From a871409f0c60774eff7ed331df1c5cc2f2f00a93 Mon Sep 17 00:00:00 2001
From: JasonPowr
Date: Fri, 31 Oct 2025 14:01:41 +0000
Subject: [PATCH] ci: add fips check

---
 .tekton/fetch-tsa-certs-pull-request.yaml | 14 ++++++----
 .tekton/fetch-tsa-certs-push.yaml | 14 ++++++----
 .tekton/timestamp-authority-pull-request.yaml | 6 ++---
 .tekton/timestamp-authority-push.yaml | 6 ++---
 Build.mak | 26 +++++--------------
 Dockerfile.fetch_tsa_certs.rh | 23 ++++++----------
 6 files changed, 36 insertions(+), 53 deletions(-)

diff --git a/.tekton/fetch-tsa-certs-pull-request.yaml b/.tekton/fetch-tsa-certs-pull-request.yaml
index 73ca2174..13264425 100644
--- a/.tekton/fetch-tsa-certs-pull-request.yaml
+++ b/.tekton/fetch-tsa-certs-pull-request.yaml
@@ -44,6 +44,14 @@ spec:
 CGO_ENABLED=0 go build -trimpath -o bin/timestamp-cli ./cmd/timestamp-cli
 CGO_ENABLED=0 go build -trimpath -o bin/timestamp-server ./cmd/timestamp-server
 go test ./...
+ - name: build-platforms
+ value:
+ - linux/x86_64
+ - linux/arm64
+ - linux/ppc64le
+ - linux/s390x
+ - name: fips-check
+ value: "true"
 pipelineRef:
 params:
 - name: url
@@ -51,14 +59,10 @@ spec:
 - name: revision
 value: main
 - name: pathInRepo
- value: pipelines/docker-build-oci-ta.yaml
+ value: pipelines/docker-build-multi-platform-oci-ta.yaml
 resolver: git
 taskRunSpecs:
 - pipelineTaskName: run-unit-test
- podTemplate:
- imagePullSecrets:
- - name: brew-registry-pull-secret
- serviceAccountName: build-pipeline-timestamp-authority
 stepSpecs:
 - computeResources:
 limits:
diff --git a/.tekton/fetch-tsa-certs-push.yaml b/.tekton/fetch-tsa-certs-push.yaml
index 06f91827..a485fccc 100644
--- a/.tekton/fetch-tsa-certs-push.yaml
+++ b/.tekton/fetch-tsa-certs-push.yaml
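Review bot: The new `fips-check: "true"` param gates on task definitions this repo does not pin: the pipelineRef in the second hunk resolves the switched `pipelines/docker-build-multi-platform-oci-ta.yaml` at `revision: main` (a context line), so whatever implements the FIPS check can change underneath the build without any commit here. Pin `revision` to a build-definitions commit SHA known to carry the FIPS task, or at least record which task the param enables; I cannot see the referenced pipeline from this diff. A one-line comment above the param would also help the next reader, e.g. `# fips-check: enables the FIPS build-verification task in the referenced build-definitions pipeline; see that repo for what it inspects`.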
@@ -41,6 +41,14 @@ spec:
 CGO_ENABLED=0 go build -trimpath -o bin/timestamp-cli ./cmd/timestamp-cli
 CGO_ENABLED=0 go build -trimpath -o bin/timestamp-server ./cmd/timestamp-server
 go test ./...
+ - name: build-platforms
+ value:
+ - linux/x86_64
+ - linux/arm64
+ - linux/ppc64le
+ - linux/s390x
+ - name: fips-check
+ value: "true"
 pipelineRef:
 params:
 - name: url
@@ -48,14 +56,10 @@ spec:
 - name: revision
 value: main
 - name: pathInRepo
- value: pipelines/docker-build-oci-ta.yaml
+ value: pipelines/docker-build-multi-platform-oci-ta.yaml
 resolver: git
 taskRunSpecs:
 - pipelineTaskName: run-unit-test
- podTemplate:
- imagePullSecrets:
- - name: brew-registry-pull-secret
- serviceAccountName: build-pipeline-timestamp-authority
 stepSpecs:
 - computeResources:
 limits:
diff --git a/.tekton/timestamp-authority-pull-request.yaml b/.tekton/timestamp-authority-pull-request.yaml
index ba64a753..6a86212b 100644
--- a/.tekton/timestamp-authority-pull-request.yaml
+++ b/.tekton/timestamp-authority-pull-request.yaml
@@ -44,6 +44,8 @@ spec:
 CGO_ENABLED=0 go build -trimpath -o bin/timestamp-cli ./cmd/timestamp-cli
 CGO_ENABLED=0 go build -trimpath -o bin/timestamp-server ./cmd/timestamp-server
 go test ./...
+ - name: fips-check
+ value: "true"
 pipelineRef:
 params:
 - name: url
@@ -55,10 +57,6 @@ spec:
 resolver: git
 taskRunSpecs:
 - pipelineTaskName: run-unit-test
- podTemplate:
- imagePullSecrets:
- - name: brew-registry-pull-secret
- serviceAccountName: build-pipeline-timestamp-authority
 stepSpecs:
 - computeResources:
 limits:
diff --git a/.tekton/timestamp-authority-push.yaml b/.tekton/timestamp-authority-push.yaml
index 63680f1f..d5d6b389 100644
--- a/.tekton/timestamp-authority-push.yaml
+++ b/.tekton/timestamp-authority-push.yaml
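Review bot: In the timestamp-authority-pull-request hunk, `fips-check` is passed without the `pathInRepo` switch that the fetch-tsa-certs files receive, and the pipelineRef path for this file is outside the hunk, so I cannot confirm the referenced pipeline declares that param; Tekton rejects a PipelineRun that passes an undeclared param instead of ignoring it, which would block timestamp-authority builds rather than add a check. Please verify the referenced pipeline accepts `fips-check` and, if keeping the single-platform pipeline here is deliberate, say so next to the param: `# single-platform build on purpose; the referenced pipeline declares fips-check`.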
@@ -41,6 +41,8 @@ spec:
 CGO_ENABLED=0 go build -trimpath -o bin/timestamp-cli ./cmd/timestamp-cli
 CGO_ENABLED=0 go build -trimpath -o bin/timestamp-server ./cmd/timestamp-server
 go test ./...
+ - name: fips-check
+ value: "true"
 pipelineRef:
 params:
 - name: url
@@ -52,10 +54,6 @@ spec:
 resolver: git
 taskRunSpecs:
 - pipelineTaskName: run-unit-test
- podTemplate:
- imagePullSecrets:
- - name: brew-registry-pull-secret
- serviceAccountName: build-pipeline-timestamp-authority
 stepSpecs:
 - computeResources:
 limits:
diff --git a/Build.mak b/Build.mak
index 6d2a5eea..70e35324 100644
--- a/Build.mak
+++ b/Build.mak
@@ -1,30 +1,16 @@
+FIPS_MODULE ?= latest
+
 .PHONY:
-cross-platform: fetch-tsa-certs-darwin-arm64 fetch-tsa-certs-darwin-amd64 fetch-tsa-certs-linux-amd64 fetch-tsa-certs-linux-arm64 fetch-tsa-certs-linux-ppc64le fetch-tsa-certs-linux-s390x fetch-tsa-certs-windows ## Build all distributable (cross-platform) binaries
+cross-platform: fetch-tsa-certs-darwin-arm64 fetch-tsa-certs-darwin-amd64 fetch-tsa-certs-windows ## Build all distributable (cross-platform) binaries
 
 .PHONY: fetch-tsa-certs-darwin-arm64
 fetch-tsa-certs-darwin-arm64: ## Build for mac M1
- env CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -mod=readonly -o fetch_tsa_certs_darwin_arm64 -trimpath ./cmd/fetch-tsa-certs
+ env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=darwin GOARCH=arm64 go build -mod=readonly -o fetch_tsa_certs_darwin_arm64 -trimpath ./cmd/fetch-tsa-certs
 
 .PHONY: fetch-tsa-certs-darwin-amd64
 fetch-tsa-certs-darwin-amd64: ## Build for Darwin (macOS)
- env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -mod=readonly -o fetch_tsa_certs_darwin_amd64 -trimpath ./cmd/fetch-tsa-certs
-
-.PHONY: fetch-tsa-certs-linux-amd64
-fetch-tsa-certs-linux-amd64: ## Build for Linux amd64
- env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod=readonly -o fetch_tsa_certs_linux_amd64 -trimpath ./cmd/fetch-tsa-certs
-
-.PHONY: fetch-tsa-certs-linux-arm64
-fetch-tsa-certs-linux-arm64: ## Build for Linux arm64
- env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -mod=readonly -o fetch_tsa_certs_linux_arm64 -trimpath ./cmd/fetch-tsa-certs
-
-.PHONY: fetch-tsa-certs-linux-ppc64le
-fetch-tsa-certs-linux-ppc64le: ## Build for Linux ppc64le
- env CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build -mod=readonly -o fetch_tsa_certs_linux_ppc64le -trimpath ./cmd/fetch-tsa-certs
-
-.PHONY: fetch-tsa-certs-linux-s390x
-fetch-tsa-certs-linux-s390x: ## Build for Linux s390x
- env CGO_ENABLED=0 GOOS=linux GOARCH=s390x go build -mod=readonly -o fetch_tsa_certs_linux_s390x -trimpath ./cmd/fetch-tsa-certs
+ env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=darwin GOARCH=amd64 go build -mod=readonly -o fetch_tsa_certs_darwin_amd64 -trimpath ./cmd/fetch-tsa-certs
 
 .PHONY: fetch-tsa-certs-windows
 fetch-tsa-certs-windows: ## Build for Windows
- env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -mod=readonly -o fetch_tsa_certs_windows_amd64.exe -trimpath ./cmd/fetch-tsa-certs
+ env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=windows GOARCH=amd64 go build -mod=readonly -o fetch_tsa_certs_windows_amd64.exe -trimpath ./cmd/fetch-tsa-certs
diff --git a/Dockerfile.fetch_tsa_certs.rh b/Dockerfile.fetch_tsa_certs.rh
index 48440ac4..8b7dcf4d 100644
--- a/Dockerfile.fetch_tsa_certs.rh
+++ b/Dockerfile.fetch_tsa_certs.rh
@@ -1,4 +1,4 @@
-FROM registry.redhat.io/ubi9/go-toolset:9.6@sha256:84286c7555df503df0bd3acb86fe2ad50af82a07f35707918bb0fad312fdc193 as build-env
+FROM registry.redhat.io/ubi9/go-toolset:9.7 as build-env
 ENV GOEXPERIMENT=strictfipsruntime
 ENV CGO_ENABLED=1
 ENV APP_ROOT=/opt/app-root
@@ -12,13 +12,11 @@ ADD ./cmd/ $APP_ROOT/src/cmd/
 ADD ./pkg/ $APP_ROOT/src/pkg/
 ADD ./Build.mak $APP_ROOT/src/Build.mak
 
-RUN make -f Build.mak cross-platform && \
+RUN go build -mod=readonly -o fetch_tsa_certs_linux -trimpath ./cmd/fetch-tsa-certs && \
+ gzip -k fetch_tsa_certs_linux && \
+ make -f Build.mak cross-platform && \
 gzip fetch_tsa_certs_darwin_arm64 && \
 gzip fetch_tsa_certs_darwin_amd64 && \
- gzip fetch_tsa_certs_linux_amd64 && \
- gzip fetch_tsa_certs_linux_arm64 && \
- gzip fetch_tsa_certs_linux_ppc64le && \
- gzip fetch_tsa_certs_linux_s390x && \
 gzip fetch_tsa_certs_windows_amd64.exe
 
 FROM registry.access.redhat.com/ubi9-minimal@sha256:7c5495d5fad59aaee12abc3cbbd2b283818ee1e814b00dbc7f25bf2d14fa4f0c
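Review bot: `FIPS_MODULE ?= latest` is a weak default for a FIPS claim: per the Go toolchain docs, `GOFIPS140=latest` builds in whatever FIPS module source the toolchain in use ships, not the frozen validated snapshot (`v1.0.0`), so the same recipe yields a different crypto module every time go-toolset moves and the darwin/windows artifacts cannot be tied to a validated module. Suggest `FIPS_MODULE ?= v1.0.0  # frozen, validated Go Cryptographic Module; override with latest only for development`, assuming the builder's toolchain ships that snapshot. Note also that when these recipes run from the Dockerfile they inherit `GOEXPERIMENT=strictfipsruntime` from the builder ENV while forcing `CGO_ENABLED=0`; I cannot tell from this diff whether the Red Hat toolchain honours upstream `GOFIPS140` alongside that experiment, so it is worth inspecting the produced binary's build settings once rather than trusting the flag.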
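Review bot: The builder base image loses its digest pin in the first Dockerfile hunk: `go-toolset:9.6@sha256:…` becomes `go-toolset:9.7` on a mutable tag, while the runtime `ubi9-minimal` stage below keeps its `@sha256` pin. A moving tag makes the toolchain (and therefore the FIPS module version the new `fips-check` gate is meant to verify) non-reproducible, and a registry-side retag silently changes what gets built. Repin as `FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:<digest> as build-env` and let the existing image-update automation bump the digest.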
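Review bot: In the `RUN` hunk the native linux binary and the cross-platform binaries are now produced under two different FIPS mechanisms and nothing in the file says so: the inline `go build` inherits `CGO_ENABLED=1` and `GOEXPERIMENT=strictfipsruntime` from the ENV lines in the first hunk, whereas the `make -f Build.mak cross-platform` recipes force `CGO_ENABLED=0` and rely on `GOFIPS140`. A comment above the RUN would stop someone from "fixing" the inconsistency, e.g. `# linux: Red Hat OpenSSL-backed FIPS (strictfipsruntime, cgo); darwin/windows: upstream Go FIPS module via GOFIPS140 in Build.mak`. If the cgo build is dynamically linked against OpenSSL, the uncompressed `fetch_tsa_certs_linux` copied into the ubi9-minimal stage needs the matching OpenSSL libraries present there to run, which I cannot confirm from this diff. The output name also drops the arch suffix; presumably the per-arch images from `build-platforms` now disambiguate, but that is worth stating in the same comment.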
@@ -35,19 +33,14 @@ LABEL name="rhtas/fetch-tsa-certs-rhel9"
 
 COPY LICENSE /licenses/license.txt
 
+COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux /usr/local/bin/fetch_tsa_certs_linux
+COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux.gz /usr/local/bin/fetch_tsa_certs_linux.gz
 COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_darwin_arm64.gz /usr/local/bin/fetch_tsa_certs_darwin_arm64.gz
 COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_darwin_amd64.gz /usr/local/bin/fetch_tsa_certs_darwin_amd64.gz
-COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux_amd64.gz /usr/local/bin/fetch_tsa_certs_linux_amd64.gz
-COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux_arm64.gz /usr/local/bin/fetch_tsa_certs_linux_arm64.gz
-COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux_ppc64le.gz /usr/local/bin/fetch_tsa_certs_linux_ppc64le.gz
-COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_linux_s390x.gz /usr/local/bin/fetch_tsa_certs_linux_s390x.gz
 COPY --from=build-env $APP_ROOT/src/fetch_tsa_certs_windows_amd64.exe.gz /usr/local/bin/fetch_tsa_certs_windows_amd64.exe.gz
 
-RUN chown root:0 /usr/local/bin/fetch_tsa_certs_darwin_arm64.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_darwin_arm64.gz && \
+RUN chown root:0 /usr/local/bin/fetch_tsa_certs_linux.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_linux.gz && \
+ chown root:0 /usr/local/bin/fetch_tsa_certs_darwin_arm64.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_darwin_arm64.gz && \
 chown root:0 /usr/local/bin/fetch_tsa_certs_darwin_amd64.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_darwin_amd64.gz && \
- chown root:0 /usr/local/bin/fetch_tsa_certs_linux_arm64.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_linux_arm64.gz && \
- chown root:0 /usr/local/bin/fetch_tsa_certs_linux_amd64.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_linux_amd64.gz && \
- chown root:0 /usr/local/bin/fetch_tsa_certs_linux_ppc64le.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_linux_ppc64le.gz && \
- chown root:0 /usr/local/bin/fetch_tsa_certs_linux_s390x.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_linux_s390x.gz && \
 chown root:0 /usr/local/bin/fetch_tsa_certs_windows_amd64.exe.gz && chmod g+wx /usr/local/bin/fetch_tsa_certs_windows_amd64.exe.gz && \
 chgrp -R 0 /${HOME} && chmod -R g=u /${HOME}
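Review bot: The new `chmod g+wx` on `fetch_tsa_certs_linux.gz` (and the retained one on the darwin/windows archives) makes distributable artifacts under /usr/local/bin writable by gid 0, the group every arbitrary-UID OpenShift container process carries, so any compromised process in the pod can swap the archive that is handed to users. Unless something regenerates these files at runtime, read-only is sufficient: `RUN chown root:0 /usr/local/bin/fetch_tsa_certs_*.gz && chmod 0444 /usr/local/bin/fetch_tsa_certs_*.gz && \` followed by the existing `chgrp -R 0 /${HOME} && chmod -R g=u /${HOME}`. The uncompressed `fetch_tsa_certs_linux` copied in the same hunk gets no chown/chmod at all, so its mode is whatever the builder stage produced (presumably 0755 root:root); that is fine, but it should be deliberate and set explicitly alongside the archives.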