feat: add cosign signature via goreleaser (#4)

vdbulcke · Mar 25, 2023 · 8bf0281 · 8bf0281
1 parent ae3eb74
commit 8bf0281
Show file tree

Hide file tree

Showing 5 changed files with 120 additions and 24 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -15,7 +15,7 @@ permissions:
   contents: write
   # ## for ghcr.io registry 
   # packages: write
-
+  id-token: write # needed for signing the images with GitHub OIDC Token
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
@@ -29,11 +29,10 @@ jobs:
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
+      - name: Setup Go
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.19
+          go-version-file: go.mod
 
       # - name: dockerhub-login
       #   uses: docker/login-action@v1
@@ -47,16 +46,21 @@ jobs:
       #     registry: ${{ env.REGISTRY }}
       #     username: ${{ github.actor }}
       #     password: ${{ secrets.GITHUB_TOKEN }}
-
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
           # either 'goreleaser' (default) or 'goreleaser-pro'
           distribution: goreleaser
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ## Cosign ENV Vars
+          COSIGN_EXPERIMENTAL: 1
+          COSIGN_YES: true
           # Your GoReleaser Pro key, if you are using the 'goreleaser-pro' distribution
           # GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -21,16 +21,27 @@ builds:
       # - 386
     ldflags:
       ## auto inject commit and version at build time
-      - -X github.com/vdbulcke/hc-vault-util/cmd.GitCommit={{ .ShortCommit }} -X github.com/vdbulcke/hc-vault-util/cmd.Version={{ .Version }}  -X github.com/vdbulcke/hc-vault-util/cmd.Date={{ .CommitDate }} -X github.com/vdbulcke/hc-vault-util/cmd.BuiltBy=goreleaser
+      - -X github.com/vdbulcke/hc-vault-util/cmd.GitCommit={{ .ShortCommit }} 
+      - -X github.com/vdbulcke/hc-vault-util/cmd.Version=v{{ .Version }} 
+      - -X github.com/vdbulcke/hc-vault-util/cmd.Date={{ .CommitDate }} 
+      - -X github.com/vdbulcke/hc-vault-util/cmd.BuiltBy=goreleaser
 archives:
   - 
-    replacements:
-      ## Rewrite Archive name 
-      darwin: Darwin
-      linux: Linux
-      windows: Windows
-      386: i386
-      amd64: x86_64
+    ## Deprecated "replacements"
+    # replacements:
+    #   ## Rewrite Archive name 
+    #   darwin: Darwin
+    #   linux: Linux
+    #   windows: Windows
+    #   386: i386
+    #   amd64: x86_64
+    name_template: >-
+      {{ .ProjectName }}_{{ .Version }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
     ## use zip for windows release
     format_overrides:
       - goos: windows
@@ -39,9 +50,9 @@ archives:
     - LICENSE
 
 ## create MacOS universal binary
-universal_binaries:
-## set to true to ONLY generate a universal binary 
-- replace: false
+# universal_binaries:
+# ## set to true to ONLY generate a universal binary 
+# - replace: false
 
 checksum:
   name_template: 'checksums.txt'
@@ -73,6 +84,21 @@ changelog:
       order: 1
     - title: Others
       order: 999
+##
+## Cosign
+##
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    certificate: '${artifact}.pem'
+    output: true
+    args: 
+      - "sign-blob"
+      - "--oidc-issuer=https://token.actions.githubusercontent.com" 
+      - "--output-certificate=${artifact}.pem"
+      - "--output-signature=${artifact}.sig" 
+      - "${artifact}"
+    artifacts: all
 
 # dockers:
 #   - 

diff --git a/Makefile b/Makefile
@@ -2,25 +2,24 @@
 
 .PHONY:	scan
 scan: 
-	go list -json -deps |  nancy sleuth
 	trivy fs . 
 
 .PHONY: build
 build: 
-	goreleaser build --rm-dist
+	goreleaser build --clean
 
 .PHONY: build-snapshot
 build-snapshot: 
-	goreleaser build --rm-dist --snapshot --single-target
+	goreleaser build --clean --snapshot --single-target
 
 
 .PHONY: release-skip-publish
 release-skip-publish: 
-	goreleaser release --rm-dist --skip-publish 
+	goreleaser release --clean --skip-publish  --skip-sign
 
 .PHONY: release-snapshot
 release-snapshot: 
-	goreleaser release --rm-dist --skip-publish --snapshot
+	goreleaser release --clean --skip-publish --snapshot  --skip-sign
 
 
 .PHONY: lint
@@ -32,6 +31,9 @@ lint:
 changelog: 
 	git-chglog -o CHANGELOG.md 
 
+.PHONY: view-changelog
+view-changelog: 
+	git-chglog 
 
 .PHONY: test
 test:
@@ -42,7 +44,7 @@ test:
 .PHONY: gen-doc
 gen-doc: 
 	mkdir -p ./doc
-	./dist/hc-vault-util_linux_amd64/hc-vault-util  documentation  --dir ./doc
+	./dist/hc-vault-util_linux_amd64_v1/hc-vault-util  documentation  --dir ./doc
 
 .PHONY: doc-site
 doc-site: 

diff --git a/README.md b/README.md
@@ -5,11 +5,35 @@
 ## Features
 
 - Vault transit backend import private key using key wrapping 
+    - See [transit-import-key Tutorial](https://github.com/vdbulcke/terraform-vault-sample/blob/main/tutorial/transit-import-key/README.md)
 - Generate CSR from Vault transit key using [cfssl json csr format](https://github.com/cloudflare/cfssl#signing)
+    - See [transit-gencsr Tutorial](https://github.com/vdbulcke/terraform-vault-sample/blob/main/tutorial/transit-gencsr/README.md)
+
+[Changelog](./CHANGELOG.md)
+
+
 
 ## Install & Documentation 
 
 - [Install](https://vdbulcke.github.io/hc-vault-util/install/) instruction
 - [CLI Doc](./doc/hc-vault-util.md)
 - [Documentation](https://vdbulcke.github.io/hc-vault-util/)
 
+### Validate Signature With Cosign
+
+Make sure you have `cosign` installed locally (see [Cosign Install](https://docs.sigstore.dev/cosign/installation/)).
+
+
+Then you can use the `./verify_signature.sh` in this repo: 
+
+```bash
+./verify_signature.sh PATH_TO_DOWNLOADED_ARCHIVE TAG_VERSION
+```
+for example
+```bash
+$ ./verify_signature.sh  ~/Downloads/hc-vault-util_0.2.0_Linux_x86_64.tar.gz v0.3.0
+
+Checking Signature for version: v0.3.0
+Verified OK
+
+```
diff --git a/verify_signature.sh b/verify_signature.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+
+if [ -z "$1" ]; then 
+    echo "Error: missing articate package as 1st input"
+    echo "Usage: "
+    echo "  $0 ARTIFACT_PACKAGE TAG"
+
+    exit 1
+
+fi
+
+if [ ! -f "$1" ] ; then  
+   echo "Error: artifcact $1 does not exists"
+   exit 1
+
+fi
+
+artifcat_path=$1
+artifact=$(basename $artifcat_path)
+
+if [ -z "$2" ]; then
+    echo "Error: missing tag  as 2nd input"
+    echo "Usage: "
+    echo "  $0 $1  TAG"
+
+    exit 1
+
+fi
+
+TAG=$2
+
+
+echo "Checking Signature for version: ${TAG}"
+cosign verify-blob \
+  --certificate "https://github.com/vdbulcke/hc-vault-util/releases/download/${TAG}/${artifact}.pem" \
+  --signature "https://github.com/vdbulcke/hc-vault-util/releases/download/${TAG}/${artifact}.sig"  \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com  \
+  --certificate-identity  "https://github.com/vdbulcke/hc-vault-util/.github/workflows/release.yaml@refs/tags/${TAG}"  \
+  ${artifcat_path}