sign image (#217)

go-sigma · Oct 19, 2023 · c234432 · c234432
1 parent 29ef03e
commit c234432
Show file tree

Hide file tree

Showing 30 changed files with 625 additions and 170 deletions.
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -26,7 +26,7 @@ RUN set -eux && \
 
 FROM alpine:${ALPINE_VERSION} as trivy
 
-ARG TRIVY_VERSION=0.45.1
+ARG TRIVY_VERSION=0.46.0
 ARG ORAS_VERSION=1.0.0
 ARG TARGETARCH
 

diff --git a/build/Dockerfile.builder b/build/Dockerfile.builder
@@ -1,4 +1,15 @@
 ARG GOLANG_VERSION=1.21.3-alpine3.18
+ARG BUILDKIT_VERSION=v0.12.2-rootless
+
+FROM golang:${GOLANG_VERSION} as cosign
+
+WORKDIR /go/src/github.com/sigstore
+
+RUN set -eux && \
+  apk add --no-cache make bash ncurses build-base git git-lfs && \
+  git clone https://github.com/go-sigma/cosign.git && \
+  cd cosign && \
+  make
 
 FROM golang:${GOLANG_VERSION} as builder
 
@@ -7,11 +18,10 @@ COPY . /go/src/github.com/go-sigma/sigma
 WORKDIR /go/src/github.com/go-sigma/sigma
 
 RUN set -eux && \
-  apk add --no-cache make bash ncurses build-base git git-lfs
-
-RUN make build-builder
+  apk add --no-cache make bash ncurses build-base git git-lfs && \
+  make build-builder
 
-FROM moby/buildkit:v0.12.2-rootless
+FROM moby/buildkit:${BUILDKIT_VERSION}
 
 USER root
 RUN set -eux && \
@@ -20,6 +30,7 @@ RUN set -eux && \
   chown -R 1000:1000 /opt/ && \
   chown -R 1000:1000 /code/
 
+COPY --from=cosign /go/src/github.com/sigstore/cosign/cosign /usr/local/bin/cosign
 COPY --from=builder /go/src/github.com/go-sigma/sigma/bin/sigma-builder /usr/local/bin/sigma-builder
 
 WORKDIR /code

diff --git a/build/Dockerfile.builder.local b/build/Dockerfile.builder.local
@@ -1,4 +1,17 @@
-FROM moby/buildkit:v0.12.2-rootless
+ARG GOLANG_VERSION=1.21.3-alpine3.18
+ARG BUILDKIT_VERSION=v0.12.2-rootless
+
+FROM golang:${GOLANG_VERSION} as cosign
+
+WORKDIR /go/src/github.com/sigstore
+
+RUN set -eux && \
+  apk add --no-cache make bash ncurses build-base git git-lfs && \
+  git clone https://github.com/go-sigma/cosign.git && \
+  cd cosign && \
+  make
+
+FROM moby/buildkit:${BUILDKIT_VERSION}
 
 USER root
 RUN set -eux && \
@@ -7,6 +20,7 @@ RUN set -eux && \
   chown -R 1000:1000 /opt/ && \
   chown -R 1000:1000 /code/
 
+COPY --from=cosign /go/src/github.com/sigstore/cosign/cosign /usr/local/bin/cosign
 COPY ./bin/sigma-builder /usr/local/bin/sigma-builder
 
 WORKDIR /code

diff --git a/build/Dockerfile.debian b/build/Dockerfile.debian
@@ -27,7 +27,7 @@ RUN set -eux && \
 
 FROM alpine:${ALPINE_VERSION} as trivy
 
-ARG TRIVY_VERSION=0.45.1
+ARG TRIVY_VERSION=0.46.0
 ARG ORAS_VERSION=1.0.0
 ARG TARGETARCH
 

diff --git a/build/Dockerfile.local b/build/Dockerfile.local
@@ -14,7 +14,7 @@ RUN set -eux && \
 
 FROM alpine:${ALPINE_VERSION} as trivy
 
-ARG TRIVY_VERSION=0.45.1
+ARG TRIVY_VERSION=0.46.0
 ARG ORAS_VERSION=1.0.0
 ARG TARGETARCH
 

diff --git a/cmd/builder/builder.go b/cmd/builder/builder.go
@@ -15,6 +15,7 @@
 package main
 
 import (
+	"context"
 	"encoding/base64"
 	"flag"
 	"fmt"
@@ -33,6 +34,7 @@ import (
 	"github.com/rs/zerolog/log"
 
 	"github.com/go-sigma/sigma/pkg/logger"
+	"github.com/go-sigma/sigma/pkg/signing"
 	"github.com/go-sigma/sigma/pkg/types"
 	"github.com/go-sigma/sigma/pkg/types/enums"
 	"github.com/go-sigma/sigma/pkg/utils"
@@ -82,6 +84,7 @@ func main() {
 	imageName, err := builder.genTag()
 	checkErr(err)
 	checkErr(builder.build(imageName))
+	checkErr(builder.sign(imageName))
 	checkErr(builder.exportCache())
 }
 
@@ -292,6 +295,15 @@ func (b Builder) build(imageName string) error {
 	return nil
 }
 
+func (b Builder) sign(imageName string) error {
+	s := signing.NewSigning(signing.Options{
+		Type:      enums.SigningTypeCosign,
+		Http:      strings.HasPrefix(b.Endpoint, "http://"),
+		Multiarch: len(b.BuildkitPlatforms) > 1,
+	})
+	return s.Sign(context.Background(), b.Authorization, b.SigningPrivateKey, imageName)
+}
+
 // docker run -it --rm --security-opt apparmor=unconfined -e SCM_CREDENTIAL_TYPE=none -e SCM_PROVIDER=github -e OCI_REGISTRY_DOMAIN=docker.com -e SCM_REPOSITORY=https://github.com/tosone/sudoku.git -e SCM_BRANCH=dev -e OCI_NAME=test:dev -e BUILDKIT_INSECURE_REGISTRIES="10.1.0.1:3000@http,docker.io@http,test.com" --entrypoint '' docker.io/library/builder:dev sh
 // docker run -it --rm --security-opt apparmor=unconfined -e SCM_CREDENTIAL_TYPE=none -e SCM_PROVIDER=github -e OCI_REGISTRY_DOMAIN=docker.com -e SCM_REPOSITORY=https://github.com/tosone/sudoku.git -e SCM_BRANCH=master -e OCI_NAME=test:dev -e BUILDKIT_INSECURE_REGISTRIES="10.1.0.1:3000@http,docker.io@http,test.com" --entrypoint '' docker.io/library/builder:dev sh
 

diff --git a/cmd/builder/checker.go b/cmd/builder/checker.go
@@ -95,5 +95,11 @@ func (b *Builder) checker() error {
 		}
 	}
 
+	signingPrivateKey, err := crypt.Decrypt(fmt.Sprintf("%d-%d", b.BuilderID, b.RunnerID), b.SigningPrivateKey)
+	if err != nil {
+		return fmt.Errorf("Decrypt signing private key failed: %v", err)
+	}
+	b.SigningPrivateKey = signingPrivateKey
+
 	return nil
 }
diff --git a/pkg/builder/builder.go b/pkg/builder/builder.go
@@ -25,6 +25,7 @@ import (
 
 	"github.com/go-sigma/sigma/pkg/builder/logger"
 	"github.com/go-sigma/sigma/pkg/configs"
+	"github.com/go-sigma/sigma/pkg/consts"
 	"github.com/go-sigma/sigma/pkg/dal/dao"
 	"github.com/go-sigma/sigma/pkg/types"
 	"github.com/go-sigma/sigma/pkg/utils"
@@ -104,6 +105,12 @@ func BuildEnv(builderConfig BuilderConfig) ([]string, error) {
 		builderConfig.BuildkitInsecureRegistries = append(builderConfig.BuildkitInsecureRegistries, fmt.Sprintf("%s@http", strings.TrimPrefix(config.HTTP.InternalEndpoint, "http://")))
 	}
 
+	settingService := dao.NewSettingServiceFactory().New()
+	privateKey, err := settingService.Get(ctx, consts.SettingSignPrivateKey)
+	if err != nil {
+		return nil, err
+	}
+
 	buildConfigEnvs := []string{
 		fmt.Sprintf("BUILDER_ID=%d", builderConfig.BuilderID),
 		fmt.Sprintf("RUNNER_ID=%d", builderConfig.RunnerID),
@@ -119,14 +126,15 @@ func BuildEnv(builderConfig BuilderConfig) ([]string, error) {
 
 		fmt.Sprintf("OCI_REGISTRY_DOMAIN=%s", strings.Join(builderConfig.OciRegistryDomain, ",")),
 		fmt.Sprintf("OCI_REGISTRY_USERNAME=%s", strings.Join(builderConfig.OciRegistryUsername, ",")),
-		// fmt.Sprintf("OCI_NAME=%s", builderConfig.OciName),
 
 		fmt.Sprintf("BUILDKIT_INSECURE_REGISTRIES=%s", strings.Join(builderConfig.BuildkitInsecureRegistries, ",")),
 		fmt.Sprintf("BUILDKIT_CACHE_DIR=%s", builderConfig.BuildkitCacheDir),
 		fmt.Sprintf("BUILDKIT_CONTEXT=%s", builderConfig.BuildkitContext),
 		fmt.Sprintf("BUILDKIT_DOCKERFILE=%s", builderConfig.BuildkitDockerfile),
 		fmt.Sprintf("BUILDKIT_PLATFORMS=%s", utils.StringsJoin(builderConfig.BuildkitPlatforms, ",")),
 		fmt.Sprintf("BUILDKIT_BUILD_ARGS=%s", strings.Join(builderConfig.BuildkitBuildArgs, ",")),
+
+		fmt.Sprintf("SIGNING_PRIVATE_KEY=%s", crypt.MustEncrypt(fmt.Sprintf("%d-%d", builderConfig.BuilderID, builderConfig.RunnerID), string(privateKey.Val))),
 	}
 	if builderConfig.Dockerfile != nil {
 		buildConfigEnvs = append(buildConfigEnvs, fmt.Sprintf("DOCKERFILE=%s", ptr.To(builderConfig.Dockerfile)))

diff --git a/pkg/configs/configuration.go b/pkg/configs/configuration.go
@@ -221,6 +221,7 @@ type ConfigurationProxy struct {
 	TlsVerify bool   `yaml:"tlsVerify"`
 	Username  string `yaml:"username"`
 	Password  string `yaml:"password"`
+	Token     string `yaml:"token"`
 }
 
 // ConfigurationDaemonGc ...

diff --git a/pkg/handlers/distribution/blob/blob_get.go b/pkg/handlers/distribution/blob/blob_get.go
@@ -31,6 +31,7 @@ import (
 	"github.com/spf13/viper"
 	"gorm.io/gorm"
 
+	"github.com/go-sigma/sigma/pkg/configs"
 	"github.com/go-sigma/sigma/pkg/consts"
 	"github.com/go-sigma/sigma/pkg/dal/models"
 	"github.com/go-sigma/sigma/pkg/handlers/distribution/clients"
@@ -59,7 +60,7 @@ func (h *handler) GetBlob(c echo.Context) error {
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) && viper.GetBool("proxy.enabled") {
 			f := clients.NewClientsFactory()
-			cli, err := f.New()
+			cli, err := f.New(*configs.GetConfiguration()) // TODO: config param
 			if err != nil {
 				if err != nil {
 					log.Error().Err(err).Str("digest", dgest.String()).Msg("New proxy server failed")

diff --git a/pkg/handlers/distribution/blob/blob_head.go b/pkg/handlers/distribution/blob/blob_head.go
@@ -27,6 +27,7 @@ import (
 	"github.com/spf13/viper"
 	"gorm.io/gorm"
 
+	"github.com/go-sigma/sigma/pkg/configs"
 	"github.com/go-sigma/sigma/pkg/consts"
 	"github.com/go-sigma/sigma/pkg/dal/models"
 	"github.com/go-sigma/sigma/pkg/handlers/distribution/clients"
@@ -65,7 +66,7 @@ func (h *handler) HeadBlob(c echo.Context) error {
 					return nil, xerrors.DSErrCodeBlobUnknown
 				}
 				f := clients.NewClientsFactory()
-				cli, err := f.New()
+				cli, err := f.New(*configs.GetConfiguration()) // TODO: config param
 				if err != nil {
 					log.Error().Err(err).Str("digest", dgest.String()).Msg("New proxy server failed")
 					return nil, xerrors.DSErrCodeUnknown