use gcp kms to sign the release (#427)

* use gcp kms to sign Signed-off-by: Carlos Panato <ctadeu@gmail.com> * add release-cosign.pub key Signed-off-by: Carlos Panato <ctadeu@gmail.com>
sigstore · Jul 12, 2021 · 9204f4e · 9204f4e
1 parent 47c48ce
commit 9204f4e
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 10 deletions.
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -73,7 +73,7 @@ signs:
   - id: cosign
     signature: "${artifact}.sig"
     cmd: ./dist/cosign-linux_linux_amd64/cosign_linux_amd64
-    args: ["sign-blob", "-output", "${artifact}.sig", "-key", "./.github/workflows/cosign.key", "${artifact}"]
+    args: ["sign-blob", "-output", "${artifact}.sig", "-key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
     artifacts: binary
     stdin: "{{ .Env.COSIGN_PASSWORD }}"
 
@@ -95,4 +95,4 @@ release:
     ### Thanks for all contributors!
 
   extra_files:
-    - glob: "./.github/workflows/cosign.pub"
+    - glob: "./release/release-cosign.pub"
diff --git a/Makefile b/Makefile
@@ -111,5 +111,5 @@ docker-cloudbuild:
 sign-container-cloudbuild: docker-cloudbuild
 	docker push gcr.io/${PROJECT_ID}/cosign:$(GIT_HASH)
 	docker push gcr.io/${PROJECT_ID}/cosign:$(GIT_TAG)
-	cosign sign -key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) gcr.io/${PROJECT_ID}/cosign:$(GIT_HASH)
-	cosign sign -key .github/workflows/cosign.key -a GIT_TAG=$(GIT_TAG) gcr.io/${PROJECT_ID}/cosign:$(GIT_TAG)
+	cosign sign -key gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION} -a GIT_HASH=$(GIT_HASH) gcr.io/${PROJECT_ID}/cosign:$(GIT_HASH)
+	cosign sign -key gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION} -a GIT_TAG=$(GIT_TAG) gcr.io/${PROJECT_ID}/cosign:$(GIT_TAG)
diff --git a/release/README.md b/release/README.md
@@ -11,7 +11,7 @@ This directory contain the files and scripts to run a cosign release.
 
 ```shell
 $ gcloud builds submit --config <PATH_TO_CLOUDBUILD> \
-   --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=cosign,_TOOL_REF=main,_STORAGE_LOCATION=cosign-releases \
+   --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=cosign,_TOOL_REF=main,_STORAGE_LOCATION=cosign-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME> \
    --project <GCP_PROJECT>
 ```
 
@@ -24,6 +24,11 @@ Where:
 - `_TOOL_REPO` is the repository we will use to clone. Default `cosign`.
 - `_TOOL_REF` is the branch we will use to cut a release. Default `main`.
 - `_STORAGE_LOCATION` where to push the built artifacts. Default `cosign-releases`.
+- `_KEY_RING` key ring name of your cosign key.
+- `_KEY_NAME` key name of your  cosign key.
+- `_KEY_VERSION` version of the key storaged in KMS. Default `1`.
+- `_KEY_LOCATION` location in GCP where the key is storaged. Default `global`.
+
 
 3. When the job finish, whithout issues, you should be able to see in GitHub a draft release.
 You now can review the release, make any changes if needed and then publish to make it an official release.

diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
@@ -39,9 +39,13 @@ steps:
   env:
   - "GOPATH=/workspace/go"
   - "GOBIN=/workspace/bin"
+  - PROJECT_ID=${PROJECT_ID}
+  - KEY_LOCATION=${_KEY_LOCATION}
+  - KEY_RING=${_KEY_RING}
+  - KEY_NAME=${_KEY_NAME}
+  - KEY_VERSION=${_KEY_VERSION}
   secretEnv:
   - GITHUB_TOKEN
-  - COSIGN_PASSWORD
   args:
     - '-c'
     - |
@@ -54,22 +58,22 @@ steps:
   env:
   - GIT_TAG=${_GIT_TAG}
   - PROJECT_ID=${PROJECT_ID}
+  - KEY_LOCATION=${_KEY_LOCATION}
+  - KEY_RING=${_KEY_RING}
+  - KEY_NAME=${_KEY_NAME}
+  - KEY_VERSION=${_KEY_VERSION}
   args:
   - '-c'
   - |
     apt-get update
     apt-get install libpcsclite-dev -y
     cp ./dist/cosign-linux_linux_amd64/cosign_linux_amd64 /usr/local/bin/cosign
     make sign-container-cloudbuild
-  secretEnv:
-  - COSIGN_PASSWORD
 
 availableSecrets:
   secretManager:
   - versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest
     env: GITHUB_TOKEN
-  - versionName: projects/${PROJECT_NUMBER}/secrets/COSIGN_PASSWORD/versions/latest
-    env: COSIGN_PASSWORD
 
 artifacts:
   objects:
@@ -94,3 +98,7 @@ substitutions:
   _TOOL_REPO: 'honk-repo'
   _TOOL_REF: 'release-honk'
   _STORAGE_LOCATION: 'honk'
+  _KEY_RING: 'honk-ring'
+  _KEY_NAME: 'honk-crypto'
+  _KEY_VERSION: '1'
+  _KEY_LOCATION: 'global'
diff --git a/release/release-cosign.pub b/release/release-cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
+IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
+-----END PUBLIC KEY-----