Skip to content

Commit

Permalink
sign binaries and images with sigstore cosign (#207)
Browse files Browse the repository at this point in the history
also generate sboms for archives and packages

Signed-off-by: cpanato <ctadeu@gmail.com>
  • Loading branch information
cpanato authored Feb 14, 2024
1 parent a4aba56 commit 5671ef8
Show file tree
Hide file tree
Showing 3 changed files with 79 additions and 5 deletions.
10 changes: 6 additions & 4 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,9 @@ jobs:
with:
fetch-depth: 0

- uses: sigstore/cosign-installer@v2
- uses: sigstore/cosign-installer@v3

- uses: anchore/sbom-action/download-syft@v0.14.3

- uses: docker/setup-qemu-action@v3
with:
Expand Down Expand Up @@ -73,7 +75,7 @@ jobs:
GOOS: ${{ matrix.GOOS }}
GOARCH: ${{ matrix.GOARCH }}
GITHUB_TOKEN: ${{ secrets.GH_PAT }}
COSIGN_EXPERIMENTAL: true
COSIGN_YES: true
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

- uses: actions/upload-artifact@v3
Expand All @@ -96,7 +98,7 @@ jobs:
with:
fetch-depth: 0

- uses: sigstore/cosign-installer@v2
- uses: sigstore/cosign-installer@v3

- uses: anchore/sbom-action/download-syft@v0.15.8

Expand Down Expand Up @@ -134,5 +136,5 @@ jobs:
args: continue --merge --timeout 2h
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_EXPERIMENTAL: true
COSIGN_YES: true
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
25 changes: 25 additions & 0 deletions .goreleaser.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
partial:
by: target
project_name: opentelemetry-collector-releases
env:
- COSIGN_YES=true
builds:
- id: otelcol
goos:
Expand Down Expand Up @@ -430,3 +432,26 @@ docker_manifests:
- ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-arm64
- ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-ppc64le
- ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-s390x

signs:
- cmd: cosign
args:
- sign-blob
- --output-signature
- ${artifact}.sig
- --output-certificate
- ${artifact}.pem
- ${artifact}
signature: ${artifact}.sig
artifacts: all
certificate: ${artifact}.pem
docker_signs:
- args:
- sign
- ${artifact}
artifacts: all
sboms:
- id: archive
artifacts: archive
- id: package
artifacts: package
49 changes: 48 additions & 1 deletion cmd/goreleaser/internal/configure.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,12 +42,15 @@ func Generate(imagePrefixes []string, dists []string) config.Project {
Checksum: config.Checksum{
NameTemplate: "{{ .ProjectName }}_checksums.txt",
},

Env: []string{"COSIGN_YES=true"},
Builds: Builds(dists),
Archives: Archives(dists),
NFPMs: Packages(dists),
Dockers: DockerImages(imagePrefixes, dists),
DockerManifests: DockerManifests(imagePrefixes, dists),
Signs: Sign(),
DockerSigns: DockerSigns(),
SBOMs: SBOM(),
}
}

Expand Down Expand Up @@ -254,3 +257,47 @@ func archName(arch, armVersion string) string {
return arch
}
}

func Sign() []config.Sign {
return []config.Sign{
{
Artifacts: "all",
Signature: "${artifact}.sig",
Certificate: "${artifact}.pem",
Cmd: "cosign",
Args: []string{
"sign-blob",
"--output-signature",
"${artifact}.sig",
"--output-certificate",
"${artifact}.pem",
"${artifact}",
},
},
}
}

func DockerSigns() []config.Sign {
return []config.Sign{
{
Artifacts: "all",
Args: []string{
"sign",
"${artifact}",
},
},
}
}

func SBOM() []config.SBOM {
return []config.SBOM{
{
ID: "archive",
Artifacts: "archive",
},
{
ID: "package",
Artifacts: "package",
},
}
}

0 comments on commit 5671ef8

Please sign in to comment.