philips-labs · Brend-Smits · Mar 2, 2022 · Mar 2, 2022 · marcofranssen · Mar 2, 2022
@@ -70,6 +70,10 @@ jobs:
       container_repos: ${{ steps.container_info.outputs.container_repos }}
 
     runs-on: ubuntu-20.04
+    permissions:
+      packages: write
+      id-token: write
+      contents: write
 
     steps:
       - name: Set up Go
@@ -124,6 +128,7 @@ jobs:
           LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }}
           GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_EXPERIMENTAL: 1
 
       - name: Get container info
         id: container_info
@@ -149,6 +154,10 @@ jobs:
     needs: [release]
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-20.04
+    permissions:
+      packages: write
+      id-token: write
+      contents: write
     env:
       TAGS: "${{ needs.release.outputs.container_tags }}"
 
@@ -172,30 +181,31 @@ jobs:
 
       - name: Attach SBOM
         env:
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_EXPERIMENTAL: 1
         run: |
-          echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
-          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
           IFS=,
           for t in ${TAGS}; do
-            cosign verify --key cosign.pub ${{ matrix.repo }}:${t}
+            cosign verify ${{ matrix.repo }}:${t}
             syft ${{ matrix.repo }}:${t} -o spdx-json > sbom-spdx.json
-            cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key ${{ matrix.repo }}:${t}
-            cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub ${{ matrix.repo }}:${t}
+            cosign attest --predicate sbom-spdx.json --type spdx ${{ matrix.repo }}:${t}
+            cosign verify-attestation -o verified-sbom-spdx.json ${{ matrix.repo }}:${t}
           done
 
       - name: Clean up & Logout from Container registries
         if: ${{ always() }}
         run: |
           docker logout
           docker logout ghcr.io
-          rm -f cosign.key
 
   provenance:
     name: provenance
     needs: [release]
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-20.04
+    permissions:
+      packages: write
+      id-token: write
+      contents: write
 
     steps:
       - name: Generate provenance for Release
@@ -214,8 +224,7 @@ jobs:
 
       - name: Sign provenance
         run: |
-          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
-          cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att
+          cosign sign-blob --output-signature "${SIGNATURE}" provenance.att
           cat "${SIGNATURE}"
 
           curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}")
@@ -229,14 +238,18 @@ jobs:
             "https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_EXPERIMENTAL: 1
           SIGNATURE: provenance.att.sig
 
   container-provenance:
     name: container-provenance
     needs: [release]
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-20.04
+    permissions:
+      packages: write
+      id-token: write
+      contents: write
 
     strategy:
       matrix:
@@ -269,19 +282,16 @@ jobs:
 
       - name: Attach provenance to image
         run: |
-          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
-          cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+          cosign attest --predicate provenance-predicate.att --type slsaprovenance ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
       - name: Verify attestation
         run: |
-          echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
-          cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+          cosign verify-attestation ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
 
       - name: Logout from Container registries
         if: ${{ always() }}
         run: |
           docker logout
           docker logout ghcr.io
-          rm -f cosign.key
@@ -6,6 +6,7 @@ before:
 
 env:
   - CGO_ENABLED=0
+  - COSIGN_EXPERIMENTAL=1
 
 builds:
   - id: binary
@@ -82,8 +83,6 @@ signs:
     artifacts: checksum
     args:
       - sign-blob
-      - --key
-      - cosign.key
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -94,8 +93,6 @@ signs:
     artifacts: binary
     args:
       - sign-blob
-      - --key
-      - cosign.key
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -106,8 +103,6 @@ signs:
     artifacts: archive
     args:
       - sign-blob
-      - --key
-      - cosign.key
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -118,8 +113,6 @@ signs:
     artifacts: sbom
     args:
       - sign-blob
-      - --key
-      - cosign.key
       - '--output-certificate=${certificate}'
       - '--output-signature=${signature}'
       - '${artifact}'
@@ -130,8 +123,6 @@ docker_signs:
     output: true
     args:
       - 'sign'
-      - --key
-      - cosign.key
       - '${artifact}'
 
 snapshot:
@@ -150,7 +141,5 @@ changelog:
 release:
   draft: true
   prerelease: auto
-  extra_files:
-    - glob: "./cosign.pub"
   footer: |
     **Full Changelog**: https://github.com/philips-labs/slsa-provenance-action/compare/{{ .PreviousTag }}...{{ .Tag }}
@@ -130,8 +130,6 @@ docker_signs:
     output: true
     args:
       - 'sign'
-      - --key
-      - cosign.key
       - '${artifact}'
 
 snapshot: