diff --git a/.tekton/client-server-pull-request.yaml b/.tekton/client-server-pull-request.yaml
index 40f8d00db9d..4c02ef4dfc2 100644
--- a/.tekton/client-server-pull-request.yaml
+++ b/.tekton/client-server-pull-request.yaml
@@ -33,6 +33,8 @@ spec:
 value: "true"
 - name: build-source-image
 value: "true"
+ - name: fips-check
+ value: "true"
 pipelineRef:
 params:
 - name: url
diff --git a/.tekton/client-server-push.yaml b/.tekton/client-server-push.yaml
index bee5271d831..386b44bcb0e 100644
--- a/.tekton/client-server-push.yaml
+++ b/.tekton/client-server-push.yaml
@@ -30,6 +30,8 @@ spec:
 value: "true"
 - name: build-source-image
 value: "true"
+ - name: fips-check
+ value: "true"
 pipelineRef:
 params:
 - name: url
diff --git a/.tekton/cosign-pull-request.yaml b/.tekton/cosign-pull-request.yaml
index cc377304ee5..eb5842dce11 100644
--- a/.tekton/cosign-pull-request.yaml
+++ b/.tekton/cosign-pull-request.yaml
@@ -41,6 +41,14 @@ spec:
 value: "true"
 - name: go_unit_test
 value: "true"
+ - name: build-platforms
+ value:
+ - linux/x86_64
+ - linux/arm64
+ - linux/ppc64le
+ - linux/s390x
+ - name: fips-check
+ value: "true"
 pipelineRef:
 params:
 - name: url
@@ -48,7 +56,7 @@ spec:
 - name: revision
 value: main
 - name: pathInRepo
- value: pipelines/docker-build-oci-ta.yaml
+ value: pipelines/docker-build-multi-platform-oci-ta.yaml
 resolver: git
 taskRunSpecs:
 - pipelineTaskName: run-unit-test
diff --git a/.tekton/cosign-push.yaml b/.tekton/cosign-push.yaml
index a69b57292ee..aeb8857ba3b 100644
--- a/.tekton/cosign-push.yaml
+++ b/.tekton/cosign-push.yaml
@@ -38,6 +38,14 @@ spec:
 value: "true"
 - name: go_unit_test
 value: "true"
+ - name: build-platforms
+ value:
+ - linux/x86_64
+ - linux/arm64
+ - linux/ppc64le
+ - linux/s390x
+ - name: fips-check
+ value: "true"
 pipelineRef:
 params:
 - name: url
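Review bot: The new `pathInRepo` value `pipelines/docker-build-multi-platform-oci-ta.yaml` is fetched by the git resolver at `revision: main` (the context line two above it), so the pipeline that builds and pushes this image is whatever that branch contains when the PipelineRun starts, not a definition fixed by this commit. If the upstream pipeline repository is one this project controls, or tracking its `main` branch is the expected contract, a comment on the `pathInRepo` line saying so would settle it; otherwise pinning `revision` to a commit (`value: "<pinned commit>"`) and bumping it deliberately would make pipeline changes reviewable in this repository. The same change appears in the second hunk of `.tekton/cosign-push.yaml`. The client-server pipelines receive `fips-check` but not `build-platforms`, which reads as intentional but would be worth a one-line comment next to the new parameter.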
@@ -45,7 +53,7 @@ spec:
 - name: revision
 value: main
 - name: pathInRepo
- value: pipelines/docker-build-oci-ta.yaml
+ value: pipelines/docker-build-multi-platform-oci-ta.yaml
 resolver: git
 taskRunSpecs:
 - pipelineTaskName: run-unit-test
diff --git a/Build.mak b/Build.mak
index 98d0ffe71f0..9ee894e6857 100644
--- a/Build.mak
+++ b/Build.mak
@@ -1,4 +1,3 @@
-
 GIT_VERSION ?= $(shell git describe --tags --always --dirty)
 GIT_HASH ?= $(shell git rev-parse HEAD)
 DATE_FMT = +%Y-%m-%dT%H:%M:%SZ
@@ -18,34 +17,19 @@ LDFLAGS=-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$(GIT_VERSION)
 -X sigs.k8s.io/release-utils/version.gitCommit=$(GIT_HASH) \
 -X sigs.k8s.io/release-utils/version.gitTreeState=$(GIT_TREESTATE) \
 -X sigs.k8s.io/release-utils/version.buildDate=$(BUILD_DATE)
+FIPS_MODULE ?= latest
 .PHONY:
-cross-platform: cosign-darwin-arm64 cosign-darwin-amd64 cosign-linux-amd64 cosign-linux-arm64 cosign-linux-ppc64le cosign-linux-s390x cosign-windows-amd64 ## Build all distributable (cross-platform) binaries
+cross-platform: cosign-darwin-arm64 cosign-darwin-amd64 cosign-windows-amd64 ## Build all distributable (cross-platform) binaries
 .PHONY: cosign-darwin-arm64
 cosign-darwin-arm64: ## Build for mac M1
- env CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o cosign-darwin-arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
+ env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=darwin GOARCH=arm64 go build -o cosign-darwin-arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
 .PHONY: cosign-darwin-amd64
 cosign-darwin-amd64: ## Build for Darwin (macOS)
- env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o cosign-darwin-amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-amd64
-cosign-linux-amd64: ## Build for Linux amd64
- env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o cosign-linux-amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-arm64
-cosign-linux-arm64: ## Build for Linux arm64
- env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o cosign-linux-arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-ppc64le
-cosign-linux-ppc64le: ## Build for Linux ppc64le
- env CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build -o cosign-linux-ppc64le -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-s390x
-cosign-linux-s390x: ## Build for Linux s390x
- env CGO_ENABLED=0 GOOS=linux GOARCH=s390x go build -o cosign-linux-s390x -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
+ env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=darwin GOARCH=amd64 go build -o cosign-darwin-amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
 .PHONY: cosign-windows-amd64
 cosign-windows-amd64: ## Build for Windows
- env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o cosign-windows-amd64.exe -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
+ env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=windows GOARCH=amd64 go build -o cosign-windows-amd64.exe -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
diff --git a/Dockerfile.cosign.rh b/Dockerfile.cosign.rh
index 8073aa7e62c..ce4d49b7f2d 100644
--- a/Dockerfile.cosign.rh
+++ b/Dockerfile.cosign.rh
@@ -1,6 +1,5 @@
 # Build stage
-
-FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:380d6de9bbc5a42ca13d425be99958fb397317664bb8a00e49d464e62cc8566c AS build-env
+FROM registry.redhat.io/ubi9/go-toolset:9.7 AS build-env
 ENV GOEXPERIMENT=strictfipsruntime
 ENV CGO_ENABLED=1
@@ -14,12 +13,14 @@ RUN git config --global --add safe.directory /cosign && \
 export GIT_HASH=$(git rev-parse HEAD) && \
 export BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') && \
 go mod vendor && \
+ GIT_TREESTATE=clean && \
+ LDFLAGS="-X sigs.k8s.io/release-utils/version.gitVersion=${GIT_VERSION} \
+ -X sigs.k8s.io/release-utils/version.gitCommit=${GIT_HASH} \
+ -X sigs.k8s.io/release-utils/version.gitTreeState=${GIT_TREESTATE} \
+ -X sigs.k8s.io/release-utils/version.buildDate=${BUILD_DATE}"; \
+ go build -o cosign-linux -trimpath -ldflags "${LDFLAGS} -w -s" ./cmd/cosign && \
+ gzip -k cosign-linux && \
 make -f Build.mak cross-platform && \
- cp cosign-linux-amd64 cosign && \
- gzip cosign-linux-amd64 && \
- gzip cosign-linux-ppc64le && \
- gzip cosign-linux-s390x && \
- gzip cosign-linux-arm64 && \
 gzip cosign-darwin-amd64 && \
 gzip cosign-darwin-arm64 && \
 gzip cosign-windows-amd64.exe && \
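Review bot: `FIPS_MODULE ?= latest` makes the darwin and windows targets pass `GOFIPS140=latest`, which selects whichever FIPS 140-3 module version the installed Go toolchain ships rather than one specific validated version, so the module embedded in a release can change silently with a toolchain update. If these binaries are meant to carry a validated module, pin it (`FIPS_MODULE ?= v1.0.0`, or whichever version has actually been validated) and leave `latest` to developers overriding on the command line, which the `?=` already allows. A comment above the variable stating what `latest`, `off` and a pinned version mean for these targets would help, since nothing in the hunk explains the choice. It is also worth confirming, in that comment, that this experiment-free `GOFIPS140` path is intended for the cross builds even though they run inside an image that exports `GOEXPERIMENT=strictfipsruntime` (see Dockerfile.cosign.rh in the same commit).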
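Review bot: The replacement `FROM registry.redhat.io/ubi9/go-toolset:9.7 AS build-env` drops the `@sha256:...` digest that the removed line carried, so the build stage now resolves a mutable tag and the toolchain producing a signing tool's release binaries can change without any change to this repository, which weakens reproducibility and provenance. If the old digest simply went stale, re-pin to the current one (`FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:<current digest> AS build-env`) rather than leaving the tag floating; if floating is intentional because an automated process re-pins it on merge, a comment on the FROM line saying so would stop the next reviewer from raising this again.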
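Review bot: `GIT_TREESTATE=clean` is hard-coded, so the `gitTreeState` baked into `cosign-linux` reports a clean tree even when the build ran on a modified checkout; deriving it from the repository, e.g. `GIT_TREESTATE=$(test -z "$(git status --porcelain)" && echo clean || echo dirty) && \`, keeps it honest and consistent with `GIT_VERSION` if that is derived with `--dirty` as Build.mak's default is. The linux binary is built here under the image's `GOEXPERIMENT=strictfipsruntime` and `CGO_ENABLED=1`, while the darwin and windows binaries from `make -f Build.mak cross-platform` are built with `CGO_ENABLED=0` and `GOFIPS140`, so the artifacts get their FIPS behaviour from two different mechanisms; a comment above the `go build` line stating which of them is the validated build would keep the others from being shipped as equivalent. The `;` ending the `LDFLAGS=` assignment is harmless since an assignment cannot fail, but `&& \` would match the surrounding lines. The RUN instruction begins before this hunk.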
@@ -36,27 +37,20 @@ LABEL summary="Provides the cosign CLI binary for signing and verifying containe
 LABEL com.redhat.component="cosign"
 LABEL name="rhtas/cosign-rhel9"
+COPY --from=build-env /cosign/cosign-linux /usr/local/bin/cosign
+COPY --from=build-env /cosign/cosign-linux.gz /usr/local/bin/cosign.gz
 COPY --from=build-env /cosign/cosign-darwin-amd64.gz /usr/local/bin/cosign-darwin-amd64.gz
 COPY --from=build-env /cosign/cosign-windows-amd64.exe.gz /usr/local/bin/cosign-windows-amd64.exe.gz
 COPY --from=build-env /cosign/cosign-darwin-arm64.gz /usr/local/bin/cosign-darwin-arm64.gz
-COPY --from=build-env /cosign/cosign-linux-arm64.gz /usr/local/bin/cosign-linux-arm64.gz
-COPY --from=build-env /cosign/cosign-linux-ppc64le.gz /usr/local/bin/cosign-linux-ppc64le.gz
-COPY --from=build-env /cosign/cosign-linux-s390x.gz /usr/local/bin/cosign-linux-s390x.gz
-COPY --from=build-env /cosign/cosign-linux-amd64.gz /usr/local/bin/cosign-linux-amd64.gz
-COPY --from=build-env /cosign/cosign /usr/local/bin/cosign
 COPY LICENSE /licenses/license.txt
-RUN chown root:0 /usr/local/bin/cosign && \
- chmod g+wx /usr/local/bin/cosign && \
+RUN chown root:0 /usr/local/bin/cosign && chmod g+wx /usr/local/bin/cosign && \
+ chown root:0 /usr/local/bin/cosign.gz && chmod g+wx /usr/local/bin/cosign.gz && \
 chown root:0 /usr/local/bin/cosign-darwin-amd64.gz && chmod g+wx /usr/local/bin/cosign-darwin-amd64.gz && \
 chown root:0 /usr/local/bin/cosign-darwin-arm64.gz && chmod g+wx /usr/local/bin/cosign-darwin-arm64.gz && \
- chown root:0 /usr/local/bin/cosign-windows-amd64.exe.gz && chmod g+wx /usr/local/bin/cosign-windows-amd64.exe.gz && \
- chown root:0 /usr/local/bin/cosign-linux-arm64.gz && chmod g+wx /usr/local/bin/cosign-linux-arm64.gz && \
- chown root:0 /usr/local/bin/cosign-linux-amd64.gz && chmod g+wx /usr/local/bin/cosign-linux-amd64.gz && \
- chown root:0 /usr/local/bin/cosign-linux-ppc64le.gz && chmod g+wx /usr/local/bin/cosign-linux-ppc64le.gz && \
- chown root:0 /usr/local/bin/cosign-linux-s390x.gz && chmod g+wx /usr/local/bin/cosign-linux-s390x.gz
+ chown root:0 /usr/local/bin/cosign-windows-amd64.exe.gz && chmod g+wx /usr/local/bin/cosign-windows-amd64.exe.gz
-##Configure home directory
+# Configure home directory
 ENV HOME=/home
 RUN chgrp -R 0 /${HOME} && chmod -R g=u /${HOME}