From 5671ef87c52b6fdbf1bca7aee3c553b989310ec3 Mon Sep 17 00:00:00 2001
From: Carlos Tadeu Panato Junior
Date: Wed, 14 Feb 2024 21:19:50 +0100
Subject: [PATCH] sign binaries and images with sigstore cosign (#207)
also generate sboms for archives and packages
Signed-off-by: cpanato
---
 .github/workflows/release.yaml | 10 +++---
 .goreleaser.yaml | 25 ++++++++++++++
 cmd/goreleaser/internal/configure.go | 49 +++++++++++++++++++++++++++-
 3 files changed, 79 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 34e230a9..40bae7a6 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -30,7 +30,9 @@ jobs:
 with:
 fetch-depth: 0
- - uses: sigstore/cosign-installer@v2
+ - uses: sigstore/cosign-installer@v3
+
+ - uses: anchore/sbom-action/download-syft@v0.14.3
 - uses: docker/setup-qemu-action@v3
 with:
@@ -73,7 +75,7 @@ jobs:
 GOOS: ${{ matrix.GOOS }}
 GOARCH: ${{ matrix.GOARCH }}
 GITHUB_TOKEN: ${{ secrets.GH_PAT }}
- COSIGN_EXPERIMENTAL: true
+ COSIGN_YES: true
 GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
 - uses: actions/upload-artifact@v3
@@ -96,7 +98,7 @@ jobs:
 with:
 fetch-depth: 0
- - uses: sigstore/cosign-installer@v2
+ - uses: sigstore/cosign-installer@v3
 - uses: anchore/sbom-action/download-syft@v0.15.8
@@ -134,5 +136,5 @@ jobs:
 args: continue --merge --timeout 2h
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- COSIGN_EXPERIMENTAL: true
+ COSIGN_YES: true
 GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 8aa83f68..e87f6756 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,6 +1,8 @@
 partial:
 by: target
 project_name: opentelemetry-collector-releases
+env:
+ - COSIGN_YES=true
 builds:
 - id: otelcol
 goos:
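Review bot: The new `sigstore/cosign-installer@v3` and `anchore/sbom-action/download-syft@v0.14.3` steps in the first release.yaml hunk are referenced by mutable tags, so the tools that produce this project's release signatures and SBOMs can change underneath the workflow without a review; pin both to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: sigstore/cosign-installer@<commit-sha> # v3`. The `@v3` bump in the third hunk of this file (`@@ -96,7 +98,7 @@`) has the same issue. The two jobs also install different syft versions (`download-syft@v0.14.3` here, `@v0.15.8` in the third hunk), which can make SBOM output differ between jobs; align them unless the difference is intentional.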
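Review bot: `COSIGN_YES: true` in the second release.yaml hunk (`@@ -73,7 +75,7 @@`) makes cosign v2 keyless signing non-interactive, which means the job's OIDC identity token is used and the transparency-log upload prompt is auto-accepted; the hunk does not show the job's `permissions`, so if it does not already grant `id-token: write` the `sign-blob` step will fail at release time rather than in CI. A one-line comment next to the variable would help the next maintainer, such as `# cosign v2: auto-accept keyless signing and Rekor upload`, and the same applies to the `COSIGN_YES` change in the last hunk of this file. The enclosing job definition starts outside the hunk.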
@@ -430,3 +432,26 @@ docker_manifests:
 - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-arm64
 - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-ppc64le
 - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-s390x
+
+signs:
+ - cmd: cosign
+ args:
+ - sign-blob
+ - --output-signature
+ - ${artifact}.sig
+ - --output-certificate
+ - ${artifact}.pem
+ - ${artifact}
+ signature: ${artifact}.sig
+ artifacts: all
+ certificate: ${artifact}.pem
+docker_signs:
+ - args:
+ - sign
+ - ${artifact}
+ artifacts: all
+sboms:
+ - id: archive
+ artifacts: archive
+ - id: package
+ artifacts: package
diff --git a/cmd/goreleaser/internal/configure.go b/cmd/goreleaser/internal/configure.go
index aa6792bb..a81de8fd 100644
--- a/cmd/goreleaser/internal/configure.go
+++ b/cmd/goreleaser/internal/configure.go
@@ -42,12 +42,15 @@ func Generate(imagePrefixes []string, dists []string) config.Project {
 Checksum: config.Checksum{
 NameTemplate: "{{ .ProjectName }}_checksums.txt",
 },
-
+ Env: []string{"COSIGN_YES=true"},
 Builds: Builds(dists),
 Archives: Archives(dists),
 NFPMs: Packages(dists),
 Dockers: DockerImages(imagePrefixes, dists),
 DockerManifests: DockerManifests(imagePrefixes, dists),
+ Signs: Sign(),
+ DockerSigns: DockerSigns(),
+ SBOMs: SBOM(),
 }
 }
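Review bot: The new `docker_signs` stanza runs `cosign sign ${artifact}`, where `${artifact}` is the image name and tag, so the signature is bound to whatever digest that tag resolves to at signing time rather than to the image GoReleaser just pushed; if the GoReleaser version in use exposes `${digest}` for `docker_signs`, signing `${artifact}@${digest}` closes that window, and cosign v2 otherwise warns about tag references. `DockerSigns()` in `cmd/goreleaser/internal/configure.go`, which appears to generate this file, carries the same argument list and should change together with it. Consumers of the keyless `sign-blob` signatures also need the expected certificate identity and OIDC issuer to verify them; nothing in this commit records those values, so a README entry with the `cosign verify-blob` invocation would be useful.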
@@ -254,3 +257,47 @@ func archName(arch, armVersion string) string {
 return arch
 }
 }
+
+func Sign() []config.Sign {
+ return []config.Sign{
+ {
+ Artifacts: "all",
+ Signature: "${artifact}.sig",
+ Certificate: "${artifact}.pem",
+ Cmd: "cosign",
+ Args: []string{
+ "sign-blob",
+ "--output-signature",
+ "${artifact}.sig",
+ "--output-certificate",
+ "${artifact}.pem",
+ "${artifact}",
+ },
+ },
+ }
+}
+
+func DockerSigns() []config.Sign {
+ return []config.Sign{
+ {
+ Artifacts: "all",
+ Args: []string{
+ "sign",
+ "${artifact}",
+ },
+ },
+ }
+}
+
+func SBOM() []config.SBOM {
+ return []config.SBOM{
+ {
+ ID: "archive",
+ Artifacts: "archive",
+ },
+ {
+ ID: "package",
+ Artifacts: "package",
+ },
+ }
+}
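Review bot: `Sign`, `DockerSigns` and `SBOM` are exported but carry no doc comments, and their names mix singular and plural for the same kind of helper; add comments that start with the name, e.g. `// Sign returns the cosign keyless sign-blob configuration applied to every release artifact.`, `// DockerSigns returns the cosign configuration used to sign pushed images and manifests.` and `// SBOM returns the SBOM configuration for archives and packages.`. `DockerSigns` also omits `Cmd` and relies on GoReleaser's default signing command, whereas `Sign` sets `Cmd: "cosign"` explicitly; setting it in both keeps the generated config self-describing and the two helpers consistent.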