Add signing of release artifacts and containers

Signed-off-by: Marco Franssen <marco.franssen@philips.com>
philips-labs · Jan 14, 2022 · fae521a · fae521a
1 parent 3511795
commit fae521a
Show file tree

Hide file tree

Showing 3 changed files with 118 additions and 4 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -76,6 +76,11 @@ jobs:
         with:
           go-version: 1.17
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v1.4.1
+        with:
+          cosign-release: 'v1.4.1'
+
       - name: Checkout
         uses: actions/checkout@v2.4.0
         with:
@@ -100,6 +105,10 @@ jobs:
           fi
           rm -f /tmp/spiffe-vault-release-vars.env
 
+      - name: Install signing key
+        run: |
+          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
+
       - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }}
         uses: goreleaser/goreleaser-action@v2
         with:
@@ -109,6 +118,7 @@ jobs:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }}
           GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
       - name: Get container info
         id: container_info
@@ -125,6 +135,10 @@ jobs:
           docker logout
           docker logout ghcr.io
 
+      - name: Cleanup signing keys
+        if: ${{ always() }}
+        run: rm -f cosign.key
+
   container-provenance:
     name: container-provenance
     needs: [release]
@@ -177,6 +191,7 @@ jobs:
         run: |
           docker logout
           docker logout ghcr.io
+          rm -f cosign.key
 
   provenance:
     name: provenance

diff --git a/.goreleaser.draft.yml b/.goreleaser.draft.yml
@@ -30,10 +30,15 @@ archives:
     files:
       - LICENSE*
       - README*
+      - cosign.pub
+      - dist/*.sig
     format_overrides:
       - goos: windows
         format: zip
 
+checksum:
+  name_template: 'checksums.txt'
+
 dockers:
   - goos: linux
     goarch: amd64
@@ -57,8 +62,57 @@ dockers:
       - "go.sum"
       - "cmd"
       - "lib"
-checksum:
-  name_template: 'checksums.txt'
+
+signs:
+  - id: checksums
+    cmd: cosign
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    certificate: '${artifact}.pem'
+    output: true
+    artifacts: checksum
+    args:
+      - sign-blob
+      - --key
+      - cosign.key
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+  - id: binaries
+    cmd: cosign
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem'
+    output: true
+    artifacts: binary
+    args:
+      - sign-blob
+      - --key
+      - cosign.key
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+  - id: archives
+    cmd: cosign
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem'
+    output: true
+    artifacts: archive
+    args:
+      - sign-blob
+      - --key
+      - cosign.key
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+
+docker_signs:
+  - cmd: cosign
+    artifacts: manifests
+    output: true
+    args:
+      - 'sign'
+      - --key
+      - cosign.key
+      - '${artifact}'
 
 snapshot:
   name_template: "{{ .Version }}-next"
@@ -75,3 +129,5 @@ changelog:
 release:
   draft: true
   prerelease: auto
+  extra_files:
+    - glob: "./cosign.pub"
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -30,10 +30,15 @@ archives:
     files:
       - LICENSE*
       - README*
+      - cosign.pub
+      - dist/*.sig
     format_overrides:
       - goos: windows
         format: zip
 
+checksum:
+  name_template: 'checksums.txt'
+
 dockers:
   - goos: linux
     goarch: amd64
@@ -57,8 +62,44 @@ dockers:
       - "go.sum"
       - "cmd"
       - "lib"
-checksum:
-  name_template: 'checksums.txt'
+
+signs:
+  - id: checksums
+    cmd: cosign
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    certificate: '${artifact}.pem'
+    output: true
+    artifacts: checksum
+    args:
+      - sign-blob
+      - --key
+      - cosign.key
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+  - id: archives
+    cmd: cosign
+    stdin: '{{ .Env.COSIGN_PASSWORD }}'
+    certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem'
+    output: true
+    artifacts: archive
+    args:
+      - sign-blob
+      - --key
+      - cosign.key
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+
+docker_signs:
+  - cmd: cosign
+    artifacts: manifests
+    output: true
+    args:
+      - 'sign'
+      - --key
+      - cosign.key
+      - '${artifact}'
 
 snapshot:
   name_template: "{{ .Version }}-next"
@@ -75,3 +116,5 @@ changelog:
 release:
   draft: false
   prerelease: auto
+  extra_files:
+    - glob: "./cosign.pub"