From c43d59a69a220f82142677fe9fc624d9203f416e Mon Sep 17 00:00:00 2001 From: max furman Date: Tue, 25 Oct 2022 21:26:50 -0700 Subject: [PATCH 1/2] [action] keyless cosign for all release artifacts --- .github/workflows/release.yml | 38 +++++++++++++++++------------------ .goreleaser.yml | 9 +++++---- make/docker.mk | 2 +- 3 files changed, 25 insertions(+), 24 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4c00ad04..48bbf730 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,8 +13,8 @@ jobs: create_release: name: Create Release - #needs: ci - runs-on: ubuntu-20.04 + needs: ci + runs-on: ubuntu-latest outputs: is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }} steps: @@ -25,7 +25,7 @@ jobs: echo ${{ github.ref }} | grep "\-rc.*" OUT=$? if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi - echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}" + echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT} - name: Create Release id: create_release uses: actions/create-release@v1 @@ -39,8 +39,11 @@ jobs: goreleaser: name: Upload Assets To Github w/ goreleaser - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest needs: create_release + permissions: + id-token: write + contents: write steps: - name: Checkout uses: actions/checkout@v3 @@ -50,17 +53,14 @@ jobs: go-version: 1.19 check-latest: true - name: Install cosign - uses: sigstore/cosign-installer@v2.7.0 + uses: sigstore/cosign-installer@v2 with: - cosign-release: 'v1.12.1' - - name: Write cosign key to disk - id: write_key - run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key" + cosign-release: 'v1.13.1' - name: Get Release Date id: release_date run: | RELEASE_DATE=$(date +"%y-%m-%d") - echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}" + echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV} - name: Run GoReleaser uses: goreleaser/goreleaser-action@v3 with: 
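Review bot: The installer step in this hunk moves from the pinned `sigstore/cosign-installer@v2.7.0` to the floating major tag `@v2`, so a release job that now holds `id-token: write` and `contents: write` will run whatever that tag resolves to on a future run; the same change appears in the `build_upload_docker` hunk (`@@ -84,12 +87,9 @@`). Pin the action to a full commit SHA and keep the version readable in a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha-placeholder>  # v2.x.y`, and let dependency tooling move the pin. Keeping `cosign-release: 'v1.13.1'` explicit is good, since it fixes the exact binary the signatures were produced with.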
@@ -68,13 +68,16 @@ jobs: args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }} - COSIGN_PWD: ${{ secrets.COSIGN_PWD }} - RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }} + RELEASE_DATE: ${RELEASE_DATE} + COSIGN_EXPERIMENTAL: 1 build_upload_docker: name: Build & Upload Docker Images - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest needs: ci + permissions: + id-token: write + contents: write steps: - name: Checkout uses: actions/checkout@v3 @@ -84,12 +87,9 @@ jobs: go-version: '1.19' check-latest: true - name: Install cosign - uses: sigstore/cosign-installer@v1.1.0 + uses: sigstore/cosign-installer@v2 with: - cosign-release: 'v1.1.0' - - name: Write cosign key to disk - id: write_key - run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key" + cosign-release: 'v1.13.1' - name: Build id: build run: | @@ -98,4 +98,4 @@ jobs: env: DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - COSIGN_PWD: ${{ secrets.COSIGN_PWD }} + COSIGN_EXPERIMENTAL: 1 diff --git a/.goreleaser.yml b/.goreleaser.yml index c8650d5b..43ffadb3 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -87,8 +87,9 @@ checksum: signs: - cmd: cosign - stdin: '{{ .Env.COSIGN_PWD }}' - args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"] + signature: "${artifact}.sig" + certificate: "${artifact}.pem" + args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"] artifacts: all snapshot: 
@@ -154,8 +155,8 @@ release: ``` cosign verify-blob \ - -key https://raw.githubusercontent.com/smallstep/certificates/master/cosign.pub \ - -signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig + --certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \ + --signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \ ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz ``` diff --git a/make/docker.mk b/make/docker.mk index edb82423..0d56e663 100644 --- a/make/docker.mk +++ b/make/docker.mk @@ -54,7 +54,7 @@ define DOCKER_BUILDX # $(1) -- Image Tag # $(2) -- Push (empty is no push | --push will push to dockerhub) docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2) - echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1) + cosign sign -r $(DOCKER_IMAGE_NAME):$(1) endef From c36b36f0708740ae6c2cbb46b70b051d558f9029 Mon Sep 17 00:00:00 2001 From: max furman Date: Wed, 26 Oct 2022 23:31:02 -0700 Subject: [PATCH 2/2] [action] cosign over docker image digest --- .github/workflows/release.yml | 47 +++++++++--------- Makefile | 10 ---- make/docker.mk | 91 ----------------------------------- 3 files changed, 23 insertions(+), 125 deletions(-) delete mode 100644 make/docker.mk diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 48bbf730..f66ad67b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,8 +15,12 @@ jobs: name: Create Release needs: ci runs-on: ubuntu-latest + env: + DOCKER_IMAGE: smallstep/step-ca outputs: + version: ${{ steps.extract-tag.outputs.VERSION }} is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }} + docker_tags: ${{ env.DOCKER_TAGS }} steps: - name: Is Pre-release id: is_prerelease 
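Review bot: The verification snippet points readers at `..._amd64.tar.gz.sig.pem`, but the `signs:` entry in the previous hunk writes the certificate with `certificate: "${artifact}.pem"`, which for this artifact is `step-ca_darwin_{{ .Version }}_amd64.tar.gz.pem`; one of the two names has to change, and fixing the doc line to `--certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.pem \` is the smaller edit. The command as written also only checks that the certificate and signature agree with the blob, not who signed it, so any certificate issued by the public Fulcio instance would verify. Add the signer constraints the reader's cosign release supports (`--certificate-oidc-issuer https://token.actions.githubusercontent.com` together with the expected workflow identity, `--certificate-identity` in current releases), and if the notes assume a cosign 1.x binary, say that keyless verification there needs `COSIGN_EXPERIMENTAL=1` in the environment.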
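Review bot: The image name is now spelled twice: `DOCKER_IMAGE: smallstep/step-ca` in this job's `env:` and, in the later `@@ -68,34 +82,19 @@` hunk, a literal `docker_image: smallstep/step-ca` passed to the reusable workflow, while `tags:` already flows through `needs.create_release.outputs.docker_tags`. Either expose the name as a third output (`docker_image: ${{ env.DOCKER_IMAGE }}`) and pass `docker_image: ${{ needs.create_release.outputs.docker_image }}` in the docker job, or drop the env entry and keep the literal in one place. Minor: `version` is read from a step output whereas `docker_tags` is read from the `env` context that the two tag steps build up via `GITHUB_ENV`; a comment above `docker_tags:` noting that dependency would spare the next reader a check.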
@@ -26,6 +30,16 @@ jobs: OUT=$? if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT} + - name: Extract Tag Names + id: extract-tag + run: | + VERSION=${GITHUB_REF#refs/tags/v} + echo "VERSION=${VERSION}" >> ${GITHUB_OUTPUT} + echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> ${GITHUB_ENV} + - name: Add Latest Tag + if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false' + run: | + echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> ${GITHUB_ENV} - name: Create Release id: create_release uses: actions/create-release@v1 @@ -68,34 +82,19 @@ jobs: args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }} - RELEASE_DATE: ${RELEASE_DATE} + RELEASE_DATE: ${{ env.RELEASE_DATE }} COSIGN_EXPERIMENTAL: 1 build_upload_docker: name: Build & Upload Docker Images - runs-on: ubuntu-latest - needs: ci + needs: create_release permissions: id-token: write contents: write - steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Setup Go - uses: actions/setup-go@v3 - with: - go-version: '1.19' - check-latest: true - - name: Install cosign - uses: sigstore/cosign-installer@v2 - with: - cosign-release: 'v1.13.1' - - name: Build - id: build - run: | - PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin - make docker-artifacts - env: - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - COSIGN_EXPERIMENTAL: 1 + uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main + with: + platforms: linux/amd64,linux/386,linux/arm,linux/arm64 + tags: ${{ needs.create_release.outputs.docker_tags }} + docker_image: smallstep/step-ca + docker_file: docker/Dockerfile.step-ca + secrets: inherit diff --git a/Makefile b/Makefile index 55b97c62..90e96993 100644 --- a/Makefile +++ b/Makefile 
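Review bot: `VERSION=${GITHUB_REF#refs/tags/v}` in the Extract Tag Names step strips the prefix only when the ref is a `v` tag; on any other ref the expansion is a no-op and `DOCKER_TAGS` would become `smallstep/step-ca:refs/heads/...`, which is not a valid image reference and would presumably fail in the docker job rather than here. The workflow trigger is outside this hunk, so if it is already tag-only this is a belt-and-braces check, but a guard such as `case "${GITHUB_REF}" in refs/tags/v*) ;; *) echo "not a release tag: ${GITHUB_REF}" >&2; exit 1 ;; esac` before the assignment makes the assumption explicit. Style: inside `run:` the job-level `env` is already exported to the shell, so `${DOCKER_IMAGE}` and `${DOCKER_TAGS}` read the same values as `${{ env.DOCKER_IMAGE }}` / `${{ env.DOCKER_TAGS }}` without template interpolation into the script, which is the form GitHub recommends for `run:` steps.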
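Review bot: `build_upload_docker` now calls `smallstep/workflows/.github/workflows/docker-buildx-push.yml@main` with `secrets: inherit`, so every secret of this repository (`GORELEASER_PAT`, `DOCKER_USERNAME` and `DOCKER_PASSWORD` are the ones visible on this page) plus the job's `id-token: write` grant is handed to whatever that branch contains at run time. Pin the reusable workflow to a release tag or, better, a full commit SHA (`@<commit-sha-placeholder>  # vX.Y.Z`), and replace `secrets: inherit` with an explicit `secrets:` map of only the names the called workflow declares, so a change in the shared repository cannot widen what this release job exposes. A one-line comment above `uses:` stating that the called workflow is expected to build and sign the image by digest would also help, since the commit message says so but nothing in this file shows it anymore.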
@@ -79,8 +79,6 @@ $(info DEB_VERSION is $(DEB_VERSION)) $(info PUSHTYPE is $(PUSHTYPE)) endif -include make/docker.mk - ######################################### # Build ######################################### @@ -232,11 +230,3 @@ debian: changelog distclean: clean .PHONY: changelog debian distclean - -################################################# -# Targets for creating step artifacts -################################################# - -docker-artifacts: docker-$(PUSHTYPE) - -.PHONY: docker-artifacts diff --git a/make/docker.mk b/make/docker.mk deleted file mode 100644 index 0d56e663..00000000 --- a/make/docker.mk +++ /dev/null 
@@ -1,91 +0,0 @@ -######################################### -# Building Docker Image -# -# This uses a multi-stage build file. The first stage is a builder (that might -# be large in size). After the build has succeeded, the statically linked -# binary is copied to a new image that is optimized for size. -######################################### - -ifeq (, $(shell which docker)) - DOCKER_CLIENT_OS := linux -else - DOCKER_CLIENT_OS := $(strip $(shell docker version -f '{{.Client.Os}}' 2>/dev/null)) -endif - -DOCKER_PLATFORMS = linux/amd64,linux/386,linux/arm,linux/arm64 -DOCKER_IMAGE_NAME = smallstep/step-ca - -docker-prepare: - # Ensure, we can build for ARM architecture -ifeq (linux,$(DOCKER_CLIENT_OS)) - [ -f /proc/sys/fs/binfmt_misc/qemu-arm ] || docker run --rm --privileged linuxkit/binfmt:v0.8-amd64 -endif - - # Register buildx builder - mkdir -p $$HOME/.docker/cli-plugins - - test -f $$HOME/.docker/cli-plugins/docker-buildx || \ - (wget -q -O $$HOME/.docker/cli-plugins/docker-buildx https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.$(DOCKER_CLIENT_OS)-amd64 && \ - chmod +x $$HOME/.docker/cli-plugins/docker-buildx) - - docker buildx create --use --name mybuilder --platform="$(DOCKER_PLATFORMS)" || true - -.PHONY: docker-prepare - -################################################# -# Releasing Docker Images -# -# Using the docker build infrastructure, this section is responsible for -# logging into docker hub. 
-################################################# - -# Rely on DOCKER_USERNAME and DOCKER_PASSWORD being set inside the CI or -# equivalent environment -docker-login: - $Q docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)" - -.PHONY: docker-login - -################################################# -# Targets for different type of builds -################################################# - -define DOCKER_BUILDX - # $(1) -- Image Tag - # $(2) -- Push (empty is no push | --push will push to dockerhub) - docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2) - cosign sign -r $(DOCKER_IMAGE_NAME):$(1) - -endef - -# For non-master builds don't build the docker containers. -docker-branch: - -# For master builds don't build the docker containers. -docker-master: - -# For all builds with a release candidate tag build and push the containers. -docker-release-candidate: docker-prepare docker-login - $(call DOCKER_BUILDX,$(VERSION),--push) - -# For all builds with a release tag build and push the containers. -docker-release: docker-prepare docker-login - $(call DOCKER_BUILDX,latest,--push) - $(call DOCKER_BUILDX,$(VERSION),--push) - -.PHONY: docker-branch docker-master docker-release-candidate docker-release - -# XXX We put the output for the build in 'output' so we don't mess with how we -# do rule overriding from the base Makefile (if you name it 'build' it messes up -# the wildcarding). -DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/ - -DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(BINNAME) -DOCKER_BUILD=$Q docker build -t $(DOCKER_IMAGE_NAME):latest -f docker/Dockerfile.step-ca --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(BINNAME) . - -docker-dev: docker/Dockerfile.step-ca - mkdir -p $(DOCKER_OUTPUT) - $(call DOCKER_MAKE,$(DOCKER_OUTPUT),step-ca) - $(call DOCKER_BUILD) - -.PHONY: docker-dev