From fae521adc0328ce65a4e1d358e706007e8818ffa Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Thu, 13 Jan 2022 08:54:33 +0100 Subject: [PATCH 1/8] Add signing of release artifacts and containers Signed-off-by: Marco Franssen --- .github/workflows/ci.yaml | 15 ++++++++++ .goreleaser.draft.yml | 60 +++++++++++++++++++++++++++++++++++++-- .goreleaser.yml | 47 ++++++++++++++++++++++++++++-- 3 files changed, 118 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 9c26d7d8..1dd909f0 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -76,6 +76,11 @@ jobs: with: go-version: 1.17 + - name: Install cosign + uses: sigstore/cosign-installer@v1.4.1 + with: + cosign-release: 'v1.4.1' + - name: Checkout uses: actions/checkout@v2.4.0 with: @@ -100,6 +105,10 @@ jobs: fi rm -f /tmp/spiffe-vault-release-vars.env + - name: Install signing key + run: | + echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key + - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }} uses: goreleaser/goreleaser-action@v2 with: @@ -109,6 +118,7 @@ jobs: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }} GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Get container info id: container_info @@ -125,6 +135,10 @@ jobs: docker logout docker logout ghcr.io + - name: Cleanup signing keys + if: ${{ always() }} + run: rm -f cosign.key + container-provenance: name: container-provenance needs: [release] @@ -177,6 +191,7 @@ jobs: run: | docker logout docker logout ghcr.io + rm -f cosign.key provenance: name: provenance diff --git a/.goreleaser.draft.yml b/.goreleaser.draft.yml index c99fddd2..5080a655 100644 --- a/.goreleaser.draft.yml +++ b/.goreleaser.draft.yml 
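Review bot: The new `Install cosign` step pins `sigstore/cosign-installer@v1.4.1` by tag, and Git tags are mutable; that matters here because this action runs right before the private signing key is materialised on the same runner, so a retagged or compromised action could read it. Pin the action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v1.4.1`, while keeping `cosign-release: 'v1.4.1'` so the installed binary stays pinned as well. The same treatment is worth applying to `actions/checkout@v2.4.0` and `goreleaser/goreleaser-action@v2` visible in the neighbouring context lines.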
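Review bot: The `Install signing key` step writes `secrets.COSIGN_PRIVATE_KEY` to `cosign.key` in the checkout on every run of this job, including the snapshot path where `github.ref` is not a tag (the Release step's own name shows that path exists), so the key is exposed to the whole job even when nothing publishable is produced. Gate the step on release refs and create the file with restrictive permissions: `if: startsWith(github.ref, 'refs/tags/')` and `run: (umask 077; echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key)`. If the step is gated, snapshot runs will presumably need goreleaser's sign steps skipped too (the Release step's `with:` arguments are outside this hunk, so I cannot tell how snapshots are invoked); please confirm before merging.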
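Review bot: `rm -f cosign.key` is added to the `container-provenance` job's logout step, but nothing in this diff shows that job ever writing `cosign.key`; the key is only written in `release`, which already removes it in a dedicated `if: ${{ always() }}` step. As written the line is dead and suggests a key exists in that job. Either drop it, or, if the job does materialise a key in a step outside this diff, move the removal into its own `if: ${{ always() }}` step as `release` does, since a failure before the logout step would otherwise leave the key on the runner.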
@@ -30,10 +30,15 @@ archives: files: - LICENSE* - README* + - cosign.pub + - dist/*.sig format_overrides: - goos: windows format: zip +checksum: + name_template: 'checksums.txt' + dockers: - goos: linux goarch: amd64 @@ -57,8 +62,57 @@ dockers: - "go.sum" - "cmd" - "lib" -checksum: - name_template: 'checksums.txt' + +signs: + - id: checksums + cmd: cosign + stdin: '{{ .Env.COSIGN_PASSWORD }}' + certificate: '${artifact}.pem' + output: true + artifacts: checksum + args: + - sign-blob + - --key + - cosign.key + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + - id: binaries + cmd: cosign + stdin: '{{ .Env.COSIGN_PASSWORD }}' + certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' + output: true + artifacts: binary + args: + - sign-blob + - --key + - cosign.key + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + - id: archives + cmd: cosign + stdin: '{{ .Env.COSIGN_PASSWORD }}' + certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' + output: true + artifacts: archive + args: + - sign-blob + - --key + - cosign.key + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + +docker_signs: + - cmd: cosign + artifacts: manifests + output: true + args: + - 'sign' + - --key + - cosign.key + - '${artifact}' snapshot: name_template: "{{ .Version }}-next" @@ -75,3 +129,5 @@ changelog: release: draft: true prerelease: auto + extra_files: + - glob: "./cosign.pub" diff --git a/.goreleaser.yml b/.goreleaser.yml index a274937a..a419a7ad 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -30,10 +30,15 @@ archives: files: - LICENSE* - README* + - cosign.pub + - dist/*.sig format_overrides: - goos: windows format: zip +checksum: + name_template: 'checksums.txt' + dockers: - goos: linux goarch: amd64 
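Review bot: The `archives.files` entry `dist/*.sig` almost certainly matches nothing, because as I read goreleaser's pipeline the `signs` stage runs after archives are built, so no `.sig` files exist in `dist/` at archive time; the same entry is added to `.goreleaser.yml` further down. Either remove the glob or confirm with a snapshot build that the archives actually contain signatures. Bundling `cosign.pub` inside the archive it is meant to verify is also worth a caveat in the README: a consumer cannot use a key shipped alongside the artifact as a trust anchor and should obtain it from the repository at a known commit instead, so the in-archive copy is a convenience only.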
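Review bot: Publishing `./cosign.pub` via `release.extra_files` distributes the verification key over the same channel as the signed release assets, so anyone who can replace the assets can replace the key too; it does not by itself give verifiers an independent trust anchor. This is fine as a convenience, but the README should state that the authoritative key is the `cosign.pub` committed in the repository (the later commit in this series relies on that copy) and show the expected verify command, e.g. `cosign verify-blob --key cosign.pub --signature checksums.txt.sig checksums.txt` followed by `sha256sum -c checksums.txt`.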
@@ -57,8 +62,44 @@ dockers: - "go.sum" - "cmd" - "lib" -checksum: - name_template: 'checksums.txt' + +signs: + - id: checksums + cmd: cosign + stdin: '{{ .Env.COSIGN_PASSWORD }}' + certificate: '${artifact}.pem' + output: true + artifacts: checksum + args: + - sign-blob + - --key + - cosign.key + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + - id: archives + cmd: cosign + stdin: '{{ .Env.COSIGN_PASSWORD }}' + certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' + output: true + artifacts: archive + args: + - sign-blob + - --key + - cosign.key + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + +docker_signs: + - cmd: cosign + artifacts: manifests + output: true + args: + - 'sign' + - --key + - cosign.key + - '${artifact}' snapshot: name_template: "{{ .Version }}-next" @@ -75,3 +116,5 @@ changelog: release: draft: false prerelease: auto + extra_files: + - glob: "./cosign.pub" From 885106c56e661d57ade041781604f04ef4821eb2 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Thu, 13 Jan 2022 10:25:22 +0100 Subject: [PATCH 2/8] Add signing of binaries Signed-off-by: Marco Franssen --- .goreleaser.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.goreleaser.yml b/.goreleaser.yml index a419a7ad..c2f4885b 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -77,6 +77,19 @@ signs: - '--output-certificate=${certificate}' - '--output-signature=${signature}' - '${artifact}' + - id: binaries + cmd: cosign + stdin: '{{ .Env.COSIGN_PASSWORD }}' + certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' + output: true + artifacts: binary + args: + - sign-blob + - --key + - cosign.key + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' - id: archives cmd: cosign stdin: '{{ .Env.COSIGN_PASSWORD }}' From 940f3c52c7089711a9eb6b647bc8d3ba752c2cd2 Mon Sep 17 00:00:00 2001 
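Review bot: The new `binaries` sign entry produces a `.sig` per raw binary, but the binaries themselves are only shipped inside the archives (the `archives` section is the only place they are packaged), so consumers may end up with binary signature files on the release that have no matching standalone asset. I am inferring the upload behaviour from goreleaser conventions rather than from this diff, so please check the release assets after the first draft release; if the `.sig` files do appear without binaries, either drop this entry or document that a binary must be extracted from its archive before `cosign verify-blob --key cosign.pub --signature <binary>.sig <binary>`.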
From: Marco Franssen Date: Thu, 13 Jan 2022 10:33:11 +0100 Subject: [PATCH 3/8] Bump goreleaser version in Makefile Signed-off-by: Marco Franssen --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 1ad9c66f..bdcf86d7 100644 --- a/Makefile +++ b/Makefile @@ -88,7 +88,7 @@ image: ## build the binary in a docker image . $(GO_PATH)/bin/goreleaser: - go install github.com/goreleaser/goreleaser@v0.182.1 + go install github.com/goreleaser/goreleaser@v1.2.5 .PHONY: snapshot-release snapshot-release: $(GO_PATH)/bin/goreleaser ## creates a snapshot release using goreleaser From 8cfdefdfcb438f21e2ce929be0918ed46201ac2b Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Fri, 14 Jan 2022 09:58:47 +0100 Subject: [PATCH 4/8] Remove certificates as we not use PKCS11 Signed-off-by: Marco Franssen --- .goreleaser.draft.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.goreleaser.draft.yml b/.goreleaser.draft.yml index 5080a655..297f4437 100644 --- a/.goreleaser.draft.yml +++ b/.goreleaser.draft.yml @@ -67,7 +67,7 @@ signs: - id: checksums cmd: cosign stdin: '{{ .Env.COSIGN_PASSWORD }}' - certificate: '${artifact}.pem' + # certificate: '${artifact}.pem' output: true artifacts: checksum args: @@ -80,7 +80,7 @@ signs: - id: binaries cmd: cosign stdin: '{{ .Env.COSIGN_PASSWORD }}' - certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' + # certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' output: true artifacts: binary args: @@ -93,7 +93,7 @@ signs: - id: archives cmd: cosign stdin: '{{ .Env.COSIGN_PASSWORD }}' - certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' + # certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' output: true artifacts: archive args: From 6a643ba967715f9c9b2e1ee5dc6005d658c58031 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Thu, 13 Jan 2022 09:38:03 +0100 Subject: [PATCH 5/8] Bump version for release to v0.5.1-draft 
Signed-off-by: Marco Franssen --- .github/workflows/ci.yaml | 4 ++-- .github/workflows/example-publish.yaml | 2 +- README.md | 8 ++++---- action.yaml | 2 +- release.md | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1dd909f0..4c9e37f4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -156,7 +156,7 @@ jobs: cosign-release: 'v1.4.1' - name: Generate provenance for ${{ matrix.repo }} - uses: philips-labs/slsa-provenance-action@v0.5.0 + uses: philips-labs/slsa-provenance-action@v0.5.1-draft with: command: generate subcommand: container @@ -201,7 +201,7 @@ jobs: steps: - name: Generate provenance for Release - uses: philips-labs/slsa-provenance-action@v0.5.0 + uses: philips-labs/slsa-provenance-action@v0.5.1-draft with: command: generate subcommand: github-release diff --git a/.github/workflows/example-publish.yaml b/.github/workflows/example-publish.yaml index c700b8fb..a6b45c87 100644 --- a/.github/workflows/example-publish.yaml +++ b/.github/workflows/example-publish.yaml @@ -26,7 +26,7 @@ jobs: uses: actions/download-artifact@v2 - name: Generate provenance - uses: philips-labs/slsa-provenance-action@v0.5.0 + uses: philips-labs/slsa-provenance-action@v0.5.1-draft with: command: generate subcommand: files diff --git a/README.md b/README.md index f1049f88..8bd84aa5 100644 --- a/README.md +++ b/README.md @@ -109,7 +109,7 @@ See all available images [here.](https://hub.docker.com/r/philipssoftware/slsa-p Run the Docker image by doing: ```sh -docker run philipssoftware/slsa-provenance:v0.5.0 +docker run philipssoftware/slsa-provenance:v0.5.1-draft ``` **GitHub Container Registry** 
@@ -117,7 +117,7 @@ See all available images [here.](https://github.com/philips-labs/slsa-provenance Run the Docker image by doing: ```sh -docker run ghcr.io/philips-labs/slsa-provenance:v0.5.0 +docker run ghcr.io/philips-labs/slsa-provenance:v0.5.1-draft ``` The Docker image includes the working binary that can be executed by using the ``slsa-provenance`` command. @@ -145,7 +145,7 @@ The easiest way to use this action is to add the following into your workflow fi steps: - name: Generate provenance for Release - uses: philips-labs/slsa-provenance-action@v0.5.0 + uses: philips-labs/slsa-provenance-action@v0.5.1-draft with: command: generate subcommand: files @@ -180,7 +180,7 @@ The easiest way to use this action is to add the following into your workflow fi path: extra-materials/ - name: Generate provenance - uses: philips-labs/slsa-provenance-action@v0.5.0 + uses: philips-labs/slsa-provenance-action@v0.5.1-draft with: command: generate subcommand: files diff --git a/action.yaml b/action.yaml index fdeacf31..fdf13096 100644 --- a/action.yaml +++ b/action.yaml @@ -47,6 +47,6 @@ runs: run: | echo Running slsa-provenance with following arguments echo ${{ steps.compose-args.outputs.provenance_args }} - - uses: 'docker://ghcr.io/philips-labs/slsa-provenance:v0.5.0' + - uses: 'docker://ghcr.io/philips-labs/slsa-provenance:v0.5.1-draft' with: args: ${{ steps.compose-args.outputs.provenance_args }} diff --git a/release.md b/release.md index 77fd63a2..27b3aa9a 100644 --- a/release.md +++ b/release.md @@ -5,7 +5,7 @@ To make a new release you can make use of the following `make` task. ```bash -make gh-release NEW_VERSION=v0.6.0 OLD_VERSION=v0.5.0 DESCRIPTION="A test release to see how it works" +make gh-release NEW_VERSION=v0.6.0 OLD_VERSION=v0.5.1-draft DESCRIPTION="A test release to see how it works" ``` `NEW_VERSION` the version that you want to release. From f454e93e1dd8e77ba97562de6d65d625faf61524 Mon Sep 17 00:00:00 2001 
From: Marco Franssen Date: Fri, 14 Jan 2022 13:25:53 +0100 Subject: [PATCH 6/8] Fix to also sign the images Manifest only signs manifests, https://goreleaser.com/customization/docker_sign/ Signed-off-by: Marco Franssen --- .goreleaser.draft.yml | 2 +- .goreleaser.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.goreleaser.draft.yml b/.goreleaser.draft.yml index 297f4437..33d8fab0 100644 --- a/.goreleaser.draft.yml +++ b/.goreleaser.draft.yml @@ -106,7 +106,7 @@ signs: docker_signs: - cmd: cosign - artifacts: manifests + artifacts: all output: true args: - 'sign' diff --git a/.goreleaser.yml b/.goreleaser.yml index c2f4885b..0ad238ef 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -106,7 +106,7 @@ signs: docker_signs: - cmd: cosign - artifacts: manifests + artifacts: all output: true args: - 'sign' From 77360880a04024fd1103a08e4323153cc491f392 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Fri, 14 Jan 2022 13:30:51 +0100 Subject: [PATCH 7/8] Remove as pub key is already committed Signed-off-by: Marco Franssen --- .github/workflows/ci.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4c9e37f4..b8e1884c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -183,7 +183,6 @@ jobs: - name: Verify attestation run: | - echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} - name: Logout from Container registries From abc16c4af1f4de010f3861dc66d764757ab50c6f Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Fri, 14 Jan 2022 13:35:59 +0100 Subject: [PATCH 8/8] Remove the PKCS11 certs from signing Signed-off-by: Marco Franssen --- .goreleaser.draft.yml | 3 --- .goreleaser.yml | 3 --- 2 files changed, 6 deletions(-) diff --git a/.goreleaser.draft.yml b/.goreleaser.draft.yml index 33d8fab0..d7777648 100644 --- a/.goreleaser.draft.yml 
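Review bot: The `docker_signs` entry that now signs `artifacts: all` still has no `stdin:`, unlike the three `signs` entries which pass `'{{ .Env.COSIGN_PASSWORD }}'`, so unlocking `cosign.key` here relies solely on cosign picking up the `COSIGN_PASSWORD` environment variable inherited from the workflow. That does work as far as I know, but it is an implicit dependency and the inconsistency reads like an omission; add `stdin: '{{ .Env.COSIGN_PASSWORD }}'` to `docker_signs` in both `.goreleaser.draft.yml` and `.goreleaser.yml`. It is also worth a comment that `${artifact}` is a tag reference and cosign binds the signature to the digest resolved at signing time, so verifiers should pin by digest as the `verify-attestation` step in ci.yaml does.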
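Review bot: After dropping the `echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub` line, `cosign verify-attestation --key cosign.pub` depends on the `container-provenance` job having the repository checked out; no checkout step for that job is visible in this series, so please confirm one exists before the `Verify attestation` step. It is also worth a comment on that step that verifying against the `cosign.pub` from the same checkout only proves the pipeline signed with the key matching the committed public key, i.e. it is a self-consistency check rather than an independent trust decision, e.g. `# smoke test: verifies against the repo's committed cosign.pub, not an external trust root`.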
+++ b/.goreleaser.draft.yml @@ -67,7 +67,6 @@ signs: - id: checksums cmd: cosign stdin: '{{ .Env.COSIGN_PASSWORD }}' - # certificate: '${artifact}.pem' output: true artifacts: checksum args: @@ -80,7 +79,6 @@ signs: - id: binaries cmd: cosign stdin: '{{ .Env.COSIGN_PASSWORD }}' - # certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' output: true artifacts: binary args: @@ -93,7 +91,6 @@ signs: - id: archives cmd: cosign stdin: '{{ .Env.COSIGN_PASSWORD }}' - # certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' output: true artifacts: archive args: diff --git a/.goreleaser.yml b/.goreleaser.yml index 0ad238ef..d8865219 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -67,7 +67,6 @@ signs: - id: checksums cmd: cosign stdin: '{{ .Env.COSIGN_PASSWORD }}' - certificate: '${artifact}.pem' output: true artifacts: checksum args: @@ -80,7 +79,6 @@ signs: - id: binaries cmd: cosign stdin: '{{ .Env.COSIGN_PASSWORD }}' - certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' output: true artifacts: binary args: @@ -93,7 +91,6 @@ signs: - id: archives cmd: cosign stdin: '{{ .Env.COSIGN_PASSWORD }}' - certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem' output: true artifacts: archive args:
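Review bot: Removing the `certificate:` key leaves the `'--output-certificate=${certificate}'` argument, added in the first patch of this series, in every `signs` entry, so cosign is now invoked with `--output-certificate=` expanded to an empty path. Key-based `sign-blob` emits no certificate, so drop that argument from the `checksums`, `binaries` and `archives` entries in both `.goreleaser.draft.yml` and `.goreleaser.yml`. As I read cosign an empty value is a no-op today, but the flag is misleading and would start writing or failing if goreleaser ever leaves `${certificate}` unexpanded or cosign changes the empty-path handling.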