Merge pull request #109 from philips-labs/release-signing

Signing of artifacts
philips-labs · Jan 14, 2022 · 58d245d · 58d245d
2 parents 3511795 + abc16c4
commit 58d245d
Show file tree

Hide file tree

Showing 8 changed files with 135 additions and 15 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -76,6 +76,11 @@ jobs:
         with:
           go-version: 1.17
 
+      - name: Install cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v1.4.1'
+
       - name: Checkout
         uses: actions/[email protected]
         with:
@@ -100,6 +105,10 @@ jobs:
           fi
           rm -f /tmp/spiffe-vault-release-vars.env
 
+      - name: Install signing key
+        run: |
+          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
+
       - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }}
         uses: goreleaser/goreleaser-action@v2
         with:
@@ -109,6 +118,7 @@ jobs:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }}
           GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
       - name: Get container info
         id: container_info
@@ -125,6 +135,10 @@ jobs:
           docker logout
           docker logout ghcr.io
 
+      - name: Cleanup signing keys
+        if: ${{ always() }}
+        run: rm -f cosign.key
+
   container-provenance:
     name: container-provenance
     needs: [release]
@@ -142,7 +156,7 @@ jobs:
           cosign-release: 'v1.4.1'
 
       - name: Generate provenance for ${{ matrix.repo }}
-        uses: philips-labs/[email protected].0
+        uses: philips-labs/[email protected].1-draft
         with:
           command: generate
           subcommand: container
@@ -169,14 +183,14 @@ jobs:
 
       - name: Verify attestation
         run: |
-          echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
           cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
 
       - name: Logout from Container registries
         if: ${{ always() }}
         run: |
           docker logout
           docker logout ghcr.io
+          rm -f cosign.key
 
   provenance:
     name: provenance
@@ -186,7 +200,7 @@ jobs:
 
     steps:
       - name: Generate provenance for Release
-        uses: philips-labs/[email protected].0
+        uses: philips-labs/[email protected].1-draft
         with:
           command: generate
           subcommand: github-release

diff --git a/.github/workflows/example-publish.yaml b/.github/workflows/example-publish.yaml
@@ -26,7 +26,7 @@ jobs:
         uses: actions/download-artifact@v2
 
       - name: Generate provenance
-        uses: philips-labs/[email protected].0
+        uses: philips-labs/[email protected].1-draft
         with:
           command: generate
           subcommand: files

diff --git a/.goreleaser.draft.yml b/.goreleaser.draft.yml
@@ -30,10 +30,15 @@ archives:
     files:
       - LICENSE*
       - README*
+      - cosign.pub
+      - dist/*.sig
     format_overrides:
       - goos: windows
         format: zip
 
+checksum:
+  name_template: 'checksums.txt'
+
 dockers:
   - goos: linux
     goarch: amd64
@@ -57,8 +62,54 @@ dockers:
       - "go.sum"
       - "cmd"
       - "lib"
-checksum:
-  name_template: 'checksums.txt'
+
+signs:
+  - id: checksums
+    cmd: cosign
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    output: true
+    artifacts: checksum
+    args:
+      - sign-blob
+      - --key
+      - cosign.key
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+  - id: binaries
+    cmd: cosign
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    output: true
+    artifacts: binary
+    args:
+      - sign-blob
+      - --key
+      - cosign.key
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+  - id: archives
+    cmd: cosign
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    output: true
+    artifacts: archive
+    args:
+      - sign-blob
+      - --key
+      - cosign.key
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+
+docker_signs:
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - 'sign'
+      - --key
+      - cosign.key
+      - '${artifact}'
 
 snapshot:
   name_template: "{{ .Version }}-next"
@@ -75,3 +126,5 @@ changelog:
 release:
   draft: true
   prerelease: auto
+  extra_files:
+    - glob: "./cosign.pub"
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -30,10 +30,15 @@ archives:
     files:
       - LICENSE*
       - README*
+      - cosign.pub
+      - dist/*.sig
     format_overrides:
       - goos: windows
         format: zip
 
+checksum:
+  name_template: 'checksums.txt'
+
 dockers:
   - goos: linux
     goarch: amd64
@@ -57,8 +62,54 @@ dockers:
       - "go.sum"
       - "cmd"
       - "lib"
-checksum:
-  name_template: 'checksums.txt'
+
+signs:
+  - id: checksums
+    cmd: cosign
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    output: true
+    artifacts: checksum
+    args:
+      - sign-blob
+      - --key
+      - cosign.key
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+  - id: binaries
+    cmd: cosign
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    output: true
+    artifacts: binary
+    args:
+      - sign-blob
+      - --key
+      - cosign.key
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+  - id: archives
+    cmd: cosign
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    output: true
+    artifacts: archive
+    args:
+      - sign-blob
+      - --key
+      - cosign.key
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+
+docker_signs:
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - 'sign'
+      - --key
+      - cosign.key
+      - '${artifact}'
 
 snapshot:
   name_template: "{{ .Version }}-next"
@@ -75,3 +126,5 @@ changelog:
 release:
   draft: false
   prerelease: auto
+  extra_files:
+    - glob: "./cosign.pub"
diff --git a/Makefile b/Makefile
@@ -88,7 +88,7 @@ image: ## build the binary in a docker image
 		.
 
 $(GO_PATH)/bin/goreleaser:
-	go install github.com/goreleaser/goreleaser@v0.182.1
+	go install github.com/goreleaser/goreleaser@v1.2.5
 
 .PHONY: snapshot-release
 snapshot-release: $(GO_PATH)/bin/goreleaser ## creates a snapshot release using goreleaser

diff --git a/README.md b/README.md
@@ -109,15 +109,15 @@ See all available images [here.](https://hub.docker.com/r/philipssoftware/slsa-p
 Run the Docker image by doing:
 
 ```sh
-docker run philipssoftware/slsa-provenance:v0.5.0
+docker run philipssoftware/slsa-provenance:v0.5.1-draft
 ```
 
 **GitHub Container Registry**
 See all available images [here.](https://github.com/philips-labs/slsa-provenance-action/pkgs/container/slsa-provenance)
 Run the Docker image by doing:
 
 ```sh
-docker run ghcr.io/philips-labs/slsa-provenance:v0.5.0
+docker run ghcr.io/philips-labs/slsa-provenance:v0.5.1-draft
 ```
 
 The Docker image includes the working binary that can be executed by using the ``slsa-provenance`` command.
@@ -145,7 +145,7 @@ The easiest way to use this action is to add the following into your workflow fi
 
     steps:
       - name: Generate provenance for Release
-        uses: philips-labs/[email protected].0
+        uses: philips-labs/[email protected].1-draft
         with:
           command: generate
           subcommand: files
@@ -180,7 +180,7 @@ The easiest way to use this action is to add the following into your workflow fi
           path: extra-materials/
 
       - name: Generate provenance
-        uses: philips-labs/[email protected].0
+        uses: philips-labs/[email protected].1-draft
         with:
           command: generate
           subcommand: files

diff --git a/action.yaml b/action.yaml
@@ -47,6 +47,6 @@ runs:
       run: |
         echo Running slsa-provenance with following arguments
         echo ${{ steps.compose-args.outputs.provenance_args }}
-    - uses: 'docker://ghcr.io/philips-labs/slsa-provenance:v0.5.0'
+    - uses: 'docker://ghcr.io/philips-labs/slsa-provenance:v0.5.1-draft'
       with:
         args: ${{ steps.compose-args.outputs.provenance_args }}
diff --git a/release.md b/release.md
@@ -5,7 +5,7 @@
 To make a new release you can make use of the following `make` task.
 
 ```bash
-make gh-release NEW_VERSION=v0.6.0 OLD_VERSION=v0.5.0 DESCRIPTION="A test release to see how it works"
+make gh-release NEW_VERSION=v0.6.0 OLD_VERSION=v0.5.1-draft DESCRIPTION="A test release to see how it works"
 ```
 
 `NEW_VERSION` the version that you want to release.