From 8383077a9bacf3fae938920e64492def774e96a6 Mon Sep 17 00:00:00 2001
From: Fabian Kammel
Date: Mon, 4 Jul 2022 12:16:11 +0200
Subject: [PATCH] Sign CLI & create release on v* tag (#241)

* Sign CLI & create release on v* tag

* Extended description to mention new feature in this action

Co-authored-by: Fabian Kammel
---
 .github/actions/build_cli/action.yml | 68 +++++++++++++++++++++++++---
 .github/workflows/build-cli.yml | 4 ++
 2 files changed, 66 insertions(+), 6 deletions(-)

diff --git a/.github/actions/build_cli/action.yml b/.github/actions/build_cli/action.yml
index 98f9164ff..32769e0bf 100644
--- a/.github/actions/build_cli/action.yml
+++ b/.github/actions/build_cli/action.yml
@@ -1,5 +1,17 @@
 name: build
-description: "Runs cmake & default make target in build folder."
+description: |
+  Runs cmake & default make target in build folder. Additionally, Sigstore tools
+  are used to sign CLI and publish a release when run on v* tag.
+inputs:
+  cosign-public-key:
+    description: 'Cosign public key'
+    required: true
+  cosign-private-key:
+    description: 'Cosign private key'
+    required: true
+  cosign-password:
+    description: 'Password for Cosign private key'
+    required: true
 runs:
   using: "composite"
   steps:
@@ -10,6 +22,17 @@ runs:
           build-essential cmake \
           -y
       shell: bash
+
+    # TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
+    # once it has the functionality
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@main
+    - name: Install Rekor
+      run: |
+        curl -LO https://github.com/sigstore/rekor/releases/download/v0.9.0/rekor-cli-linux-amd64
+        sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
+      shell: bash
+
     # https://github.blog/2022-04-12-git-security-vulnerability-announced/
     - name: Mark repository safe
       run: |
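Review bot: `cosign-public-key` is declared as a required input next to the private key and password, but a public key is not confidential, and sourcing it from the secret store means nobody can review which key releases are actually signed with; the same diff later writes this input to `cosign.pub` and ships it in the release, so whoever controls the secrets can swap key and signature together without any visible change in the repository. Commit the public key to the repository and have the action read that file, keeping only `cosign-private-key` and `cosign-password` as inputs. The description should also not claim more than the steps do: nothing in the signing step is conditional on the ref, so `Sigstore tools are used to sign the CLI on every run; a release is published only when run on a v* tag.` is the accurate wording.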
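Review bot: `uses: sigstore/cosign-installer@main` pulls an unpinned, mutable ref for the tool that handles the signing key a few steps later, and `rekor-cli` is fetched with `curl -LO` and installed with `sudo` without any checksum or signature check; either gives a compromised or hijacked upstream a direct path to `COSIGN_PRIVATE_KEY`. Pin the installer to a full commit SHA with the version in a trailing comment (`uses: sigstore/cosign-installer@<sha>  # vX.Y.Z`) and verify the binary against a digest pinned in this file before installing it, e.g. `echo "<sha256>  rekor-cli-linux-amd64" | sha256sum -c` between the `curl` and `sudo install` lines. Verifying the download with cosign itself is also an option once cosign is installed, but a pinned digest is the simplest check that does not depend on the very tool chain being bootstrapped.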
@@ -20,6 +43,14 @@ runs:
       uses: actions/setup-go@v3
       with:
         go-version: "1.18"
+    - name: Build hack/pcr-reader
+      run: |
+        go build .
+        echo "$(pwd)" >> $GITHUB_PATH
+        export PATH="$PATH:$(pwd)"
+      working-directory: hack/pcr-reader
+      shell: bash
+
     - name: Build CLI
       run: |
         mkdir build
@@ -29,10 +60,35 @@ runs:
         echo "$(pwd)" >> $GITHUB_PATH
         export PATH="$PATH:$(pwd)"
       shell: bash
-    - name: Build hack/pcr-reader
+
+    - name: Sign CLI
       run: |
-        cd hack/pcr-reader/
-        go build .
-        echo "$(pwd)" >> $GITHUB_PATH
-        export PATH="$PATH:$(pwd)"
+        set -e
+        set -o pipefail
+        echo "$COSIGN_PUBLIC_KEY" > cosign.pub
+        # Enabling experimental mode also publishes signature to Rekor
+        COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation > constellation.sig
+        # Verify - As documentation & check
+        # Local Signature (input: artifact, key, signature)
+        cosign verify-blob --key cosign.pub --signature constellation.sig constellation
+        # Transparency Log Signature (input: artifact, key)
+        uuid=$(rekor-cli search --artifact constellation | tail -n 1)
+        sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
+        cosign verify-blob --key cosign.pub --signature <(echo $sig) constellation
       shell: bash
+      working-directory: build
+      env:
+        COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }}
+        COSIGN_PRIVATE_KEY: ${{ inputs.cosign-private-key }}
+        COSIGN_PASSWORD: ${{ inputs.cosign-password }}
+
+    - name: Release CLI
+      # GitHub endorsed release project. See: https://github.com/actions/create-release
+      uses: softprops/action-gh-release@v1
+      if: startsWith(github.ref, 'refs/tags/v')
+      with:
+        draft: true
+        files: |
+          constellation
+          constellation.sig
+          cosign.pub
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index df4105071..dc34ff9f3 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
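Review bot: The `Sign CLI` step has no `if:` guard, so `COSIGN_PRIVATE_KEY` and `COSIGN_PASSWORD` are placed in the process environment of every run of this action, while only `Release CLI` is gated on `startsWith(github.ref, 'refs/tags/v')`; a long-lived signing key should be loaded only when a release is actually produced. Add the same condition to the signing step (`if: startsWith(github.ref, 'refs/tags/v')` next to its `shell: bash`), or move to keyless signing with the workflow's OIDC identity so no stored key is needed at all. Two smaller points in the script: `set -e` and `set -o pipefail` are redundant because an explicit `shell: bash` already runs `bash -eo pipefail`, and `rekor-cli search --artifact constellation | tail -n 1` verifies whichever matching entry the log lists last rather than the entry this run created — cosign reports the created tlog index on stderr in experimental mode, if I recall correctly, and that would be the precise handle to pass to `rekor-cli get`.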
@@ -23,3 +23,7 @@ jobs:
     - name: Build cli
       uses: ./.github/actions/build_cli
+      with:
+        cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }}
+        cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        cosign-password: ${{ secrets.COSIGN_PASSWORD }}
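Review bot: The signing key is now handed to the build action on every invocation of this workflow, and the trigger that decides which events reach it is outside the hunk; if the workflow also runs on `pull_request`, `secrets.*` resolve to empty strings for fork PRs and the run fails inside `cosign sign-blob` with an opaque error, since `required: true` on composite-action inputs is, as far as I know, not enforced by the runner. Consider binding the three secrets to a protected environment (`environment: release` on the job, limited to `v*` tags) so they are simply unavailable to non-release runs, and source the public key from a committed file rather than `secrets.COSIGN_PUBLIC_KEY` so the trust anchor is reviewable.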