Mirror signed release images from GCR to GHCR as part of release with… #1547

Merged
Mar 4, 2022
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -55,6 +55,7 @@ GOLANGCI_LINT_BIN = $(GOLANGCI_LINT_DIR)/golangci-lint

KO_PREFIX ?= gcr.io/projectsigstore
export KO_DOCKER_REPO=$(KO_PREFIX)
GHCR_PREFIX ?= ghcr.io/sigstore/cosign
COSIGNED_YAML ?= cosign-$(GIT_TAG).yaml

.PHONY: all lint test clean cosign cross
3 changes: 2 additions & 1 deletion release/README.md
Expand Up @@ -32,7 +32,7 @@ $ git push origin ${RELEASE_TAG}

```shell
$ gcloud builds submit --config <PATH_TO_CLOUDBUILD> \
--substitutions _GIT_TAG=${RELEASE_TAG},_TOOL_ORG=sigstore,_TOOL_REPO=cosign,_STORAGE_LOCATION=cosign-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME> \
--substitutions _GIT_TAG=${RELEASE_TAG},_TOOL_ORG=sigstore,_TOOL_REPO=cosign,_STORAGE_LOCATION=cosign-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME>,_GITHUB_USER=<GITHUB_USER> \
--project <GCP_PROJECT>
```

Expand All @@ -48,6 +48,7 @@ Where:
- `_KEY_NAME` key name of your cosign key.
- `_KEY_VERSION` version of the key stored in KMS. Default `1`.
- `_KEY_LOCATION` location in GCP where the key is stored. Default `global`.
- `_GITHUB_USER` GitHub user to authenticate for pushing to GHCR.


3. When the job finish, without issues, you should be able to see in GitHub a draft release.
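Review bot: the new `_GITHUB_USER` entry documents the user but not the credential that goes with it. The new cloudbuild step reads a `GITHUB_TOKEN` secret from Secret Manager (`projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest`) and pipes it into `docker login ghcr.io`, so an operator setting this pipeline up in a fresh project gets no hint here that the secret must exist and must hold a token for `_GITHUB_USER` that is allowed to push to `ghcr.io/sigstore/cosign`. Suggest adding a line under "Where:" such as: "A `GITHUB_TOKEN` secret (a token for `_GITHUB_USER` with permission to push packages to GHCR) must exist in Secret Manager in the build project."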
25 changes: 25 additions & 0 deletions release/cloudbuild.yaml
Expand Up @@ -65,6 +65,30 @@ steps:
gcloud auth configure-docker \
&& make release

- name: gcr.io/cloud-builders/docker
entrypoint: 'bash'
dir: "go/src/sigstore/fulcio"
env:
- "GOPATH=/workspace/go"
- "GOBIN=/workspace/bin"
- PROJECT_ID=${PROJECT_ID}
- KEY_LOCATION=${_KEY_LOCATION}
- KEY_RING=${_KEY_RING}
- KEY_NAME=${_KEY_NAME}
- KEY_VERSION=${_KEY_VERSION}
- GIT_TAG=${_GIT_TAG}
- KO_PREFIX=gcr.io/${PROJECT_ID}
- COSIGN_EXPERIMENTAL=true
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
- GITHUB_USER=${_GITHUB_USER}
secretEnv:
- GITHUB_TOKEN
args:
- '-c'
- |
echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \
&& make copy-signed-release-to-ghcr

availableSecrets:
secretManager:
- versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest
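Review bot: `dir: "go/src/sigstore/fulcio"` points this step at a fulcio checkout, but `make copy-signed-release-to-ghcr` is a target of this repository's `release/release.mk`, so in the cosign release pipeline the step will either find no such rule or run against the wrong tree; it should use the cosign checkout directory that the preceding `make release` step runs in. Two smaller points: `cosign copy` needs none of `KEY_LOCATION`, `KEY_RING`, `KEY_NAME`, `KEY_VERSION` or `GOOGLE_SERVICE_ACCOUNT_NAME`, and dropping them keeps the one step that holds `GITHUB_TOKEN` as small as possible; and the step sets `GOBIN=/workspace/bin` but nothing in the visible lines puts that directory on `PATH` inside `gcr.io/cloud-builders/docker`, so confirm that `cosign` resolves there (or call it by full path). Reading the token from `secretEnv` and handing it to `docker login` via `--password-stdin` rather than as an argument is the right pattern; keep that.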
Expand Down Expand Up @@ -96,3 +120,4 @@ substitutions:
_KEY_NAME: 'honk-crypto'
_KEY_VERSION: '1'
_KEY_LOCATION: 'global'
_GITHUB_USER: 'placeholder'
20 changes: 20 additions & 0 deletions release/release.mk
Expand Up @@ -49,3 +49,23 @@ sign-keyless-release: sign-keyless-cosign-release sign-keyless-cosigned-release
.PHONY: snapshot
snapshot:
LDFLAGS="$(LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --rm-dist --timeout 60m

####################
# copy image to GHCR
####################

.PHONY: copy-cosign-signed-release-to-ghcr
copy-cosign-signed-release-to-ghcr:
cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION)
Member


Right now we are pushing the CI images to the following paths:

  • ghcr.io/sigstore/cosign/cosign for cosign
  • ghcr.io/sigstore/cosign/cosigned for cosigned
  • ghcr.io/sigstore/cosign/sget for sget

I think for now we might keep pushing to those paths.

I've copied the GCR image of v1.6.0 today to ghcr.io/sigstore/cosign/cosign:

```shell
$ COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/sigstore/cosign/cosign:v1.6.0

Verification for ghcr.io/sigstore/cosign/cosign:v1.6.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"gcr.io/projectsigstore/cosign"},"image":{"docker-manifest-digest":"sha256:b667002156c4bf9fedd9273f689b800bb5c341660e710e3bbac981c9795423d9"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIQDKOjHLFQDrOfI0FGxaOUVcrvuh639SwV+4rhim2cg3ZAIgctpg49VMRpvKJ5ENfLuma6vcfaoxaWa6i8GaRhF/HLo=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2ZDI3N2QyMWNlNDJmODgzNjM0ZGYyMTM5MzhjNGUxOGYzNTI0N2I5OGZiYmZlY2ExNzY1MWE1MjQ1MjIxYmEwIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUNMOEJFKzdmeWJyNjZDK1RlNEs4NTBoNEFmb2dEand3WkhFaEtYQjkyL3RRSWdjS0luQkVkWHFoWHBYeDJWRFVjZmxwOUMxdlFrQXUwZHRIczdadEYzd213PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTk1WRU5EUVdKTFowRjNTVUpCWjBsVVkwdDNURWxSTUVGdGVISlZTRlZtVkhKaWJDOW9aM05YZEdwQlMwSm5aM0ZvYTJwUFVGRlJSRUY2UVhFS1RWSlZkMFYzV1VSV1VWRkxSWGQ0ZW1GWFpIcGtSemw1V2xNMWExcFlXWGhGVkVGUVFtZE9Wa0pCVFZSRFNFNXdXak5PTUdJelNteE5RalJZUkZSSmVRcE5SRTEzVGtSQk5FMVVTVEJQVm05WVJGUkplVTFFVFhkT1JFRTBUV3BKTUU5R2IzZEJSRUphVFVKTlIwSjVjVWRUVFRRNVFXZEZSME5EY1VkVFRUUTVDa0YzUlVoQk1FbEJRa2huVDBsSmJGUkRMMUpQUW1kVFNtbG9VMkZxYlRoVGNrdGtSRmcyYXk5a2VXZzFVMHRoYTNCWlVUSkxUR0ZUZFd3eGRrSTFMeThLVEVkVk1pOUlTM0JtZFV4VWRqZ3ZUaXRCTTI1R1lrVmhTakp1YlRGaFpXcG5aVUYzWjJRd2QwUm5XVVJXVWpCUVFWRklMMEpCVVVSQloyVkJUVUpOUndwQk1WVmtTbEZSVFUxQmIwZERRM05IUVZGVlJrSjNUVVJOUVhkSFFURlZaRVYzUlVJdmQxRkRUVUZCZDBoUldVUldVakJQUWtKWlJVWkNZVE5XTTBOb0NrWkZZbk01V214SVowNTBhRlUwV1ZVeVlrUjBUVUk0UjBFeFZXUkpkMUZaVFVKaFFVWkdha0ZJYkN0U1VtRldiWEZZY2sxclMwZFVTWFJCY1hoaldEWUtUVVF3UjBFeFZXUkZVVVZDTDNkUmVrMUVSMEpNTW5Sc1pWZDRiR016VGtGalNFcDJZVzFXYW1SSVRuQmFNMDR3WWpOS2JFeHRiR2hpVXpWdVl6SldlUXBrYld4cVdsZEdhbGt5T1RGaWJsRjFXVEk1ZEUxRGEwZERhWE5IUVZGUlFtYzNPSGRCVVVWRlJ6Sm9NR1JJUW5wUGFUaDJXVmRPYW1JelZuVmtTRTExQ2xveU9YWmFNbmhzVEcxT2RtSlVRVXRDWjJkeGFHdHFUMUJSVVVSQmQwNXdRVVJDYlVGcVJVRnROV013UWtSYVdVOXpNMFByZGxRd01DdDFXbEJXZDJnS1RHNXdORXB5TWs0dmFXTnpPV0ZLWXk5UFNrb3ZRa1JIWTIwMVMzRnFTVkYzZDFVeVR6UnBaRUZxUlVFNU9FeHlXR3RhUlhoaE1UWlFSM2t6VGxOVlJBcEZkakZpVUhGNU5tbzBaRkZCUzBzM1dXOVlXRlpNY0hkbU16SjBaSE5aWW14aFFYQnlVakZ0Y2sxTGJ3b3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENnPT0ifX19fQ==","integratedTime":1646381571,"logIndex":1556936,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"GIT_HASH":"4b2c3c0c8ee97f31b9dac3859b40e0a48b8648ee","GIT_VERSION":"v1.6.0","Issuer":"https://accounts.google.com","Subject":"[email protected]"}}]
```

Contributor Author


Thanks for pointing out the current GHCR prefix. Changed it to ghcr.io/sigstore/cosign, to match the current behavior.

Is this what we want for the other repos as well, ghcr.io/sigstore/fulcio/fulcio and ghcr.io/sigstore/rekor/rekor?

Member


For fulcio we can keep ghcr.io/sigstore/fulcio, but for rekor we might do something similar to cosign, because we have both rekor-server and the CLI:

ghcr.io/sigstore/rekor/rekor-server
ghcr.io/sigstore/rekor/rekor-cli


.PHONY: copy-cosigned-signed-release-to-ghcr
copy-cosigned-signed-release-to-ghcr:
cosign copy $(KO_PREFIX)/cosigned:$(GIT_VERSION) $(GHCR_PREFIX)/cosigned:$(GIT_VERSION)

.PHONY: copy-sget-signed-release-to-ghcr
copy-sget-signed-release-to-ghcr:
cosign copy $(KO_PREFIX)/sget:$(GIT_VERSION) $(GHCR_PREFIX)/sget:$(GIT_VERSION)

.PHONY: copy-signed-release-to-ghcr
copy-signed-release-to-ghcr: copy-cosign-signed-release-to-ghcr copy-cosigned-signed-release-to-ghcr copy-sget-signed-release-to-ghcr
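Review bot: these targets tag with `$(GIT_VERSION)` while the new Cloud Build step exports only `GIT_TAG=${_GIT_TAG}` and `KO_PREFIX`, so the copy depends on `GIT_VERSION` being derived to exactly the released tag in the build checkout; if it comes from `git describe` on a detached tree it can differ, and `cosign copy` will then fail looking for a source tag that does not exist. Passing `GIT_VERSION=$(GIT_TAG)` explicitly, or keying these targets on `GIT_TAG` as the cloudbuild env does, removes that dependency. Worth a comment in the `copy image to GHCR` block as well: `cosign copy` copies the image together with its signatures, which is what makes the GHCR copy verifiable, but as the `cosign verify` output in the thread shows, the copied signature's claim still names `docker-reference: gcr.io/projectsigstore/cosign`, so anyone verifying the GHCR image and checking the identity in the payload should expect the GCR reference there, not the GHCR one.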