diff --git a/cmd/cmrel/cmd/gcb_publish.go b/cmd/cmrel/cmd/gcb_publish.go
index 932f98b..04df9bf 100644
--- a/cmd/cmrel/cmd/gcb_publish.go
+++ b/cmd/cmrel/cmd/gcb_publish.go
@@ -286,6 +286,11 @@ func runGCBPublish(rootOpts *rootOptions, o *gcbPublishOptions) error {
 if _, err := sign.NewGCPKMSKey(o.SigningKMSKey); err != nil {
 return err
 }
+
+ log.Printf("getting cosign version information")
+ if err := cosign.Version(ctx, o.CosignPath); err != nil {
+ return fmt.Errorf("failed to query cosign version: %w", err)
+ }
 }
 
 // fetch the staged release from GCS
@@ -523,9 +528,13 @@ func pushContainerImages(ctx context.Context, o *gcbPublishOptions, rel *release
 log.Printf("Pushed multi-arch manifest list %q", manifestListName)
 }
 
- if err := signRegistryContent(ctx, o, pushedContent); err != nil {
- return fmt.Errorf("failed to sign images: %w", err)
- }
+ // TODO: since cert-manager images are currently pushed to quay.io, we can't actually sign
+ // the images since quay doesn't support cosign signatures. when it's upgraded to 3.6, we can
+ // uncomment this and sign.
+ // see: https://github.com/sigstore/cosign/issues/40#issuecomment-833217878
+ // if err := signRegistryContent(ctx, o, pushedContent); err != nil {
+ // return fmt.Errorf("failed to sign images: %w", err)
+ // }
 
 return nil
 }
diff --git a/gcb/publish/cloudbuild.yaml b/gcb/publish/cloudbuild.yaml
index d55aae6..50ea3b3 100644
--- a/gcb/publish/cloudbuild.yaml
+++ b/gcb/publish/cloudbuild.yaml
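Review bot: The new `cosign.Version(ctx, o.CosignPath)` check only proves that whatever sits at `o.CosignPath` starts and exits zero; as far as this hunk shows, nothing compares the reported version with the release the build intended to use, even though the companion cloudbuild.yaml change now builds that binary from a git ref instead of a checksummed `go install`. Because this is the tool that produces the release signatures, it would be worth having the check surface the version string and fail the publish when it does not match the expected ref (which could be passed in alongside `CosignPath`). At minimum the log line could say what is being verified, e.g. `log.Printf("checking cosign binary at %q", o.CosignPath)`, so the build log shows which path was exercised. runGCBPublish begins and ends outside this hunk.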
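Review bot: With the `signRegistryContent` call commented out, pushContainerImages returns nil after pushing unsigned images without recording that fact, so a reader of the publish logs cannot tell whether signing was skipped or performed. Rather than leaving dead code under a TODO, keep the call behind an explicit switch and log the skip on the path that is now taken, e.g. `log.Printf("skipping cosign signing of pushed images: target registry does not support cosign signatures")`, which keeps the decision visible per run and easy to reverse once the registry is upgraded. If `pushedContent` is consumed only by the signing call it is now built for nothing; that needs checking against the rest of the function, which starts outside this hunk. Note also that the version check added earlier in runGCBPublish still requires a working cosign binary even though signing no longer happens.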
@@ -19,7 +19,22 @@ secrets:
 steps:
-## Clone & checkout the cert-manager release repository
+## Clone & checkout the cosign repository, then build and install
+# You'd think we could just use "go install" but the gopath setup in this builder container
+# is roughly equivalent to a labyrinth. Nothing works as expected in this image; running it
+# locally won't help. The original cmrel build below works, so I'm just copying that to end
+# the nightmares and the pain.
+- name: gcr.io/cloud-builders/go:alpine-1.16
+ dir: "go/src/github.com/sigstore/cosign"
+ entrypoint: sh
+ args:
+ - -c
+ - |
+ set -e
+ git clone "${_COSIGN_REPO_URL}" . && git checkout "${_COSIGN_REPO_REF}"
+ CGO_ENABLED=0 go build -o /workspace/go/bin/cosign ./cmd/cosign
+
+## Clone & checkout the cert-manager release repository, then build and install
 - name: gcr.io/cloud-builders/go:alpine-1.16
 dir: "go/src/github.com/cert-manager/release"
 entrypoint: sh
@@ -29,7 +44,6 @@ steps:
 set -e
 git clone "${_RELEASE_REPO_URL}" . && git checkout "${_RELEASE_REPO_REF}"
 CGO_ENABLED=0 go build -o /workspace/go/bin/cmrel ./cmd/cmrel
- GOBIN=/workspace/go/bin go install github.com/sigstore/cosign/cmd/cosign@v1.2.1
 
 ## Write DOCKER_CONFIG file to $HOME/.docker/config.json
 - name: gcr.io/cloud-builders/docker:19.03.8
@@ -92,5 +106,7 @@ substitutions:
 _PUBLISH_ACTIONS: "*"
 ## Used as a tag to identify the build more easily later
 _TAG_RELEASE_NAME: ""
- ## Points to cosign
+ ## Cosign details
+ _COSIGN_REPO_URL: https://github.com/sigstore/cosign
+ _COSIGN_REPO_REF: "v1.2.1"
 _COSIGN_PATH: "/workspace/go/bin/cosign"
diff --git a/pkg/sign/cosign/cosign.go b/pkg/sign/cosign/cosign.go
index a1c2d82..0d15d43 100644
--- a/pkg/sign/cosign/cosign.go
+++ b/pkg/sign/cosign/cosign.go
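Review bot: `git checkout "${_COSIGN_REPO_REF}"` together with `_COSIGN_REPO_REF: "v1.2.1"` in the substitutions hunk later in this file pins the signing tool to a git tag, and a tag can be moved or re-pushed; the `go install ...@v1.2.1` line this replaces was checked against the Go module checksum database, so the change weakens the provenance of the binary that signs the release. Prefer setting `_COSIGN_REPO_REF` to the full commit SHA that v1.2.1 resolves to (taken from the upstream repository, not recalled from memory) and, if the tag must stay, follow the checkout with `git verify-tag` or a `git rev-parse HEAD` comparison against the expected SHA so a mismatch fails the build. The comment block explaining why `go install` was abandoned would be more useful if it named the concrete failure seen, so the next person can retry the checksummed path once the builder image is fixed.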
@@ -33,3 +33,8 @@ func Sign(ctx context.Context, cosignPath string, containers []string, key sign.
 
 return shell.Command(ctx, "", cosignPath, args...)
 }
+
+// Version calls "cosign version", both for informational purposes and as a check that the binary exists
+func Version(ctx context.Context, cosignPath string) error {
+ return shell.Command(ctx, "", cosignPath, []string{"version"}...)
+}
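Review bot: `[]string{"version"}...` spreads a one-element literal into what the `args...` call just above suggests is a variadic `...string` tail; passing the string directly reads cleaner, `return shell.Command(ctx, "", cosignPath, "version")` (the variadic signature is inferred from the spread, not shown in the hunk). The doc comment also overstates the contract: a nil error means the binary at cosignPath ran and exited successfully, and whether the version text is surfaced anywhere depends on shell.Command, which is not visible here. A comment such as `// Version runs "cosign version", failing early if the binary at cosignPath is missing or does not run.` states what the code guarantees and ends with a period per Go doc convention.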