release: use cosign sign-blob in non-interative mode (#2953)

Malte Poll 2024-02-29 09:40:13 +01:00 committed by GitHub
parent 0b6eeb3747
commit 93eb8f0694
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 4 additions and 4 deletions


@ -104,7 +104,7 @@ runs:
run: | run: |
echo "$COSIGN_PUBLIC_KEY" > cosign.pub echo "$COSIGN_PUBLIC_KEY" > cosign.pub
# Enabling experimental mode also publishes signature to Rekor # Enabling experimental mode also publishes signature to Rekor
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY "${OUTPUT_PATH}" > "${OUTPUT_PATH}.sig" COSIGN_EXPERIMENTAL=1 cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY "${OUTPUT_PATH}" > "${OUTPUT_PATH}.sig"
# Verify - As documentation & check # Verify - As documentation & check
# Local Signature (input: artifact, key, signature) # Local Signature (input: artifact, key, signature)
cosign verify-blob --key cosign.pub --signature "${OUTPUT_PATH}.sig" "${OUTPUT_PATH}" cosign verify-blob --key cosign.pub --signature "${OUTPUT_PATH}.sig" "${OUTPUT_PATH}"
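Review bot: The comment above the sign-blob call still attributes the Rekor upload to COSIGN_EXPERIMENTAL=1, but the added `--yes` is what now consents, without a prompt, to publishing the signature and the public key in the public transparency log; recent cosign releases upload to the tlog by default regardless of that variable, so the comment is likely stale (the exact behavior depends on the cosign version pinned outside this hunk). Suggest replacing it with `# --yes acknowledges the non-interactive upload of the signature to the public Rekor transparency log`. The same applies to the sign-blob line in the "Build signed SBOM" step of the workflow section below, which carries no comment at all. If the transparency-log entry is part of the release guarantee, the verify-blob on the last line only checks the local key signature in older cosign versions; writing the bundle with `--bundle "${OUTPUT_PATH}.bundle"` on the sign step and passing the same `--bundle` to verify-blob makes that check self-contained.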


@ -287,7 +287,7 @@ jobs:
- name: Build signed SBOM - name: Build signed SBOM
run: | run: |
syft build/constellation-linux-amd64 --catalogers go-module --file constellation.spdx.sbom -o spdx-json syft build/constellation-linux-amd64 --catalogers go-module --file constellation.spdx.sbom -o spdx-json
cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
grype constellation.spdx.sbom --fail-on high --only-fixed --add-cpes-if-none grype constellation.spdx.sbom --fail-on high --only-fixed --add-cpes-if-none
env: env:
COSIGN_EXPERIMENTAL: 1 COSIGN_EXPERIMENTAL: 1


@ -69,7 +69,7 @@ This keypair could also be backed-up onto USB stick / SD card.
# COSIGN_PRIVATE_KEY= # COSIGN_PRIVATE_KEY=
# COSIGN_PUBLIC_KEY= # COSIGN_PUBLIC_KEY=
go build constellation go build constellation
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation > constellation.sig COSIGN_EXPERIMENTAL=1 cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY constellation > constellation.sig
# We provide: cosign.pub, constellation.sig, constellation # We provide: cosign.pub, constellation.sig, constellation
echo "$COSIGN_PUBLIC_KEY" > cosign.pub echo "$COSIGN_PUBLIC_KEY" > cosign.pub
cosign verify-blob --key cosign.pub --signature constellation.sig constellation cosign verify-blob --key cosign.pub --signature constellation.sig constellation
@ -130,7 +130,7 @@ measurements:
# Set these beforehand! # Set these beforehand!
# COSIGN_PASSWORD= # COSIGN_PASSWORD=
# COSIGN_PRIVATE_KEY= # COSIGN_PRIVATE_KEY=
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key cosign.key measurements.yaml > measurements.yaml.sig COSIGN_EXPERIMENTAL=1 cosign sign-blob --yes --key cosign.key measurements.yaml > measurements.yaml.sig
``` ```
```mermaid ```mermaid