feat: add cosign signature via goreleaser

vdbulcke · Mar 4, 2023 · e45d149 · e45d149
1 parent eb9b418
commit e45d149
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 24 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -15,6 +15,7 @@ permissions:
   contents: write
   ## for ghcr.io registry 
   packages: write
+  id-token: write # needed for signing the images with GitHub OIDC Token
 
 env:
   REGISTRY: ghcr.io
@@ -29,17 +30,16 @@ jobs:
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.18
+          go-version-file: go.mod
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+
 
-      # - name: dockerhub-login
-      #   uses: docker/login-action@v1
-      #   with:
-      #     username: ${{ secrets.DOCKER_USERNAME }}
-      #     password: ${{ secrets.DOCKER_PASSWORD }}
       -
         name: Login to GitHub Container Registry
         uses: docker/login-action@v2
@@ -55,8 +55,11 @@ jobs:
           # either 'goreleaser' (default) or 'goreleaser-pro'
           distribution: goreleaser
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ## Cosign ENV Vars
+          COSIGN_EXPERIMENTAL: 1
+          COSIGN_YES: true
           # Your GoReleaser Pro key, if you are using the 'goreleaser-pro' distribution
           # GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -21,16 +21,27 @@ builds:
       # - 386
     ldflags:
       ## auto inject commit and version at build time
-      - -X github.com/vdbulcke/cert-monitor/cmd.GitCommit={{ .ShortCommit }} -X github.com/vdbulcke/cert-monitor/cmd.Version={{ .Version }}  -X github.com/vdbulcke/cert-monitor/cmd.Date={{ .CommitDate }} -X github.com/vdbulcke/cert-monitor/cmd.BuiltBy=goreleaser
+      - -X github.com/vdbulcke/cert-monitor/cmd.GitCommit={{ .ShortCommit }} 
+      - -X github.com/vdbulcke/cert-monitor/cmd.Version={{ .Version }} 
+      - -X github.com/vdbulcke/cert-monitor/cmd.Date={{ .CommitDate }} 
+      - -X github.com/vdbulcke/cert-monitor/cmd.BuiltBy=goreleaser
 archives:
   - 
-    replacements:
-      ## Rewrite Archive name 
-      darwin: Darwin
-      linux: Linux
-      windows: Windows
-      386: i386
-      amd64: x86_64
+    ## Deprecated "replacements"
+    # replacements:
+    #   ## Rewrite Archive name 
+    #   darwin: Darwin
+    #   linux: Linux
+    #   windows: Windows
+    #   386: i386
+    #   amd64: x86_64
+    name_template: >-
+      {{ .ProjectName }}_{{ .Version }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
     ## use zip for windows release
     format_overrides:
       - goos: windows
@@ -88,6 +99,34 @@ dockers:
     image_templates:
     - "ghcr.io/vdbulcke/cert-monitor:v{{ .Version }}"
 
+
+##
+## Cosign
+##
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    certificate: '${artifact}.pem'
+    output: true
+    args: 
+      - "sign-blob"
+      - "--oidc-issuer=https://token.actions.githubusercontent.com" 
+      - "--output-certificate=${artifact}.pem"
+      - "--output-signature=${artifact}.sig" 
+      - "${artifact}"
+    artifacts: all
+
+docker_signs:
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  artifacts: all
+  output: true
+  args:
+  - 'sign'
+  - "--oidc-issuer=https://token.actions.githubusercontent.com" 
+  - '${artifact}'
+
 release:
   ## set github header and footer
   header: |
@@ -98,6 +137,13 @@ release:
     docker pull ghcr.io/vdbulcke/cert-monitor:v{{ .Version }}
     ```
 
+    ### Validate Cosign Signature 
+
+
+    ```bash
+    cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com  --certificate-identity  "https://github.com/vdbulcke/cert-monitor/.github/workflows/release.yaml@refs/tags/v{{ .Version }}"  ghcr.io/vdbulcke/cert-monitor:v{{ .Version }}
+    ```
+
   # # Footer template for the release body.
   # # Defaults to empty.
   # footer: |

diff --git a/Makefile b/Makefile
@@ -9,26 +9,26 @@ test:
 	cd certmonitor/ && go test -run ''
 
 scan: 
-	go list -json -deps |  nancy sleuth	
+	trivy fs .
 
 
 build: 
-	goreleaser build --rm-dist
+	goreleaser build --clean
 
 
 build-snapshot: 
-	goreleaser build --rm-dist --snapshot --single-target
+	goreleaser build --clean --snapshot --single-target
 
 
 
 release-skip-publish: 
-	goreleaser release --rm-dist --skip-publish 
+	goreleaser release --clean --skip-publish  --skip-sign
 
 release-snapshot: 
-	goreleaser release --rm-dist --skip-publish --snapshot
+	goreleaser release --clean --skip-publish --snapshot --skip-sign
 
 gen-doc: 
-	goreleaser build --rm-dist --snapshot
+	goreleaser build --clean --snapshot
 	./dist/cert-monitor_linux_amd64/cert-monitor documentation --dir ./doc
 
 .PHONY: changelog