-
Notifications
You must be signed in to change notification settings - Fork 54
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This works by getting the artifacts from the repo and checking their signatures. If those fail, it will try to resign the artifacts automatically and push those signatures. Signed-off-by: Itxaka <igarcia@suse.com>
- Loading branch information
Itxaka
committed
Dec 22, 2021
1 parent
24764f2
commit 2833d6e
Showing
2 changed files
with
167 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,95 @@ | ||
package main | ||
|
||
import ( | ||
"fmt" | ||
"github.com/mudler/luet/pkg/api/client" | ||
"github.com/mudler/luet/pkg/api/core/types" | ||
"github.com/mudler/luet/pkg/installer" | ||
"io/ioutil" | ||
"os" | ||
"os/exec" | ||
) | ||
|
||
func getRepositoryPackages(repo string, ctx *types.Context) (searchResult client.SearchResult) { | ||
tmpdir, err := ioutil.TempDir(os.TempDir(), "ci") | ||
if err != nil { | ||
panic(err) | ||
} | ||
defer os.RemoveAll(tmpdir) | ||
referenceID := os.Getenv("REFERENCEID") | ||
if referenceID == "" { | ||
referenceID = "repository.yaml" | ||
} | ||
d := installer.NewSystemRepository(types.LuetRepository{ | ||
Name: "cOS", | ||
Type: "docker", | ||
Cached: true, | ||
Urls: []string{repo}, | ||
ReferenceID: referenceID, | ||
}) | ||
ctx.Config.GetSystem().Rootfs = "/" | ||
ctx.Config.GetSystem().TmpDirBase = tmpdir | ||
re, err := d.Sync(ctx, false) | ||
if err != nil { | ||
panic(err) | ||
} else { | ||
for _, p := range re.GetTree().GetDatabase().World() { | ||
searchResult.Packages = append(searchResult.Packages, client.Package{ | ||
Name: p.GetName(), | ||
Category: p.GetCategory(), | ||
Version: p.GetVersion(), | ||
}) | ||
} | ||
return | ||
} | ||
} | ||
|
||
func main() { | ||
// We want to be cool and keep the same format as luet, so we create the context here to pass around and use the logging functions | ||
ctx := types.NewContext() | ||
finalRepo := os.Getenv("FINAL_REPO") | ||
if finalRepo == "" { | ||
ctx.Error("A container repository must be specified with FINAL_REPO") | ||
os.Exit(1) | ||
} | ||
cosignRepo := os.Getenv("COSIGN_REPOSITORY") | ||
if cosignRepo == "" { | ||
ctx.Error("A signature repository must be specified with COSIGN_REPOSITORY") | ||
os.Exit(1) | ||
} | ||
packages := getRepositoryPackages(finalRepo, ctx) | ||
for _, val := range packages.Packages { | ||
imageTag := fmt.Sprintf("%s:%s", finalRepo, val.ImageTag()) | ||
checkAndSign(imageTag, ctx) | ||
} | ||
return | ||
} | ||
|
||
func checkAndSign(tag string, ctx *types.Context) { | ||
var fulcioFlag string | ||
|
||
ctx.Info("Checking artifact", tag) | ||
tmpDir, _ := os.MkdirTemp("", "sign-*") | ||
defer os.RemoveAll(tmpDir) | ||
|
||
_ = os.Setenv("TUF_ROOT", tmpDir) // TUF_DIR per run, we dont want to access the same files as another process | ||
_ = os.Setenv("COSIGN_EXPERIMENTAL", "1") // Set keyless verify/sign | ||
|
||
fulcioURL := os.Getenv("FULCIO_URL") // Allow to set a fulcio url | ||
if fulcioURL != "" { | ||
fulcioFlag = fmt.Sprintf("--fulcio-url=%s", fulcioURL) | ||
} | ||
|
||
_, err := exec.Command("cosign", "verify", tag).CombinedOutput() | ||
if err != nil { | ||
ctx.Warning("Artifact", tag, "has no signature, signing it") | ||
out, err := exec.Command("cosign", fulcioFlag, "sign", tag).CombinedOutput() | ||
if err != nil { | ||
ctx.Error("Error signing", tag, ":", string(out)) | ||
} else { | ||
ctx.Success("Artifact", tag, "signed") | ||
} | ||
} else { | ||
ctx.Success("Artifact", tag, "has signature") | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
name: resigner | ||
on: | ||
workflow_dispatch: | ||
inputs: | ||
final-repo: | ||
required: false | ||
default: quay.io/costoolkit/releases-green | ||
type: string | ||
description: Repo to check artifacts for signatures | ||
cosign-repository: | ||
required: false | ||
default: raccos/releases-green | ||
type: string | ||
description: Repo that contains the signatures for the final_repo | ||
fulcio-url: | ||
required: false | ||
default: "" | ||
type: string | ||
description: Set a fulcio url for the signing part. LEave empty to use cosign default url.. | ||
reference-id: | ||
required: false | ||
default: "repository.yaml" | ||
type: string | ||
description: Name of the repository.yaml that will be downloaded. | ||
cosign-version: | ||
required: false | ||
default: "v1.4.1" | ||
type: string | ||
description: Cosign version to install and use | ||
concurrency: | ||
group: ci-sign-${{ github.head_ref || github.ref }}-${{ github.repository }} | ||
cancel-in-progress: true | ||
jobs: | ||
resign: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
id-token: write # OIDC support | ||
env: | ||
FINAL_REPO: ${{ github.event.inputs.final-repo }} | ||
COSIGN_REPOSITORY: ${{ github.event.inputs.cosign-repository }} | ||
FULCIO_URL: ${{ github.event.inputs.fulcio-url }} | ||
REFERENCEID: ${{ github.event.inputs.reference-id }} | ||
steps: | ||
- name: Install Cosign | ||
uses: sigstore/cosign-installer@main | ||
with: | ||
cosign-release: ${{ github.event.inputs.cosign-version }} | ||
- name: Install Go | ||
uses: actions/setup-go@v2 | ||
with: | ||
go-version: '^1.16' | ||
- uses: actions/checkout@v2 | ||
- run: | | ||
git fetch --prune --unshallow | ||
- name: Login to Docker Hub | ||
uses: docker/login-action@v1 | ||
with: | ||
username: ${{ secrets.DOCKER_USERNAME }} | ||
password: ${{ secrets.DOCKER_PASSWORD }} | ||
- name: Login to Quay.io | ||
uses: docker/login-action@v1 | ||
with: | ||
registry: quay.io | ||
username: ${{ secrets.QUAY_USERNAME }} | ||
password: ${{ secrets.QUAY_PASSWORD }} | ||
- name: Resign | ||
run: | | ||
export PATH=$PATH:/usr/local/go/bin | ||
pushd ./.github | ||
go build -o resign resign.go | ||
popd | ||
sudo -E ./.github/resign |