From 1a95cd95ba8c35e18d2f472143af329a54c1ff81 Mon Sep 17 00:00:00 2001 From: afdesk Date: Tue, 14 Feb 2023 15:00:02 +0600 Subject: [PATCH 01/10] ci: add gpg signing for the packages --- .github/workflows/release.yaml | 3 --- .github/workflows/reusable-release.yaml | 8 ++++++++ goreleaser.yml | 10 ++++++++++ 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ee2b7c54ba7..3db71db4ef8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -50,8 +50,5 @@ jobs: - name: Create rpm repository run: ci/deploy-rpm.sh - - name: Import GPG key - run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import - - name: Create deb repository run: ci/deploy-deb.sh diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index c63a1ee4b36..a8b2b607467 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml @@ -75,6 +75,13 @@ jobs: args: mod -licenses -json -output bom.json version: ^v1 + - name: Import GPG key + id: import_gpg + uses: crazy-max/ghaction-import-gpg@v5 + with: + gpg_private_key: ${{ secrets.GPG_KEY }} + passphrase: ${{ secrets.GPG_PASSPHRASE }} + - name: GoReleaser uses: goreleaser/goreleaser-action@v4 with: @@ -82,6 +89,7 @@ jobs: args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}} env: GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }} + GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} ## push images to registries ## only for canary build diff --git a/goreleaser.yml b/goreleaser.yml index 434774fdde2..6bf8fbafa0a 100644 --- a/goreleaser.yml +++ b/goreleaser.yml @@ -264,6 +264,16 @@ signs: - "${artifact}" artifacts: all output: true +- id: "gpg signing" + artifacts: package + args: + - "--batch" + - "--local-user" + - "{{ .Env.GPG_FINGERPRINT }}" + - "--output" + - "${signature}" + - "--detach-sign" + - "${artifact}" docker_signs: - cmd: cosign 
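Review bot: The new `Import GPG key` step in `reusable-release.yaml` hands the release signing key to a third-party action pinned only by the mutable tag `crazy-max/ghaction-import-gpg@v5`, so anyone able to move that tag runs code with `secrets.GPG_KEY` and `secrets.GPG_PASSPHRASE` in scope. Pin it to a full commit SHA with the version kept as a trailing comment, e.g. `uses: crazy-max/ghaction-import-gpg@<commit-sha>  # v5`, and consider the same for `goreleaser/goreleaser-action@v4` on the following step, which receives `GPG_FINGERPRINT` and `ORG_REPO_TOKEN`. The file's existing steps use tag pins, so this is a deliberate departure from convention rather than a one-off. The enclosing `release` job starts and ends outside the hunk.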
From 9b9a0f0382db915141d8ad2a0e3a24e8ba3d1520 Mon Sep 17 00:00:00 2001 From: afdesk Date: Sat, 25 Feb 2023 16:28:28 +0600 Subject: [PATCH 02/10] add `environment` field to the action --- .github/workflows/reusable-release.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index a8b2b607467..eb26b16c34f 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml @@ -19,6 +19,7 @@ jobs: release: name: Release runs-on: ubuntu-latest + environment: AQUA_ENVIRONMENT env: DOCKER_CLI_EXPERIMENTAL: "enabled" permissions: From 50cc4ded94fa641554775a1a375aacff56fcf5ca Mon Sep 17 00:00:00 2001 From: afdesk Date: Tue, 21 Mar 2023 19:28:54 +0600 Subject: [PATCH 03/10] add a sufix for gpg signatures --- goreleaser.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/goreleaser.yml b/goreleaser.yml index 6bf8fbafa0a..d30fa7f9236 100644 --- a/goreleaser.yml +++ b/goreleaser.yml @@ -266,6 +266,7 @@ signs: output: true - id: "gpg signing" artifacts: package + signature: "${artifact}.gpg.sig" args: - "--batch" - "--local-user" From e631ba5419fa38fdf054208eb113ab1d871b348b Mon Sep 17 00:00:00 2001 From: afdesk Date: Tue, 21 Mar 2023 20:10:21 +0600 Subject: [PATCH 04/10] add input passphrase and show output --- .github/workflows/reusable-release.yaml | 1 + goreleaser.yml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index eb26b16c34f..e15935d275c 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml @@ -91,6 +91,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} ## push images to registries ## only for canary build diff --git a/goreleaser.yml b/goreleaser.yml index d30fa7f9236..7280b147e2c 100644 
--- a/goreleaser.yml +++ b/goreleaser.yml @@ -275,6 +275,8 @@ signs: - "${signature}" - "--detach-sign" - "${artifact}" + output: true + stdin: '{{ .Env.GPG_PASSPHRASE }}' docker_signs: - cmd: cosign From f8a7f04d77b7a6aa4924a99a08114f604b37df7b Mon Sep 17 00:00:00 2001 From: afdesk Date: Wed, 22 Mar 2023 19:36:04 +0600 Subject: [PATCH 05/10] signing rpm and all artifacts --- .github/workflows/reusable-release.yaml | 12 ++++++++++ goreleaser.yml | 29 ++++++++++++++----------- 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index e15935d275c..5f9220bf3ad 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml @@ -83,6 +83,12 @@ jobs: gpg_private_key: ${{ secrets.GPG_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} + - name: "save gpg key" + env: + GPG_KEY: ${{ secrets.GPG_KEY }} + run: | + echo "$GPG_KEY" > gpg.txt + - name: GoReleaser uses: goreleaser/goreleaser-action@v4 with: @@ -92,6 +98,12 @@ jobs: GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_FILE: "gpg.txt" + + - name: "remove gpg key" + run: | + rm gpg.txt ## push images to registries ## only for canary build diff --git a/goreleaser.yml b/goreleaser.yml index 7280b147e2c..5c1360e50a5 100644 --- a/goreleaser.yml +++ b/goreleaser.yml @@ -74,6 +74,9 @@ nfpms: contents: - src: contrib/*.tpl dst: /usr/local/share/trivy/templates + rpm: + signature: + key_file: '{{ .Env.GPG_FILE }}' archives: - 
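Review bot: The added `stdin: '{{ .Env.GPG_PASSPHRASE }}'` only reaches gpg if the argument list tells it to read the passphrase from stdin; with the existing args (`--batch`, `--local-user`, `--output`, `--detach-sign`) GnuPG 2.1+ asks gpg-agent instead, so this line is presumably a no-op that works only because the import step preset the passphrase in the agent. If stdin is meant to be the source, add the `--pinentry-mode loopback --passphrase-fd 0` options to `args` ahead of `--detach-sign`; otherwise drop `stdin` so the passphrase is not piped to a subprocess for nothing. The same block reappears, moved and with `-u`, in the goreleaser hunk of the next patch (`@@ -251,6 +254,19`), where the same applies. The `signs` entry this extends starts before the hunk.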
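Review bot: The `save gpg key` step writes the private signing key to `gpg.txt` in the checked-out workspace with the runner's default umask, and the matching `remove gpg key` step added in the `@@ -92,6 +98,12` hunk has no `if:` condition, so whenever GoReleaser fails the key stays in the build tree for every later step of the job. Run the removal unconditionally with `if: always()`, and restrict the file on creation, `run: umask 077; echo "$GPG_KEY" > gpg.txt` (or write it under `$RUNNER_TEMP` and point `GPG_FILE` at that path so it never sits in the workspace). Passing the secret through `env:` rather than interpolating it into the script is the right pattern and should be kept. The job's remaining steps are outside these hunks.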
@@ -251,6 +254,19 @@ docker_manifests: - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-ppc64le' signs: +- id: "gpg signing" + artifacts: all + signature: "${artifact}.gpg.sig" + args: + - "--batch" + - "-u" + - "{{ .Env.GPG_FINGERPRINT }}" + - "--output" + - "${signature}" + - "--detach-sign" + - "${artifact}" + output: true + stdin: '{{ .Env.GPG_PASSPHRASE }}' - cmd: cosign env: - COSIGN_EXPERIMENTAL=1 @@ -264,19 +280,6 @@ signs: - "${artifact}" artifacts: all output: true -- id: "gpg signing" - artifacts: package - signature: "${artifact}.gpg.sig" - args: - - "--batch" - - "--local-user" - - "{{ .Env.GPG_FINGERPRINT }}" - - "--output" - - "${signature}" - - "--detach-sign" - - "${artifact}" - output: true - stdin: '{{ .Env.GPG_PASSPHRASE }}' docker_signs: - cmd: cosign From bdbb2de9b73d14c4c1544d6aed499981a27ff959 Mon Sep 17 00:00:00 2001 From: afdesk Date: Wed, 22 Mar 2023 19:56:48 +0600 Subject: [PATCH 06/10] remove environment --- .github/workflows/reusable-release.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index 5f9220bf3ad..b0c0ab5c79e 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml @@ -19,7 +19,6 @@ jobs: release: name: Release runs-on: ubuntu-latest - environment: AQUA_ENVIRONMENT env: DOCKER_CLI_EXPERIMENTAL: "enabled" permissions: From 42859a90352b38bacb1231a63ccfc1cbd264b162 Mon Sep 17 00:00:00 2001 From: AMF Date: Thu, 23 Mar 2023 11:08:14 +0600 Subject: [PATCH 07/10] remove irrelevant block --- .github/workflows/release.yaml | 3 +++ .github/workflows/reusable-release.yaml | 9 --------- goreleaser.yml | 13 ------------- 3 files changed, 3 insertions(+), 22 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 3db71db4ef8..ee2b7c54ba7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -50,5 +50,8 @@ jobs: - name: Create rpm repository run: ci/deploy-rpm.sh + - name: Import GPG key + run: echo -e "${{ secrets.GPG_KEY }}" | gpg --import + - name: Create deb repository run: ci/deploy-deb.sh diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index b0c0ab5c79e..3bbcfaa511a 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml @@ -75,13 +75,6 @@ jobs: args: mod -licenses -json -output bom.json version: ^v1 - - name: Import GPG key - id: import_gpg - uses: crazy-max/ghaction-import-gpg@v5 - with: - gpg_private_key: ${{ secrets.GPG_KEY }} - passphrase: ${{ secrets.GPG_PASSPHRASE }} - - name: "save gpg key" env: GPG_KEY: ${{ secrets.GPG_KEY }} @@ -95,8 +88,6 @@ jobs: args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}} env: GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }} - GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} GPG_FILE: "gpg.txt" diff --git a/goreleaser.yml b/goreleaser.yml index 5c1360e50a5..82393c97d10 100644 --- a/goreleaser.yml +++ b/goreleaser.yml @@ -254,19 +254,6 @@ docker_manifests: - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-ppc64le' signs: -- id: "gpg signing" - artifacts: all - signature: "${artifact}.gpg.sig" - args: - - "--batch" - - "-u" - - "{{ .Env.GPG_FINGERPRINT }}" - - "--output" - - "${signature}" - - "--detach-sign" - - "${artifact}" - output: true - stdin: '{{ .Env.GPG_PASSPHRASE }}' - cmd: cosign env: - COSIGN_EXPERIMENTAL=1 From 44d25ded8ff02381d2ebe35f4cd8a20757f5c7ee Mon Sep 17 00:00:00 2001 From: AMF Date: Thu, 23 Mar 2023 11:47:39 +0600 Subject: [PATCH 08/10] update the docs --- docs/getting-started/installation.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
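Review bot: The restored `Import GPG key` step in `release.yaml` interpolates `${{ secrets.GPG_KEY }}` directly into the shell script, so the key material is expanded into the command text at template time instead of being read from the environment, and `echo -e` additionally rewrites any backslash sequences in it (which only matters if the secret is stored with literal `\n`). Pass it the way the `save gpg key` step in `reusable-release.yaml` already does: `env:` / `  GPG_KEY: ${{ secrets.GPG_KEY }}` / `run: echo "$GPG_KEY" | gpg --import`. The job containing this step starts and ends outside the hunk.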
diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md index e9e8bf04375..0b5c688ade4 100644 --- a/docs/getting-started/installation.md +++ b/docs/getting-started/installation.md @@ -15,8 +15,9 @@ In this section you will find an aggregation of the different ways to install Tr [trivy] name=Trivy repository baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/ - gpgcheck=0 + gpgcheck=1 enabled=1 + gpgkey=https://aquasecurity.github.io/trivy-repo/deb/public.key EOF sudo yum -y update sudo yum -y install trivy From 6eed130da9ce96527c1a7a54053c71c178d91f0a Mon Sep 17 00:00:00 2001 From: afdesk Date: Thu, 23 Mar 2023 19:57:01 +0600 Subject: [PATCH 09/10] add GPG_FILE env variable for the build test --- .github/workflows/test.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 41d230cef24..94e36c6eda5 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -120,4 +120,5 @@ jobs: with: version: v1.4.1 args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m - + env: + GPG_FILE: "nofile" From 3f7e5f26e1caaca2d12662048a75214d21cf4355 Mon Sep 17 00:00:00 2001 From: AMF Date: Thu, 23 Mar 2023 23:07:08 +0600 Subject: [PATCH 10/10] docs: update url to the RPM public key --- docs/getting-started/installation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md index 0b5c688ade4..92adf2fe58a 100644 --- a/docs/getting-started/installation.md +++ b/docs/getting-started/installation.md 
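Review bot: `GPG_FILE: "nofile"` in `test.yaml` is an unexplained placeholder; a reader cannot tell why a snapshot build needs a non-existent key path. It is presumably there because `goreleaser.yml` now templates `{{ .Env.GPG_FILE }}` for the RPM signature and rendering fails on an unset variable, while `--skip-sign` keeps the file from being read. Add a comment above the line, e.g. `# goreleaser.yml templates .Env.GPG_FILE for RPM signing; signing is skipped here, so any value suffices`, and confirm in CI that `--skip-sign` really covers nfpm's RPM signing and not only the `signs` section. The step's `uses:` line is outside the hunk.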
@@ -17,7 +17,7 @@ In this section you will find an aggregation of the different ways to install Tr baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/ gpgcheck=1 enabled=1 - gpgkey=https://aquasecurity.github.io/trivy-repo/deb/public.key + gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key EOF sudo yum -y update sudo yum -y install trivy