Skip to content

Commit

Permalink
Add resigner and workflow to resign
Browse files Browse the repository at this point in the history
This works by getting the artifacts from the repo and checking their
signatures. If those fail, it will try to resign the artifacts
automatically and push those signatures.

Signed-off-by: Itxaka <igarcia@suse.com>
  • Loading branch information
Itxaka committed Dec 22, 2021
1 parent 24764f2 commit 2833d6e
Show file tree
Hide file tree
Showing 2 changed files with 167 additions and 0 deletions.
95 changes: 95 additions & 0 deletions .github/resign.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
package main

import (
"fmt"
"github.com/mudler/luet/pkg/api/client"
"github.com/mudler/luet/pkg/api/core/types"
"github.com/mudler/luet/pkg/installer"
"io/ioutil"
"os"
"os/exec"
)

func getRepositoryPackages(repo string, ctx *types.Context) (searchResult client.SearchResult) {
tmpdir, err := ioutil.TempDir(os.TempDir(), "ci")
if err != nil {
panic(err)
}
defer os.RemoveAll(tmpdir)
referenceID := os.Getenv("REFERENCEID")
if referenceID == "" {
referenceID = "repository.yaml"
}
d := installer.NewSystemRepository(types.LuetRepository{
Name: "cOS",
Type: "docker",
Cached: true,
Urls: []string{repo},
ReferenceID: referenceID,
})
ctx.Config.GetSystem().Rootfs = "/"
ctx.Config.GetSystem().TmpDirBase = tmpdir
re, err := d.Sync(ctx, false)
if err != nil {
panic(err)
} else {
for _, p := range re.GetTree().GetDatabase().World() {
searchResult.Packages = append(searchResult.Packages, client.Package{
Name: p.GetName(),
Category: p.GetCategory(),
Version: p.GetVersion(),
})
}
return
}
}

func main() {
// We want to be cool and keep the same format as luet, so we create the context here to pass around and use the logging functions
ctx := types.NewContext()
finalRepo := os.Getenv("FINAL_REPO")
if finalRepo == "" {
ctx.Error("A container repository must be specified with FINAL_REPO")
os.Exit(1)
}
cosignRepo := os.Getenv("COSIGN_REPOSITORY")
if cosignRepo == "" {
ctx.Error("A signature repository must be specified with COSIGN_REPOSITORY")
os.Exit(1)
}
packages := getRepositoryPackages(finalRepo, ctx)
for _, val := range packages.Packages {
imageTag := fmt.Sprintf("%s:%s", finalRepo, val.ImageTag())
checkAndSign(imageTag, ctx)
}
return
}

func checkAndSign(tag string, ctx *types.Context) {
var fulcioFlag string

ctx.Info("Checking artifact", tag)
tmpDir, _ := os.MkdirTemp("", "sign-*")
defer os.RemoveAll(tmpDir)

_ = os.Setenv("TUF_ROOT", tmpDir) // TUF_DIR per run, we dont want to access the same files as another process
_ = os.Setenv("COSIGN_EXPERIMENTAL", "1") // Set keyless verify/sign

fulcioURL := os.Getenv("FULCIO_URL") // Allow to set a fulcio url
if fulcioURL != "" {
fulcioFlag = fmt.Sprintf("--fulcio-url=%s", fulcioURL)
}

_, err := exec.Command("cosign", "verify", tag).CombinedOutput()
if err != nil {
ctx.Warning("Artifact", tag, "has no signature, signing it")
out, err := exec.Command("cosign", fulcioFlag, "sign", tag).CombinedOutput()
if err != nil {
ctx.Error("Error signing", tag, ":", string(out))
} else {
ctx.Success("Artifact", tag, "signed")
}
} else {
ctx.Success("Artifact", tag, "has signature")
}
}
72 changes: 72 additions & 0 deletions .github/workflows/resigner.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: resigner
on:
workflow_dispatch:
inputs:
final-repo:
required: false
default: quay.io/costoolkit/releases-green
type: string
description: Repo to check artifacts for signatures
cosign-repository:
required: false
default: raccos/releases-green
type: string
description: Repo that contains the signatures for the final_repo
fulcio-url:
required: false
default: ""
type: string
description: Set a fulcio url for the signing part. LEave empty to use cosign default url..
reference-id:
required: false
default: "repository.yaml"
type: string
description: Name of the repository.yaml that will be downloaded.
cosign-version:
required: false
default: "v1.4.1"
type: string
description: Cosign version to install and use
concurrency:
group: ci-sign-${{ github.head_ref || github.ref }}-${{ github.repository }}
cancel-in-progress: true
jobs:
resign:
runs-on: ubuntu-latest
permissions:
id-token: write # OIDC support
env:
FINAL_REPO: ${{ github.event.inputs.final-repo }}
COSIGN_REPOSITORY: ${{ github.event.inputs.cosign-repository }}
FULCIO_URL: ${{ github.event.inputs.fulcio-url }}
REFERENCEID: ${{ github.event.inputs.reference-id }}
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: ${{ github.event.inputs.cosign-version }}
- name: Install Go
uses: actions/setup-go@v2
with:
go-version: '^1.16'
- uses: actions/checkout@v2
- run: |
git fetch --prune --unshallow
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Resign
run: |
export PATH=$PATH:/usr/local/go/bin
pushd ./.github
go build -o resign resign.go
popd
sudo -E ./.github/resign

0 comments on commit 2833d6e

Please sign in to comment.