diff --git a/.cosign/README.md b/.cosign/README.md deleted file mode 100644 index a6f408456..000000000 --- a/.cosign/README.md +++ /dev/null @@ -1,50 +0,0 @@ -# Flagger signed releases - -Flagger releases published to GitHub Container Registry as multi-arch container images -are signed using [cosign](https://github.com/sigstore/cosign). - -## Verify Flagger images - -Install the [cosign](https://github.com/sigstore/cosign) CLI: - -```sh -brew install sigstore/tap/cosign -``` - -Verify a Flagger release with cosign CLI: - -```sh -cosign verify -key https://raw.githubusercontent.com/fluxcd/flagger/main/cosign/cosign.pub \ -ghcr.io/fluxcd/flagger:1.13.0 -``` - -Verify Flagger images before they get pulled on your Kubernetes clusters with [Kyverno](https://github.com/kyverno/kyverno/): - -```yaml -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-flagger-image - annotations: - policies.kyverno.io/title: Verify Flagger Image - policies.kyverno.io/category: Cosign - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.4.2 -spec: - validationFailureAction: enforce - background: false - rules: - - name: verify-image - match: - resources: - kinds: - - Pod - verifyImages: - - image: "ghcr.io/fluxcd/flagger:*" - key: |- - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEST+BqQ1XZhhVYx0YWQjdUJYIG5Lt - iz2+UxRIqmKBqNmce2T+l45qyqOs99qfD7gLNGmkVZ4vtJ9bM7FxChFczg== - -----END PUBLIC KEY----- -``` diff --git a/.cosign/cosign.key b/.cosign/cosign.key deleted file mode 100644 index 4e1345886..000000000 --- a/.cosign/cosign.key +++ /dev/null 
@@ -1,11 +0,0 @@ ------BEGIN ENCRYPTED COSIGN PRIVATE KEY----- -eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6 -OCwicCI6MX0sInNhbHQiOiIvK1MwbTNrU3pGMFFXdVVYQkFoY2gvTDc3NVJBSy9O -cnkzUC9iMkxBZGF3PSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94 -Iiwibm9uY2UiOiJBNEFYL2IyU1BsMDBuY3JUNk45QkNOb0VLZTZLZEluRCJ9LCJj -aXBoZXJ0ZXh0IjoiZ054UlJweXpraWtRMUVaRldsSnEvQXVUWTl0Vis2enBlWkIy -dUFHREMzOVhUQlAwaWY5YStaZTE1V0NTT2FQZ01XQmtSZWhrQVVjQ3dZOGF2WTZa -eFhZWWE3T1B4eFdidHJuSUVZM2hwZUk1M1dVQVZ6SXEzQjl0N0ZmV1JlVGsxdFlo -b3hwQmxUSHY4U0c2azdPYk1aQnJleitzSGRWclF6YUdMdG12V1FOMTNZazRNb25i -ZUpRSUJpUXFQTFg5NzFhSUlxU0dxYVhCanc9PSJ9 ------END ENCRYPTED COSIGN PRIVATE KEY----- diff --git a/.cosign/cosign.pub b/.cosign/cosign.pub deleted file mode 100644 index 5ce10489e..000000000 --- a/.cosign/cosign.pub +++ /dev/null @@ -1,4 +0,0 @@ ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEST+BqQ1XZhhVYx0YWQjdUJYIG5Lt -iz2+UxRIqmKBqNmce2T+l45qyqOs99qfD7gLNGmkVZ4vtJ9bM7FxChFczg== ------END PUBLIC KEY----- diff --git a/.github/workflows/push-ld.yml b/.github/workflows/push-ld.yml index bab8de918..19d32a222 100644 --- a/.github/workflows/push-ld.yml +++ b/.github/workflows/push-ld.yml @@ -12,9 +12,11 @@ jobs: release-load-tester: runs-on: ubuntu-latest permissions: + id-token: write packages: write steps: - uses: actions/checkout@v2 + - uses: sigstore/cosign-installer@main - name: Prepare id: prep run: | @@ -52,6 +54,8 @@ jobs: REVISION=${{ github.sha }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - - name: Check images + - name: Sign image + env: + COSIGN_EXPERIMENTAL: 1 run: | - docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }} + cosign sign ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 301d9e360..1914fcb5d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
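Review bot: `- uses: sigstore/cosign-installer@main` pins the tool that receives the job's newly granted `id-token: write` OIDC credential to a moving branch, so every run installs whatever that branch holds at the time; pin it to a release tag or a full commit SHA, e.g. `- uses: sigstore/cosign-installer@<pinned-tag-or-sha>`. The same `@main` reference is already present as context in release.yml (`@@ -18,7 +18,7`), so both workflows should be pinned together. `actions/checkout@v2` is left in this workflow while release.yml moves to `@v3` in the same commit; aligning the two avoids carrying different versions of the same step. The enclosing job continues past the end of the hunk.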
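Review bot: The new `cosign sign ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}` signs by tag, so the tag is resolved to a digest at signing time rather than at push time; if the tag is re-pushed between the build step and this step, the signature attaches to a different image than the one built. Signing the digest the build step reported closes that window, e.g. `cosign sign ${{ env.IMAGE }}@${{ steps.<build-step-id>.outputs.digest }}` (the build step and its id are outside this hunk; if it is docker/build-push-action its `digest` output provides the value). The same tag-based invocation is introduced in release.yml (`@@ -60,17 +60,10`). The removed `Check images` step is not replaced by any post-signing check, so a signature that failed to land on the pushed reference would not fail the workflow; a `cosign verify` step against the same reference would catch it. The steps list continues beyond both ends of the hunk.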
@@ -18,7 +18,7 @@ jobs: id-token: write # needed for keyless signing packages: write # needed for ghcr access steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: sigstore/cosign-installer@main - name: Prepare id: prep @@ -29,12 +29,12 @@ jobs: echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ') echo ::set-output name=VERSION::${VERSION} - name: Setup QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v2 - name: Setup Docker Buildx id: buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v2 - name: Login to GitHub Container Registry - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: registry: ghcr.io username: fluxcdbot @@ -60,17 +60,10 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - name: Sign image + env: + COSIGN_EXPERIMENTAL: 1 run: | - echo -n "${{secrets.COSIGN_PASSWORD}}" | \ - cosign sign -key ./.cosign/cosign.key -a git_sha=$GITHUB_SHA \ - ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }} - - name: Check images - run: | - docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }} - - name: Verifiy image signature - run: | - cosign verify -key ./.cosign/cosign.pub \ - ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }} + cosign sign ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }} - name: Publish Helm charts uses: stefanprodan/helm-gh-pages@v1.6.0 with: diff --git a/.goreleaser.yml b/.goreleaser.yml index 1799bdfc5..7be9a2029 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -15,3 +15,16 @@ sboms: artifacts: source documents: - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json" + +signs: + - cmd: cosign + env: + - COSIGN_EXPERIMENTAL=1 + certificate: '${artifact}.pem' + args: + - sign-blob + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + artifacts: checksum + output: true
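Review bot: The new keyless `cosign sign` command drops the `-a git_sha=$GITHUB_SHA` annotation the replaced command attached, so the signature no longer records which commit produced the image; keep it with `cosign sign -a git_sha=$GITHUB_SHA ${{ env.IMAGE }}:${{ steps.prep.outputs.VERSION }}`. The `Verifiy image signature` step is removed without a keyless equivalent, and with `.cosign/README.md` and `.cosign/cosign.pub` deleted in the same commit nothing on the page tells consumers (including anyone using the Kyverno policy from the deleted README) how to verify the new signatures, so a `cosign verify` step here plus replacement verification docs are needed. `secrets.COSIGN_PASSWORD` is no longer referenced and the encrypted private key removed from `.cosign/cosign.key` remains recoverable from git history, so that key should be treated as retired and the secret removed from the repository settings rather than kept for reuse. The steps list continues past the end of the hunk.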
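Review bot: The added `signs` stanza carries no comment saying what it produces or how the outputs are meant to be consumed, and the README that documented verification is deleted in this commit; add above `signs:` a comment such as `# keyless cosign signature of the checksums file: produces <checksum>.sig and <checksum>.pem, verify with cosign verify-blob`. `artifacts: checksum` signs only the checksums file, which protects the release artifacts only if consumers also compare the per-file hashes against it, so the verification docs should state that step. `COSIGN_EXPERIMENTAL=1` is set here and in both workflows; a one-line comment on why it is required (keyless mode) would help whoever later removes it.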