Attest the container using cosign

Signed-off-by: Marco Franssen <marco.franssen@philips.com>
philips-labs · Dec 24, 2021 · 7e2ee54 · 7e2ee54
1 parent a8bd75c
commit 7e2ee54
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 1 deletion.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -136,7 +136,12 @@ jobs:
         repo: ${{ fromJSON(needs.release.outputs.container_repos) }}
 
     steps:
-      - name: Generate provenance for Release
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v1.4.1
+        with:
+          cosign-release: 'v1.4.1'
+
+      - name: Generate provenance for ${{ matrix.repo }}
         uses: philips-labs/slsa-provenance-action@v0.4.0
         with:
           command: generate
@@ -146,6 +151,30 @@ jobs:
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
+      - name: Login to Container registries
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io
+
+      - name: Attach provenance to image
+        run: |
+          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
+          cosign attest --predicate provenance.json --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+
+      - name: Verify attestation
+        run: |
+          echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
+          cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
+
+      - name: Logout from Container registries
+        if: ${{ always() }}
+        run: |
+          docker logout
+          docker logout ghcr.io
+
   provenance:
     name: provenance
     needs: [release]

diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@ dist/
 coverage.out
 .DS_Store
 .env
+cosign.key
diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEP1QqZaWSrMJKZkqoAbr5zq4bV4KW
+9Vj+FQotHLTsxIM16+OAx8NbUOzmga9aaKEtAee5wXD3dvWpFX0gKXMBqA==
+-----END PUBLIC KEY-----