From 63ecacdbb68e8ff3119f415c3aabb3f49bdc5efa Mon Sep 17 00:00:00 2001
From: cpanato
Date: Fri, 30 Sep 2022 10:46:25 +0200
Subject: [PATCH] sign binaries and images with sigstore cosign

also generate sboms for archives and packages

Signed-off-by: cpanato
---
 .github/workflows/release.yaml       |  4 ++-
 .goreleaser.yaml                     | 24 ++++++++++++++
 cmd/goreleaser/internal/configure.go | 49 +++++++++++++++++++++++++++-
 3 files changed, 75 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 52c6d463..c6fe5148 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -26,7 +26,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: sigstore/cosign-installer@v2
+      - uses: sigstore/cosign-installer@v3
+
+      - uses: anchore/sbom-action/download-syft@v0.14.3
 
       - uses: docker/setup-qemu-action@v2
         with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index c3b6a04c..b808e6a4 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,6 +1,8 @@
 partial:
   by: target
 project_name: opentelemetry-collector-releases
+env:
+  - COSIGN_YES=true
 builds:
   - id: otelcol
     goos:
@@ -374,3 +376,25 @@ docker_manifests:
       - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-armv7
       - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-arm64
       - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-ppc64le
+signs:
+  - cmd: cosign
+    args:
+      - sign-blob
+      - --output-signature
+      - ${artifact}.sig
+      - --output-certificate
+      - ${artifact}.pem
+      - ${artifact}
+    signature: ${artifact}.sig
+    artifacts: all
+    certificate: ${artifact}.pem
+docker_signs:
+  - args:
+      - sign
+      - ${artifact}
+    artifacts: all
+sboms:
+  - id: archive
+    artifacts: archive
+  - id: package
+    artifacts: package
diff --git a/cmd/goreleaser/internal/configure.go b/cmd/goreleaser/internal/configure.go
index 38c9d222..9ecc1803 100644
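Review bot: Both steps on the new side, `sigstore/cosign-installer@v3` and `anchore/sbom-action/download-syft@v0.14.3`, are pinned to mutable tags, so the very tools that produce the release signatures and SBOMs can be swapped underneath this workflow if either tag is moved; pin them to the full commit SHA of the intended release and keep the tag as a trailing comment, e.g. `- uses: sigstore/cosign-installer@<commit-sha> # v3`. The neighbouring context line `docker/setup-qemu-action@v2` suggests tag pinning is the existing convention in this file, but the signing and SBOM steps are the ones where an upstream substitution would directly affect what consumers verify. Keyless cosign signing from Actions also relies on the job having `permissions: id-token: write`; the permissions block is outside this hunk, so confirm it is present. The job definition starts and continues outside the hunk.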
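Review bot: The new `COSIGN_YES=true` entry under `env:` has no explanation, and it applies to every cosign invocation goreleaser runs for this release: it auto-accepts cosign's consent prompt for publishing the signature and certificate to the public transparency log (the same effect as passing `--yes`), which would otherwise block or fail in a non-interactive runner. A one-line comment above it, `# non-interactive consent for cosign's Rekor/Fulcio upload prompt (same as --yes); applies to all cosign calls below`, would make the intent and scope clear to the next maintainer.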
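Review bot: The `docker_signs` entry signs `${artifact}`, which goreleaser expands to the image reference with its tag, so cosign resolves and signs whatever the tag points at when the step runs rather than the manifest that was just pushed (cosign itself warns about signing by tag instead of digest); if the goreleaser version in use exposes `${digest}`, change the argument to `- ${artifact}@${digest}` so the signature is bound to the exact image. The `signs` entry with `artifacts: all` also covers the checksums file, which is the artifact verifiers should check first, and because no `--key` is passed the `.sig`/`.pem` pairs come from keyless signing; a short comment stating both would help consumers. The `sboms` entries give no `cmd`, so they depend on goreleaser's default SBOM tool being installed, which appears to be why the workflow hunk adds `download-syft`; noting that coupling in a comment would help too.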
--- a/cmd/goreleaser/internal/configure.go
+++ b/cmd/goreleaser/internal/configure.go
@@ -42,12 +42,15 @@ func Generate(imagePrefixes []string, dists []string) config.Project {
 		Checksum: config.Checksum{
 			NameTemplate: "{{ .ProjectName }}_checksums.txt",
 		},
-
+		Env:             []string{"COSIGN_YES=true"},
 		Builds:          Builds(dists),
 		Archives:        Archives(dists),
 		NFPMs:           Packages(dists),
 		Dockers:         DockerImages(imagePrefixes, dists),
 		DockerManifests: DockerManifests(imagePrefixes, dists),
+		Signs:           Sign(),
+		DockerSigns:     DockerSigns(),
+		SBOMs:           SBOM(),
 	}
 }
 
@@ -252,3 +255,47 @@ func archName(arch, armVersion string) string {
 		return arch
 	}
 }
+
+func Sign() []config.Sign {
+	return []config.Sign{
+		{
+			Artifacts:   "all",
+			Signature:   "${artifact}.sig",
+			Certificate: "${artifact}.pem",
+			Cmd:         "cosign",
+			Args: []string{
+				"sign-blob",
+				"--output-signature",
+				"${artifact}.sig",
+				"--output-certificate",
+				"${artifact}.pem",
+				"${artifact}",
+			},
+		},
+	}
+}
+
+func DockerSigns() []config.Sign {
+	return []config.Sign{
+		{
+			Artifacts: "all",
+			Args: []string{
+				"sign",
+				"${artifact}",
+			},
+		},
+	}
+}
+
+func SBOM() []config.SBOM {
+	return []config.SBOM{
+		{
+			ID:        "archive",
+			Artifacts: "archive",
+		},
+		{
+			ID:        "package",
+			Artifacts: "package",
+		},
+	}
+}
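Review bot: `DockerSigns` passes `"${artifact}"` to `cosign sign`, which is the image reference with its tag, so the signature is bound to whatever that tag resolves to when cosign runs rather than to the manifest goreleaser just pushed; if the goreleaser version in use exposes `${digest}`, use `"${artifact}@${digest}"` here so the signature covers the exact image. The three new exported functions `Sign`, `DockerSigns` and `SBOM` have no doc comments; for example `// Sign returns the keyless cosign sign-blob step applied to every artifact, writing the signature to ${artifact}.sig and the Fulcio certificate to ${artifact}.pem.` and equivalents for the other two would cover that. This file appears to be the generator for the committed `.goreleaser.yaml`, whose `signs`/`docker_signs`/`sboms` sections this commit adds by hand with identical content, so the doc comment on `Sign` should also say that changes here must be regenerated into the YAML (or vice versa) to keep the two in sync.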