Update dependencies

ThomasVitale · Aug 7, 2023 · 61ca5eb · 61ca5eb
1 parent f56d79a
commit 61ca5eb
Show file tree

Hide file tree

Showing 12 changed files with 502 additions and 180 deletions.
diff --git a/.github/workflows/commit-stage.yml b/.github/workflows/commit-stage.yml
@@ -2,7 +2,6 @@ name: Commit Stage
 on: push
 
 env:
-  COSIGN_EXPERIMENTAL: 1
   REGISTRY: ghcr.io
   IMAGE_NAME: thomasvitale/band-service
   VERSION: ${{ github.sha }}
@@ -87,9 +86,9 @@ jobs:
       image-name: ${{ steps.image-info.outputs.name }}
     steps:
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v2.8.1
+        uses: sigstore/cosign-installer@v3
 
-      - uses: redhat-actions/podman-login@v1.4
+      - uses: redhat-actions/podman-login@v1.6
         with:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
@@ -109,7 +108,7 @@ jobs:
 
       - name: Sign image
         run: |
-          cosign sign "${REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST}"
+          cosign sign --yes "${REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST}"
           echo "::notice title=Verify signature::COSIGN_EXPERIMENTAL=1 cosign verify ${REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST} | jq '.[0]'"
           echo "::notice title=Inspect signature bundle::COSIGN_EXPERIMENTAL=1 cosign verify ${REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST} | jq '.[0].optional.Bundle.Payload.body |= @base64d | .[0].optional.Bundle.Payload.body | fromjson'"
           echo "::notice title=Inspect certificate::COSIGN_EXPERIMENTAL=1 cosign verify ${REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST} | jq -r '.[0].optional.Bundle.Payload.body |= @base64d | .[0].optional.Bundle.Payload.body | fromjson | .spec.signature.publicKey.content |= @base64d | .spec.signature.publicKey.content' | openssl x509 -text"
@@ -120,7 +119,7 @@ jobs:
       actions: read
       id-token: write
       packages: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
     with:
       image: ${{ needs.sign.outputs.image-name }}
       digest: ${{ needs.sign.outputs.image-digest }}

diff --git a/README.md b/README.md
@@ -1,6 +1,8 @@
 # Band Service
 
-<a href="https://slsa.dev/spec/v0.1/levels"><img src="https://slsa.dev/images/gh-badge-level3.svg" alt="The SLSA Level 3 badge"></a>
+![Build Workflow](https://github.com/thomasvitale/band-service/actions/workflows/commit.stage.yml/badge.svg)
+[![The SLSA Level 3 badge](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/spec/v1.0/levels)
+[![The Apache 2.0 license badge](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 
 ## Container images with Cloud Native Buildpacks
 
@@ -14,15 +16,15 @@ For AMD64 architectures:
 
 ```shell
 pack build band-service \
-    --builder paketobuildpacks/builder:base \
+    --builder paketobuildpacks/builder-jammy-tiny \
     --env BP_JVM_VERSION=17
 ```
 
 For ARM64 architectures:
 
 ```shell
 pack build band-service \
-    --builder ghcr.io/thomasvitale/java-builder-arm64 \
+    --builder docker.io/dashaun/builder-arm:tiny \
     --env BP_JVM_VERSION=17 \
     --trust-builder
 ```
@@ -45,14 +47,6 @@ brew install sigstore/tap/gitsign
 
 Configure your application repository to enforce commit signing with gitsign:
 
-```shell
-cd <your_repository_path>
-git config --local commit.gpgsign true  # Sign all commits
-git config --local tag.gpgsign true  # Sign all tags
-git config --local gpg.x509.program gitsign  # Use gitsign for signing
-git config --local gpg.format x509  # gitsign expects x509 args
-```
-
 ```shell
 cd <your_repository_path>
 # Sign all commits
@@ -73,14 +67,42 @@ You can verify a commit as follows:
 git verify-commit HEAD
 ```
 
-## Signing OCI artifacts
+## Verifying signatures and SLSA attestations
+
+After packaging the currente application as an OCI image, cosign is used to sign the artifact and the SLSA attestation.
+
+Using `cosign`, you can display the supply chain security related artifacts for the `ghcr.io/thomasvitale/band-service` images. Use the specific digest you'd like to verify.
+
+```shell
+cosign tree ghcr.io/thomasvitale/band-service
+```
+
+The result:
+
+```shell
+📦 Supply Chain Security Related artifacts for an image: ghcr.io/thomasvitale/band-service
+└── 💾 Attestations for an image tag: ghcr.io/thomasvitale/band-service:sha256-53b8f5bcec33facefcdaa676edeb6c2cdf88b9c1a1bc0f4d0cd23720b4511e1c.att
+   └── 🍒 sha256:0b608efeb00a3bfff29e34535779c84d506d4b64b1c39084ed61ace01473b5cd
+└── 🔐 Signatures for an image tag: ghcr.io/thomasvitale/band-service:sha256-53b8f5bcec33facefcdaa676edeb6c2cdf88b9c1a1bc0f4d0cd23720b4511e1c.sig
+   └── 🍒 sha256:3714100d8c0ae7a088de5f6a548fa5a28969594fce1b958c4168876741cc750b
+```
+
+You can verify the signature and its claims:
 
-After packaging the currente application as an OCI image, cosign is used to sign the artifact.
+```shell
+cosign verify \
+   --certificate-identity-regexp https://github.com/ThomasVitale \
+   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+   ghcr.io/thomasvitale/band-service | jq
+```
 
-You can verify the signature as follows:
+You can also verify the SLSA Provenance attestation associated with the image.
 
 ```shell
-COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/thomasvitale/band-service | jq '.[0]'
+cosign verify-attestation --type slsaprovenance \
+   --certificate-identity-regexp https://github.com/slsa-framework \
+   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+   ghcr.io/thomasvitale/band-service | jq .payload -r | base64 --decode | jq
 ```
 
 ## Software Bill of Materials (SBOMs) with Syft
@@ -103,8 +125,7 @@ You can export SBOM in Syft, SPDX, and CycloneDX formats.
 syft band-service -o cyclonedx-json
 ```
 
-When using Paketo Buildpacks, Syft is already used as part of the build process and SBOMs are generated
-for each layer. You can access the SBOMs per layer with the following command.
+When using Paketo Buildpacks, Syft is already used as part of the build process and SBOMs are generated for each layer. You can access the SBOMs per layer with the following command.
 
 ```shell
 pack sbom download band-service --output-dir sboms
@@ -131,8 +152,7 @@ trivy image <image>
 
 ## Lock dependencies with Gradle
 
-Gradle lets you lock all the dependencies in your project and fail a build is any of them is changed
-outside the standard lifecycle.
+Gradle lets you lock all the dependencies in your project and fail a build is any of them is changed outside the standard lifecycle.
 
 You can generate/update the list of locked dependencies as follows:
 

diff --git a/build.gradle b/build.gradle
@@ -1,7 +1,7 @@
 plugins {
 	id 'java'
-	id 'org.springframework.boot' version '3.0.4'
-	id 'io.spring.dependency-management' version '1.1.0'
+	id 'org.springframework.boot' version '3.1.2'
+	id 'io.spring.dependency-management' version '1.1.2'
 }
 
 group = 'com.thomasvitale'
@@ -34,8 +34,8 @@ tasks.named('bootBuildImage') {
 
 	if (System.getProperty( "os.arch" ).toLowerCase().startsWith('aarch')) {
  		// This builder is only for ARM64 systems.
- 		// For more info: https://github.com/thomasvitale/paketo-arm64
- 		builder = "ghcr.io/thomasvitale/builder-arm:tiny"
+ 		// For more info: https://github.com/dashaun/paketo-arm64
+ 		builder = "docker.io/dashaun/builder-arm:tiny"
  	}
 
 	imageName = "band-service"

diff --git a/config/tekton-pipeline.yml b/config/tekton-pipeline.yml