feat(signature): Checksum signature verification (#1670)

* feat(signature): Checksum signature verification Signed-off-by: Shubham Hibare <shubham@hibare.in> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Update message Signed-off-by: Shubham Hibare <shubham@hibare.in> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * address comments Signed-off-by: Shubham Hibare <shubham@hibare.in> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * consider -v flag across supported releases Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for install.sh signature verification Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * check that release is run from main Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * summarize install.sh flags and recommendations Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove regex use on cosign verify-blob Co-authored-by: Dominique Martinet <asmadeus@codewreck.org> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * simplify the compare_semver install function Co-authored-by: Dominique Martinet <asmadeus@codewreck.org> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add more tests to compare_semver Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit copy change for install help Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * keep original compare_semver implementation Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update copy to include default install path Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Shubham Hibare <shubham@hibare.in> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Dominique Martinet <asmadeus@codewreck.org>
anchore · Jun 6, 2024 · 17b1047 · 17b1047
1 parent e5b341b
commit 17b1047
Show file tree

Hide file tree

Showing 17 changed files with 453 additions and 67 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -14,6 +14,16 @@ jobs:
     environment: release
     runs-on: ubuntu-20.04
     steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+
+      - name: Check if running on main
+        if: github.ref != 'refs/heads/main'
+        # we are using the following flag when running `cosign blob-verify` for checksum signature verification:
+        #   --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main"
+        # if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch
+        # at the time of when the OIDC token was issued on the Github Actions runner.
+        run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
 
       - name: Check if pinned syft is a release version

diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml
@@ -177,6 +177,9 @@ jobs:
     needs: [Build-Snapshot-Artifacts]
     runs-on: macos-latest
     steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.5.0
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
 
       - name: Download snapshot build

diff --git a/README.md b/README.md
@@ -60,12 +60,10 @@ If you encounter an issue, please [let us know using the issue tracker](https://
 ```bash
 curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
 ```
-
-You can also choose another destination directory and release version for the installation. The destination directory doesn't need to be `/usr/local/bin`, it just needs to be a location found in the user's PATH and writable by the user that's installing Grype.
-
-```
-curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>
-```
+Install script options:
+-	`-b`: Specify a custom installation directory (defaults to `./bin`)
+-	`-d`: More verbose logging levels (`-d` for debug, `-dd` for trace)
+-	`-v`: Verify the signature of the downloaded artifact before installation (requires [`cosign`](https://github.com/sigstore/cosign) to be installed)
 
 ### Chocolatey