sign binaries and images with sigstore cosign (#207)

also generate sboms for archives and packages Signed-off-by: cpanato <ctadeu@gmail.com>
open-telemetry · Feb 14, 2024 · 5671ef8 · 5671ef8
1 parent a4aba56
commit 5671ef8
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 5 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -30,7 +30,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: sigstore/cosign-installer@v2
+      - uses: sigstore/cosign-installer@v3
+
+      - uses: anchore/sbom-action/download-syft@v0.14.3
 
       - uses: docker/setup-qemu-action@v3
         with:
@@ -73,7 +75,7 @@ jobs:
           GOOS: ${{ matrix.GOOS }}
           GOARCH: ${{ matrix.GOARCH }}
           GITHUB_TOKEN: ${{ secrets.GH_PAT }}
-          COSIGN_EXPERIMENTAL: true
+          COSIGN_YES: true
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
 
       - uses: actions/upload-artifact@v3
@@ -96,7 +98,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: sigstore/cosign-installer@v2
+      - uses: sigstore/cosign-installer@v3
 
       - uses: anchore/sbom-action/download-syft@v0.15.8
 
@@ -134,5 +136,5 @@ jobs:
           args: continue --merge --timeout 2h
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COSIGN_EXPERIMENTAL: true
+          COSIGN_YES: true
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -1,6 +1,8 @@
 partial:
   by: target
 project_name: opentelemetry-collector-releases
+env:
+    - COSIGN_YES=true
 builds:
     - id: otelcol
       goos:
@@ -430,3 +432,26 @@ docker_manifests:
         - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-arm64
         - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-ppc64le
         - ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest-s390x
+
+signs:
+    - cmd: cosign
+      args:
+        - sign-blob
+        - --output-signature
+        - ${artifact}.sig
+        - --output-certificate
+        - ${artifact}.pem
+        - ${artifact}
+      signature: ${artifact}.sig
+      artifacts: all
+      certificate: ${artifact}.pem
+docker_signs:
+    - args:
+        - sign
+        - ${artifact}
+      artifacts: all
+sboms:
+    - id: archive
+      artifacts: archive
+    - id: package
+      artifacts: package
diff --git a/cmd/goreleaser/internal/configure.go b/cmd/goreleaser/internal/configure.go
@@ -42,12 +42,15 @@ func Generate(imagePrefixes []string, dists []string) config.Project {
 		Checksum: config.Checksum{
 			NameTemplate: "{{ .ProjectName }}_checksums.txt",
 		},
-
+		Env:             []string{"COSIGN_YES=true"},
 		Builds:          Builds(dists),
 		Archives:        Archives(dists),
 		NFPMs:           Packages(dists),
 		Dockers:         DockerImages(imagePrefixes, dists),
 		DockerManifests: DockerManifests(imagePrefixes, dists),
+		Signs:           Sign(),
+		DockerSigns:     DockerSigns(),
+		SBOMs:           SBOM(),
 	}
 }
 
@@ -254,3 +257,47 @@ func archName(arch, armVersion string) string {
 		return arch
 	}
 }
+
+func Sign() []config.Sign {
+	return []config.Sign{
+		{
+			Artifacts:   "all",
+			Signature:   "${artifact}.sig",
+			Certificate: "${artifact}.pem",
+			Cmd:         "cosign",
+			Args: []string{
+				"sign-blob",
+				"--output-signature",
+				"${artifact}.sig",
+				"--output-certificate",
+				"${artifact}.pem",
+				"${artifact}",
+			},
+		},
+	}
+}
+
+func DockerSigns() []config.Sign {
+	return []config.Sign{
+		{
+			Artifacts: "all",
+			Args: []string{
+				"sign",
+				"${artifact}",
+			},
+		},
+	}
+}
+
+func SBOM() []config.SBOM {
+	return []config.SBOM{
+		{
+			ID:        "archive",
+			Artifacts: "archive",
+		},
+		{
+			ID:        "package",
+			Artifacts: "package",
+		},
+	}
+}