Skip to content

image signing and provenance generation #91

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
JamesLaverack merged 1 commit into from
May 23, 2023
Merged

image signing and provenance generation #91

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions .github/workflows/publish.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,13 @@ env:
jobs:
paranoia-inception:
runs-on: ubuntu-latest
outputs:
image: ${{ steps.build-and-push.outputs.image }}
digest: ${{ steps.build-and-push.outputs.digest }}
permissions:
contents: read
packages: write
id-token: write # for creating OIDC tokens for signing.
steps:
- name: Log in to the Container registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
Expand All @@ -32,6 +36,14 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
uses: sigstore/cosign-installer@204a51a57a74d190b284a0ce69b44bc37201f343 #v3.0.3
with:
cosign-release: 'v2.0.2'


- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea
Expand All @@ -57,6 +69,7 @@ jobs:

- name: Build and push
uses: docker/build-push-action@v3
id: build-and-push
with:
context: .
platforms: linux/amd64,linux/arm64
Expand All @@ -65,3 +78,33 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max

# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
# repository is public to avoid leaking data. If you would like to publish
# transparency data even for private images, pass --force to cosign below.
# https://github.com/sigstore/cosign
- name: Sign the published Docker image
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
env:
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

provenance-for-images:
needs: [paranoia-inception]
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.6.0
Copy link

@laurentsimon laurentsimon May 23, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: you can use https://github.com/slsa-framework/slsa-verifier to verify SLSA provenance (slsa.dev), both for containers and binaries. You may add a section in your README to help users with verification

with:
image: ghcr.io/${{ github.repository }}
# The image digest is used to prevent TOCTOU issues.
# This is an output of the docker/build-push-action
# See: https://github.com/slsa-framework/slsa-verifier#toctou-attacks
digest: ${{ needs.paranoia-inception.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
18 changes: 18 additions & 0 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ jobs:
needs:
- build
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
permissions:
contents: write
steps:
Expand All @@ -54,10 +56,26 @@ jobs:
mv paranoia-linux-arm64/paranoia bin/paranoia-linux-arm64
mkdir man
mv man-pages/* man/
- name: Generate hashes
shell: bash
id: hash
run: |
echo "hashes=$(sha256sum bin/paranoia-darwin-amd64 bin/paranoia-darwin-arm64 bin/paranoia-linux-amd64 bin/paranoia-linux-arm64 | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Release
uses: softprops/action-gh-release@v1
with:
files: |
LICENSE.txt
bin/paranoia-*
man/*

provenance-for-binaries:
needs:
- release
permissions:
actions: read # Needed for detection of GitHub Actions environment.
id-token: write # Needed for provenance signing and ID.
contents: write # Needed for release uploads.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
with:
base64-subjects: "${{ needs.release.outputs.hashes }}"