sign binaries and images with sigstore cosign

also generate sboms for archives and packages Signed-off-by: cpanato <[email protected]>
open-telemetry · Sep 5, 2023 · 63ecacd · 63ecacd
1 parent 7adc136
commit 63ecacd
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 2 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -26,7 +26,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: sigstore/cosign-installer@v2
+      - uses: sigstore/cosign-installer@v3
+
+      - uses: anchore/sbom-action/[email protected]
 
       - uses: docker/setup-qemu-action@v2
         with:

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -1,6 +1,8 @@
 partial:
   by: target
 project_name: opentelemetry-collector-releases
+env:
+    - COSIGN_YES=true
 builds:
     - id: otelcol
       goos:
@@ -374,3 +376,25 @@ docker_manifests:
         - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-armv7
         - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-arm64
         - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-ppc64le
+signs:
+    - cmd: cosign
+      args:
+        - sign-blob
+        - --output-signature
+        - ${artifact}.sig
+        - --output-certificate
+        - ${artifact}.pem
+        - ${artifact}
+      signature: ${artifact}.sig
+      artifacts: all
+      certificate: ${artifact}.pem
+docker_signs:
+    - args:
+        - sign
+        - ${artifact}
+      artifacts: all
+sboms:
+    - id: archive
+      artifacts: archive
+    - id: package
+      artifacts: package
diff --git a/cmd/goreleaser/internal/configure.go b/cmd/goreleaser/internal/configure.go
@@ -42,12 +42,15 @@ func Generate(imagePrefixes []string, dists []string) config.Project {
 		Checksum: config.Checksum{
 			NameTemplate: "{{ .ProjectName }}_checksums.txt",
 		},
-
+		Env:             []string{"COSIGN_YES=true"},
 		Builds:          Builds(dists),
 		Archives:        Archives(dists),
 		NFPMs:           Packages(dists),
 		Dockers:         DockerImages(imagePrefixes, dists),
 		DockerManifests: DockerManifests(imagePrefixes, dists),
+		Signs:           Sign(),
+		DockerSigns:     DockerSigns(),
+		SBOMs:           SBOM(),
 	}
 }
 
@@ -252,3 +255,47 @@ func archName(arch, armVersion string) string {
 		return arch
 	}
 }
+
+func Sign() []config.Sign {
+	return []config.Sign{
+		{
+			Artifacts:   "all",
+			Signature:   "${artifact}.sig",
+			Certificate: "${artifact}.pem",
+			Cmd:         "cosign",
+			Args: []string{
+				"sign-blob",
+				"--output-signature",
+				"${artifact}.sig",
+				"--output-certificate",
+				"${artifact}.pem",
+				"${artifact}",
+			},
+		},
+	}
+}
+
+func DockerSigns() []config.Sign {
+	return []config.Sign{
+		{
+			Artifacts: "all",
+			Args: []string{
+				"sign",
+				"${artifact}",
+			},
+		},
+	}
+}
+
+func SBOM() []config.SBOM {
+	return []config.SBOM{
+		{
+			ID:        "archive",
+			Artifacts: "archive",
+		},
+		{
+			ID:        "package",
+			Artifacts: "package",
+		},
+	}
+}