sbom signing (#303)

Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2024-10-01 01:36:09 -04:00 · 2022-10-21 15:19:51 +02:00 · 2022-10-21 15:19:51 +02:00 · 18ae86c38e
commit 18ae86c38e
parent c1b4193791
15 changed files with 237 additions and 11 deletions
--- a/.github/actions/build_micro_service/action.yml
+++ b/.github/actions/build_micro_service/action.yml
@ -17,6 +17,15 @@ inputs:
  githubToken:
    description: "GitHub authorization token"
    required: true
  cosignPublicKey:
    description: "Cosign public key"
    required: false
  cosignPrivateKey:
    description: "Cosign private key"
    required: false
  cosignPassword:
    description: "Password for Cosign private key"
    required: false
 # Linux runner only (Docker required)
 runs:
@ -56,3 +65,12 @@ runs:
        tags: ${{ steps.meta.outputs.tags }}
        build-args: |
          PROJECT_VERSION=${{ inputs.projectVersion }}
    - name: Generate SBOM
      uses: ./.github/actions/container_sbom
      with:
        containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}@${{ steps.build-micro-service.outputs.digest }}
        cosignPublicKey: ${{ inputs.cosignPublicKey }}
        cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
        cosignPassword: ${{ inputs.cosignPassword }}
      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
--- a/.github/actions/build_operator/action.yml
+++ b/.github/actions/build_operator/action.yml
@ -13,6 +13,15 @@ inputs:
  githubToken:
    description: "GitHub authorization token"
    required: true
  cosignPublicKey:
    description: "Cosign public key"
    required: false
  cosignPrivateKey:
    description: "Cosign private key"
    required: false
  cosignPassword:
    description: "Password for Cosign private key"
    required: false
 # Linux runner only (Docker required)
 runs:
@ -48,6 +57,7 @@ runs:
          type=ref,event=branch
    - name: Build and push container image
      id: build-image
      uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # tag=v3.2.0
      with:
        context: ${{ inputs.sourceDir }}
@ -55,6 +65,15 @@ runs:
        push: true
        tags: ${{ steps.meta.outputs.tags }}
    - name: Generate SBOM
      uses: ./.github/actions/container_sbom
      with:
        containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}@${{ steps.build-image.outputs.digest }}
        cosignPublicKey: ${{ inputs.cosignPublicKey }}
        cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
        cosignPassword: ${{ inputs.cosignPassword }}
      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
    - name: Bundle for pseudo version
      if: ${{ steps.pseudo-version.outputs.pseudoVersion != '' && inputs.pushTag == '' }}
      shell: bash
@ -84,6 +103,7 @@ runs:
          type=ref,event=branch
    - name: Build and push bundle image
      id: build-image-bundle
      uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # tag=v3.2.0
      with:
        context: ${{ inputs.sourceDir }}
@ -91,6 +111,16 @@ runs:
        push: true
        tags: ${{ steps.bundle-meta.outputs.tags }}
    - name: Generate Bundle SBOM
      uses: ./.github/actions/container_sbom
      with:
        containerReference: ghcr.io/${{ github.repository }}/${{ inputs.name }}-bundle@${{ steps.build-image-bundle.outputs.digest }}
        cosignPublicKey: ${{ inputs.cosignPublicKey }}
        cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
        cosignPassword: ${{ inputs.cosignPassword }}
      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
    - name: Build and push catalog for pseudo versions
      if: ${{ steps.pseudo-version.outputs.pseudoVersion != '' && inputs.pushTag == '' }}
      shell: bash
--- a/.github/actions/container_sbom/action.yml
+++ b/.github/actions/container_sbom/action.yml
@ -0,0 +1,51 @@
 name: Container SBOM
 description: Create, vuln-check, sign and upload SBOMs for container images.
 inputs:
  containerReference:
    description: "Full reference to container image, e.g., ghcr.io/org/repo/img:tag"
    required: true
  cosignPublicKey:
    description: "Cosign public key"
    required: true
  cosignPrivateKey:
    description: "Cosign private key"
    required: true
  cosignPassword:
    description: "Password for Cosign private key"
    required: true
 runs:
  using: "composite"
  steps:
    - name: Install Cosign
      uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # tag=v2.8.0
      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
    - name: Download syft & grype
      run: |
        SYFT_VERSION=0.59.0
        GRYPE_VERSION=0.51.0
        curl -LO https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
        tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
        ./syft version
        curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
        tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
        ./grype version
        echo $(pwd) >> $GITHUB_PATH
      shell: bash
    - name: Generate SBOM
      run: |
        set -ex
        echo "$COSIGN_PRIVATE_KEY" > cosign.key
        syft attest --key cosign.key ${{ inputs.containerReference }} -o cyclonedx-json > container-image.att.json
        cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json
        # TODO: type should be auto-discovered after issue is resolved:
        # https://github.com/sigstore/cosign/issues/2264
        cosign verify-attestation ${{ inputs.containerReference }} --type 'https://cyclonedx.org/bom' --key env://COSIGN_PUBLIC_KEY
        grype ${{ inputs.containerReference }} --fail-on high --only-fixed
      shell: bash
      env:
        # COSIGN_EXPERIMENTAL: 1 # This breaks verification with HTTP 404
        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
--- a/.github/workflows/build-access-manager-image.yml
+++ b/.github/workflows/build-access-manager-image.yml
@ -37,3 +37,6 @@ jobs:
          projectVersion: "0.0.0"
          dockerfile: access_manager/Dockerfile
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
--- a/.github/workflows/build-constellation-node-operator.yml
+++ b/.github/workflows/build-constellation-node-operator.yml
@ -31,3 +31,6 @@ jobs:
          name: node-operator
          sourceDir: operators/constellation-node-operator
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
--- a/.github/workflows/build-joinservice-image.yml
+++ b/.github/workflows/build-joinservice-image.yml
@ -39,3 +39,6 @@ jobs:
          projectVersion: "0.0.0"
          dockerfile: joinservice/Dockerfile
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
--- a/.github/workflows/build-kms-image.yml
+++ b/.github/workflows/build-kms-image.yml
@ -38,3 +38,6 @@ jobs:
          projectVersion: "0.0.0"
          dockerfile: kms/Dockerfile
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
--- a/.github/workflows/build-micro-service-manual.yml
+++ b/.github/workflows/build-micro-service-manual.yml
@ -62,3 +62,6 @@ jobs:
          dockerfile: ${{ env.microServiceDockerfile }}
          pushTag: ${{ inputs.imageTag }}
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
--- a/.github/workflows/build-operator-manual.yml
+++ b/.github/workflows/build-operator-manual.yml
@ -5,6 +5,7 @@ on:
    inputs:
      imageTag:
        description: "Container image tag."
        required: false
 jobs:
  build-operator-manual:
@ -29,3 +30,6 @@ jobs:
          sourceDir: operators/constellation-node-operator
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          pushTag: ${{ inputs.imageTag }}
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
--- a/.github/workflows/build-verification-service.yml
+++ b/.github/workflows/build-verification-service.yml
@ -35,3 +35,6 @@ jobs:
          projectVersion: "0.0.0"
          dockerfile: verify/Dockerfile
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
--- a/.github/workflows/release-cli.yml
+++ b/.github/workflows/release-cli.yml
@ -71,20 +71,29 @@ jobs:
          AZURE_SUBSCRIPTION_ID=0d202bbb-4fa7-4af8-8125-58c269a05435 go run . > versions-manifest.json
          cat versions-manifest.json
-      - name: Build SBOMs
+      - name: Download syft & grype
        run: |
-          SYFT_VERSION=0.55.0
+          SYFT_VERSION=0.59.0
          GRYPE_VERSION=0.50.2
          curl -LO https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
          tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
          ./syft version
-          ./syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json
+          curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
-          CONTAINER_VERSION=${GITHUB_REF##*/}
+          tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
-          ./syft ghcr.io/edgelesssys/constellation/verification-service:${CONTAINER_VERSION} --file verification-service.spdx.sbom -o spdx-json
+          ./grype version
-          ./syft ghcr.io/edgelesssys/constellation/access-manager:${CONTAINER_VERSION} --file access-manager.spdx.sbom -o spdx-json
+          echo $(pwd) >> $GITHUB_PATH
-          ./syft ghcr.io/edgelesssys/constellation/join-service:${CONTAINER_VERSION} --file join-service.spdx.sbom -o spdx-json
+        shell: bash
-          ./syft ghcr.io/edgelesssys/constellation/kmsserver:${CONTAINER_VERSION} --file kmsserver.spdx.sbom -o spdx-json
+
-          ./syft ghcr.io/edgelesssys/constellation/node-operator:${CONTAINER_VERSION} --file node-operator.spdx.sbom -o spdx-json
+      - name: Build signed SBOMs
-        if: startsWith(github.ref, 'refs/tags/v')
+        run: |
          syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json
          cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
          grype constellation.spdx.sbom --fail-on high --only-fixed
        env:
          COSIGN_EXPERIMENTAL: 1
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
      - name: Create release with artifacts
        # GitHub endorsed release project. See: https://github.com/actions/create-release
@ -96,4 +105,5 @@ jobs:
            build/constellation-*
            build/cosign.pub
            hack/build-manifest/versions-manifest.json
-            *.spdx.sbom
+            constellation.spdx.sbom
            constellation.spdx.sbom.sig
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -21,6 +21,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added
 - Sign generated SBOMs and store container image SBOMs in registry for easier usage.
 ### Changed
 <!-- For changes in existing functionality.  -->
--- a/docs/docs/workflows/sbom.md
+++ b/docs/docs/workflows/sbom.md
@ -0,0 +1,87 @@
 # Consume software bill of materials (SBOMs)
 Constellation builds produce a [software bill of materials (SBOM)](https://www.ntia.gov/SBOM) for each generated [artifact](../architecture/components.md).
 You can use SBOMs to make informed decisions about dependencies and vulnerabilities in a given application. Enterprises rely on SBOMs to maintain an inventory of used applications, which allows them to take data-driven approaches to managing risks related to vulnerabilities.
 SBOMs for Constellation are generated using [Syft](https://github.com/anchore/syft), signed using [Cosign](https://github.com/sigstore/cosign), and stored with the produced artifact.
 :::note
 The public key for Edgeless Systems' long-term code-signing key is:
 ```
 -----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT
 JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==
 -----END PUBLIC KEY-----
 ```
 The public key is also available for download at https://edgeless.systems/es.pub and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems).
 Make sure the key is available in a file named `cosign.pub` to execute the following examples.
 :::
 ## Verify and download SBOMs
 The following sections detail how to work with each type of artifact to verify and extract the SBOM.
 ### Constellation CLI
 The SBOM for Constellation CLI is made available on the [GitHub release page](https://github.com/edgelesssys/constellation/releases). The SBOM (`constellation.spdx.sbom`) and corresponding signature (`constellation.spdx.sbom.sig`) are valid for each Constellation CLI for a given version, regardless of architecture and operating system.
 ```bash
 curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom
 curl -LO https://github.com/edgelesssys/constellation/releases/download/v2.2.0/constellation.spdx.sbom.sig
 cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig constellation.spdx.sbom
 ```
 ### Container Images
 SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/cosign/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
 As a consumer, use cosign to download and verify the SBOM:
 ```bash
 # Verify and download the attestation statement
 cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.att.json
 # Extract SBOM from attestation statement
 jq -r .payload verification-service.att.json | base64 -d > verification-service.cyclonedx.sbom
 ```
 A successful verification should result in similar output:
 ```shell-session
 $ cosign verify-attestation ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --type 'https://cyclonedx.org/bom' --key cosign.pub --output-file verification-service.sbom
 Verification for ghcr.io/edgelesssys/constellation/verification-service@v2.2.0 --
 The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
 $ jq -r .payload verification-service.sbom | base64 -d > verification-service.cyclonedx.sbom
 ```
 :::note
 This example considers only the `verification-service`. The same approach works for all containers in the [Constellation container registry](https://github.com/orgs/edgelesssys/packages?repo_name=constellation).
 :::
 <!--
 TODO: Once mkosi is implemented
 ## Operating System
 -->
 ## Vulnerability scanning
 You can use a plethora of tools to consume SBOMs. This section provides suggestions for tools that are popular and known to produce reliable results, but any tool that consumes [SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) files should work.
 Syft is able to [convert between the two formats](https://github.com/anchore/syft#format-conversion-experimental) in case you require a specific type.
 ### Grype
 [Grype](https://github.com/anchore/grype) is a CLI tool that lends itself well for integration into CI/CD systems or local developer machines. It's also able to consume the signed attestation statement directly and does the verification in one go.
 ```bash
 grype att:verification-service.sbom --key cosign.pub --add-cpes-if-none -q
 ```
 ### Dependency Track
 [Dependency Track](https://dependencytrack.org/) is one of the oldest and most mature solutions when it comes to managing software inventory and vulnerabilities. Once imported, it continuously scans SBOMs for new vulnerabilities. It supports the CycloneDX format and provides direct guidance on how to comply with [U.S. Executive Order 14028](https://docs.dependencytrack.org/usage/executive-order-14028/).
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@ -168,6 +168,11 @@ const sidebars = {
          label: 'Use Azure trusted launch VMs',
          id: 'workflows/trusted-launch',
        },
        {
          type: 'doc',
          label: 'Consume SBOMs',
          id: 'workflows/sbom',
        },
        {
          type: 'doc',
          label: 'Troubleshooting',
--- a/docs/styles/Vocab/constellation/accept.txt
+++ b/docs/styles/Vocab/constellation/accept.txt
@ -18,6 +18,7 @@ Filestore
 Fulcio
 Mbps
 Gbps
 Grype
 iam
 IAM
 initramfs
@ -36,6 +37,7 @@ Rekor
 resizable
 rollout
 sigstore
 Syft
 systemd
 [Uu]nencrypted
 unspoofable