ci: add fips check

Author: JasonPowr

.tekton/fetch-tsa-certs-pull-request.yaml

@@ -44,21 +44,25 @@ spec:
       CGO_ENABLED=0 go build -trimpath -o bin/timestamp-cli ./cmd/timestamp-cli
       CGO_ENABLED=0 go build -trimpath -o bin/timestamp-server ./cmd/timestamp-server
       go test ./...
+  - name: build-platforms
+    value:
+      - linux/x86_64
+      - linux/arm64
+      - linux/ppc64le
+      - linux/s390x
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
       value: https://github.com/securesign/pipelines.git
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/docker-build-multi-platform-oci-ta.yaml
     resolver: git
   taskRunSpecs:
   - pipelineTaskName: run-unit-test
-    podTemplate:
-      imagePullSecrets:
-      - name: brew-registry-pull-secret
-    serviceAccountName: appstudio-pipeline
     stepSpecs:
     - computeResources:
         limits:

.tekton/fetch-tsa-certs-push.yaml

@@ -41,21 +41,25 @@ spec:
       CGO_ENABLED=0 go build -trimpath -o bin/timestamp-cli ./cmd/timestamp-cli
       CGO_ENABLED=0 go build -trimpath -o bin/timestamp-server ./cmd/timestamp-server
       go test ./...
+  - name: build-platforms
+    value:
+      - linux/x86_64
+      - linux/arm64
+      - linux/ppc64le
+      - linux/s390x
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
       value: https://github.com/securesign/pipelines.git
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/docker-build-multi-platform-oci-ta.yaml
     resolver: git
   taskRunSpecs:
   - pipelineTaskName: run-unit-test
-    podTemplate:
-      imagePullSecrets:
-      - name: brew-registry-pull-secret
-    serviceAccountName: appstudio-pipeline
     stepSpecs:
     - computeResources:
         limits:

.tekton/timestamp-authority-pull-request.yaml

@@ -44,6 +44,8 @@ spec:
       CGO_ENABLED=0 go build -trimpath -o bin/timestamp-cli ./cmd/timestamp-cli
       CGO_ENABLED=0 go build -trimpath -o bin/timestamp-server ./cmd/timestamp-server
       go test ./...
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
@@ -55,10 +57,6 @@ spec:
     resolver: git
   taskRunSpecs:
   - pipelineTaskName: run-unit-test
-    podTemplate:
-      imagePullSecrets:
-      - name: brew-registry-pull-secret
-    serviceAccountName: appstudio-pipeline
     stepSpecs:
     - computeResources:
         limits:

.tekton/timestamp-authority-push.yaml

@@ -41,6 +41,8 @@ spec:
       CGO_ENABLED=0 go build -trimpath -o bin/timestamp-cli ./cmd/timestamp-cli
       CGO_ENABLED=0 go build -trimpath -o bin/timestamp-server ./cmd/timestamp-server
       go test ./...
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
@@ -52,10 +54,6 @@ spec:
     resolver: git
   taskRunSpecs:
   - pipelineTaskName: run-unit-test
-    podTemplate:
-      imagePullSecrets:
-      - name: brew-registry-pull-secret
-    serviceAccountName: appstudio-pipeline
     stepSpecs:
     - computeResources:
         limits:

Build.mak

@@ -1,30 +1,16 @@
+FIPS_MODULE ?= latest
+
 .PHONY: 
-cross-platform: fetch-tsa-certs-darwin-arm64 fetch-tsa-certs-darwin-amd64 fetch-tsa-certs-linux-amd64 fetch-tsa-certs-linux-arm64 fetch-tsa-certs-linux-ppc64le fetch-tsa-certs-linux-s390x fetch-tsa-certs-windows ## Build all distributable (cross-platform) binaries
+cross-platform: fetch-tsa-certs-darwin-arm64 fetch-tsa-certs-darwin-amd64 fetch-tsa-certs-windows ## Build all distributable (cross-platform) binaries
 
 .PHONY:	fetch-tsa-certs-darwin-arm64
 fetch-tsa-certs-darwin-arm64: ## Build for mac M1
-	env CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -mod=readonly -o fetch_tsa_certs_darwin_arm64 -trimpath ./cmd/fetch-tsa-certs
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=darwin GOARCH=arm64 go build -mod=readonly -o fetch_tsa_certs_darwin_arm64 -trimpath ./cmd/fetch-tsa-certs
 
 .PHONY: fetch-tsa-certs-darwin-amd64
 fetch-tsa-certs-darwin-amd64:  ## Build for Darwin (macOS)
-	env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -mod=readonly -o fetch_tsa_certs_darwin_amd64 -trimpath ./cmd/fetch-tsa-certs
-
-.PHONY: fetch-tsa-certs-linux-amd64 
-fetch-tsa-certs-linux-amd64: ## Build for Linux amd64
-	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod=readonly -o fetch_tsa_certs_linux_amd64 -trimpath ./cmd/fetch-tsa-certs
-
-.PHONY: fetch-tsa-certs-linux-arm64
-fetch-tsa-certs-linux-arm64: ## Build for Linux arm64
-	env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -mod=readonly -o fetch_tsa_certs_linux_arm64 -trimpath ./cmd/fetch-tsa-certs
-
-.PHONY: fetch-tsa-certs-linux-ppc64le
-fetch-tsa-certs-linux-ppc64le: ## Build for Linux ppc64le
-	env CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build -mod=readonly -o fetch_tsa_certs_linux_ppc64le -trimpath ./cmd/fetch-tsa-certs
-
-.PHONY: fetch-tsa-certs-linux-s390x
-fetch-tsa-certs-linux-s390x:  ## Build for Linux s390x
-	env CGO_ENABLED=0 GOOS=linux GOARCH=s390x go build -mod=readonly -o fetch_tsa_certs_linux_s390x -trimpath ./cmd/fetch-tsa-certs
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=darwin GOARCH=amd64 go build -mod=readonly -o fetch_tsa_certs_darwin_amd64 -trimpath ./cmd/fetch-tsa-certs
 
 .PHONY: fetch-tsa-certs-windows
 fetch-tsa-certs-windows: ## Build for Windows
-	env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -mod=readonly -o fetch_tsa_certs_windows_amd64.exe -trimpath ./cmd/fetch-tsa-certs
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=windows GOARCH=amd64 go build -mod=readonly -o fetch_tsa_certs_windows_amd64.exe -trimpath ./cmd/fetch-tsa-certs

Dockerfile.fetch_tsa_certs.rh

@@ -1,4 +1,4 @@
-FROM registry.redhat.io/ubi9/go-toolset:9.6@sha256:84286c7555df503df0bd3acb86fe2ad50af82a07f35707918bb0fad312fdc193 as build-env
+FROM registry.redhat.io/ubi9/go-toolset:9.6 as build-env
 ENV GOEXPERIMENT=strictfipsruntime
 ENV CGO_ENABLED=1
 ENV APP_ROOT=/opt/app-root
@@ -12,13 +12,11 @@ ADD ./cmd/ $APP_ROOT/src/cmd/
 ADD ./pkg/ $APP_ROOT/src/pkg/
 ADD ./Build.mak $APP_ROOT/src/Build.mak
 
-RUN make -f Build.mak cross-platform && \
+RUN go build -mod=readonly -o fetch_tsa_certs_linux -trimpath ./cmd/fetch-tsa-certs && \
+    gzip -k fetch_tsa_certs_linux && \
+    make -f Build.mak cross-platform && \
     gzip fetch_tsa_certs_darwin_arm64 && \
     gzip fetch_tsa_certs_darwin_amd64 && \
-    gzip fetch_tsa_certs_linux_amd64 && \
-    gzip fetch_tsa_certs_linux_arm64 && \
-    gzip fetch_tsa_certs_linux_ppc64le && \
-    gzip fetch_tsa_certs_linux_s390x && \
     gzip fetch_tsa_certs_windows_amd64.exe
 
 FROM registry.access.redhat.com/ubi9-minimal@sha256:7c5495d5fad59aaee12abc3cbbd2b283818ee1e814b00dbc7f25bf2d14fa4f0c
@@ -35,19 +33,14 @@ LABEL name="rhtas/fetch-tsa-certs-rhel9"
 
 COPY LICENSE /licenses/license.txt
 
+COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux /usr/local/bin/fetch_tsa_certs_linux
+COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux.gz /usr/local/bin/fetch_tsa_certs_linux.gz
 COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_darwin_arm64.gz /usr/local/bin/fetch_tsa_certs_darwin_arm64.gz
 COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_darwin_amd64.gz /usr/local/bin/fetch_tsa_certs_darwin_amd64.gz
-COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux_amd64.gz /usr/local/bin/fetch_tsa_certs_linux_amd64.gz
-COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux_arm64.gz /usr/local/bin/fetch_tsa_certs_linux_arm64.gz
-COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux_ppc64le.gz /usr/local/bin/fetch_tsa_certs_linux_ppc64le.gz
-COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux_s390x.gz /usr/local/bin/fetch_tsa_certs_linux_s390x.gz
 COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_windows_amd64.exe.gz /usr/local/bin/fetch_tsa_certs_windows_amd64.exe.gz
 
-RUN chown root:0 /usr/local/bin/fetch_tsa_certs_darwin_arm64.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_darwin_arm64.gz && \
+RUN chown root:0 /usr/local/bin/fetch_tsa_certs_linux.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_linux.gz && \
+    chown root:0 /usr/local/bin/fetch_tsa_certs_darwin_arm64.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_darwin_arm64.gz && \
     chown root:0 /usr/local/bin/fetch_tsa_certs_darwin_amd64.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_darwin_amd64.gz && \
-    chown root:0 /usr/local/bin/fetch_tsa_certs_linux_arm64.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_linux_arm64.gz && \
-    chown root:0 /usr/local/bin/fetch_tsa_certs_linux_amd64.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_linux_amd64.gz && \
-    chown root:0 /usr/local/bin/fetch_tsa_certs_linux_ppc64le.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_linux_ppc64le.gz && \
-    chown root:0 /usr/local/bin/fetch_tsa_certs_linux_s390x.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_linux_s390x.gz && \
     chown root:0 /usr/local/bin/fetch_tsa_certs_windows_amd64.exe.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_windows_amd64.exe.gz && \
     chgrp -R 0 /${HOME} && chmod -R g=u /${HOME}