From 8bf0281d2737608d2ea97221dac5edbd1ae0af35 Mon Sep 17 00:00:00 2001
From: vdbulcke
Date: Sat, 25 Mar 2023 18:32:50 +0100
Subject: [PATCH] feat: add cosign signature via goreleaser (#4)

---
 .github/workflows/release.yaml | 18 ++++++++-----
 .goreleaser.yml | 48 ++++++++++++++++++++++++++--------
 Makefile | 14 +++++-----
 README.md | 24 +++++++++++++++++
 verify_signature.sh | 40 ++++++++++++++++++++++++++++
 5 files changed, 120 insertions(+), 24 deletions(-)
 create mode 100755 verify_signature.sh

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 47b21c3..73f9bf2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,7 +15,7 @@ permissions:
 contents: write
 # ## for ghcr.io registry
 # packages: write
-
+ id-token: write # needed for signing the images with GitHub OIDC Token
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}
@@ -29,11 +29,10 @@ jobs:
 uses: actions/checkout@v2
 with:
 fetch-depth: 0
-
- - name: Set up Go
- uses: actions/setup-go@v2
+ - name: Setup Go
+ uses: actions/setup-go@v3
 with:
- go-version: 1.19
+ go-version-file: go.mod

 # - name: dockerhub-login
 # uses: docker/login-action@v1
@@ -47,7 +46,9 @@ jobs:
 # registry: ${{ env.REGISTRY }}
 # username: ${{ github.actor }}
 # password: ${{ secrets.GITHUB_TOKEN }}
-
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+

 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v2
@@ -55,8 +56,11 @@ jobs:
 # either 'goreleaser' (default) or 'goreleaser-pro'
 distribution: goreleaser
 version: latest
- args: release --rm-dist
+ args: release --clean
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ ## Cosign ENV Vars
+ COSIGN_EXPERIMENTAL: 1
+ COSIGN_YES: true
 # Your GoReleaser Pro key, if you are using the 'goreleaser-pro' distribution
 # GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
\ No newline at end of file
diff --git a/.goreleaser.yml b/.goreleaser.yml
index f5004a0..87741eb 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
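Review bot: The `id-token: write` grant added in the first hunk lands in what looks like the workflow-level `permissions:` block (it sits next to the top-level `env:` and precedes `jobs:`), so every job in this workflow can mint an OIDC token, not only the release job that signs; moving `permissions:` (`contents: write`, `id-token: write`) under the release job keeps the signing identity scoped to the step that needs it. The inline comment says "signing the images", but the `dockers:` section in `.goreleaser.yml` is still commented out and the token is consumed by `cosign sign-blob` on the release archives, so `# needed for keyless cosign signing of release artifacts with the GitHub OIDC token` would describe what it is actually for. Whether `permissions:` is top-level is inferred from the surrounding keys; the key itself is outside the hunk.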
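Review bot: `uses: sigstore/cosign-installer@main` in the new Install Cosign step resolves a moving branch, so the tool that produces every release signature is whatever that branch holds on release day and the workflow cannot be reproduced or audited against a fixed version; the other actions in these hunks are at least tag-pinned (`actions/setup-go@v3`, `goreleaser/goreleaser-action@v2`). Pin it to a release tag, or better a full commit SHA with the version in a trailing comment, e.g. `uses: sigstore/cosign-installer@<release-tag-or-commit-sha>  # vX.Y.Z`. The same reasoning applies to `version: latest` for GoReleaser in the following hunk, which is existing context rather than part of this change.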
@@ -21,16 +21,27 @@ builds:
 # - 386
 ldflags:
 ## auto inject commit and version at build time
- - -X github.com/vdbulcke/hc-vault-util/cmd.GitCommit={{ .ShortCommit }} -X github.com/vdbulcke/hc-vault-util/cmd.Version={{ .Version }} -X github.com/vdbulcke/hc-vault-util/cmd.Date={{ .CommitDate }} -X github.com/vdbulcke/hc-vault-util/cmd.BuiltBy=goreleaser
+ - -X github.com/vdbulcke/hc-vault-util/cmd.GitCommit={{ .ShortCommit }}
+ - -X github.com/vdbulcke/hc-vault-util/cmd.Version=v{{ .Version }}
+ - -X github.com/vdbulcke/hc-vault-util/cmd.Date={{ .CommitDate }}
+ - -X github.com/vdbulcke/hc-vault-util/cmd.BuiltBy=goreleaser

 archives:
- - replacements:
- ## Rewrite Archive name
- darwin: Darwin
- linux: Linux
- windows: Windows
- 386: i386
- amd64: x86_64
+ ## Deprecated "replacements"
+ # replacements:
+ # ## Rewrite Archive name
+ # darwin: Darwin
+ # linux: Linux
+ # windows: Windows
+ # 386: i386
+ # amd64: x86_64
+ name_template: >-
+ {{ .ProjectName }}_{{ .Version }}_
+ {{- title .Os }}_
+ {{- if eq .Arch "amd64" }}x86_64
+ {{- else if eq .Arch "386" }}i386
+ {{- else }}{{ .Arch }}{{ end }}
+ {{- if .Arm }}v{{ .Arm }}{{ end }}
 ## use zip for windows release
 format_overrides:
 - goos: windows
@@ -39,9 +50,9 @@ archives:
 - LICENSE

 ## create MacOS universal binary
-universal_binaries:
-## set to true to ONLY generate a universal binary
-- replace: false
+# universal_binaries:
+# ## set to true to ONLY generate a universal binary
+# - replace: false

 checksum:
 name_template: 'checksums.txt'
@@ -73,6 +84,21 @@ changelog:
 order: 1
 - title: Others
 order: 999
+##
+## Cosign
+##
+signs:
+ - cmd: cosign
+ signature: "${artifact}.sig"
+ certificate: '${artifact}.pem'
+ output: true
+ args:
+ - "sign-blob"
+ - "--oidc-issuer=https://token.actions.githubusercontent.com"
+ - "--output-certificate=${artifact}.pem"
+ - "--output-signature=${artifact}.sig"
+ - "${artifact}"
+ artifacts: all

 # dockers:
 # -
diff --git a/Makefile b/Makefile
index b37384b..58795af 100644
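Review bot: In the new `signs:` stanza the two sibling keys are quoted differently, `signature: "${artifact}.sig"` with double quotes and `certificate: '${artifact}.pem'` with single quotes; neither value needs escape processing, so single quotes for both (matching `name_template: 'checksums.txt'` earlier in the file) reads more consistently. The `##` / `## Cosign` / `##` banner above it carries no information a future maintainer needs; replacing it with `## Keyless cosign signing: the certificate is bound to the GitHub OIDC identity of the release workflow, so verifiers must check both --certificate-oidc-issuer and --certificate-identity (see verify_signature.sh)` documents why `--oidc-issuer` is pinned here and why local builds cannot sign. The `changelog:` block this hunk is attached to starts outside the hunk.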
--- a/Makefile
+++ b/Makefile
@@ -2,25 +2,24 @@
 .PHONY: scan
 scan:
- go list -json -deps | nancy sleuth
 trivy fs .

 .PHONY: build
 build:
- goreleaser build --rm-dist
+ goreleaser build --clean

 .PHONY: build-snapshot
 build-snapshot:
- goreleaser build --rm-dist --snapshot --single-target
+ goreleaser build --clean --snapshot --single-target

 .PHONY: release-skip-publish
 release-skip-publish:
- goreleaser release --rm-dist --skip-publish
+ goreleaser release --clean --skip-publish --skip-sign

 .PHONY: release-snapshot
 release-snapshot:
- goreleaser release --rm-dist --skip-publish --snapshot
+ goreleaser release --clean --skip-publish --snapshot --skip-sign

 .PHONY: lint
@@ -32,6 +31,9 @@ lint:
 changelog:
 git-chglog -o CHANGELOG.md

+.PHONY: view-changelog
+view-changelog:
+ git-chglog

 .PHONY: test
 test:
@@ -42,7 +44,7 @@ test:
 .PHONY: gen-doc
 gen-doc:
 mkdir -p ./doc
- ./dist/hc-vault-util_linux_amd64/hc-vault-util documentation --dir ./doc
+ ./dist/hc-vault-util_linux_amd64_v1/hc-vault-util documentation --dir ./doc

 .PHONY: doc-site
 doc-site:
diff --git a/README.md b/README.md
index 5296f5c..50089cc 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,13 @@
 ## Features

 - Vault transit backend import private key using key wrapping
+ - See [transit-import-key Tutorial](https://github.com/vdbulcke/terraform-vault-sample/blob/main/tutorial/transit-import-key/README.md)
 - Generate CSR from Vault transit key using [cfssl json csr format](https://github.com/cloudflare/cfssl#signing)
+ - See [transit-gencsr Tutorial](https://github.com/vdbulcke/terraform-vault-sample/blob/main/tutorial/transit-gencsr/README.md)
+
+[Changelog](./CHANGELOG.md)
+
+

 ## Install & Documentation

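Review bot: The `release-skip-publish` and `release-snapshot` targets in the first hunk now pass `--skip-sign`, which is the right choice for a workstation that has no GitHub OIDC identity to sign with, but nothing in the Makefile records that reason and a reader may later "fix" it by removing the flag. A one-line comment above each target, `# --skip-sign: keyless cosign signing only works inside the GitHub Actions release workflow`, makes the unsigned local output deliberate. The `_v1` suffix in the `gen-doc` path of the last hunk presumably comes from the GOAMD64 level that goreleaser appends to the build directory name; a short comment there, `# _v1 = default GOAMD64 level appended by goreleaser`, would save the next person from hunting for it. The `lint:` and `test:` targets that the later hunks hang off are outside the hunks.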
@@ -13,3 +19,21 @@
 - [CLI Doc](./doc/hc-vault-util.md)
 - [Documentation](https://vdbulcke.github.io/hc-vault-util/)

+### Validate Signature With Cosign
+
+Make sure you have `cosign` installed locally (see [Cosign Install](https://docs.sigstore.dev/cosign/installation/)).
+
+
+Then you can use the `./verify_signature.sh` in this repo:
+
+```bash
+./verify_signature.sh PATH_TO_DOWNLOADED_ARCHIVE TAG_VERSION
+```
+for example
+```bash
+$ ./verify_signature.sh ~/Downloads/hc-vault-util_0.2.0_Linux_x86_64.tar.gz v0.3.0
+
+Checking Signature for version: v0.3.0
+Verified OK
+
+```
\ No newline at end of file
diff --git a/verify_signature.sh b/verify_signature.sh
new file mode 100755
index 0000000..36ac0bf
--- /dev/null
+++ b/verify_signature.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+
+if [ -z "$1" ]; then
+ echo "Error: missing articate package as 1st input"
+ echo "Usage: "
+ echo " $0 ARTIFACT_PACKAGE TAG"
+
+ exit 1
+
+fi
+
+if [ ! -f "$1" ] ; then
+ echo "Error: artifcact $1 does not exists"
+ exit 1
+
+fi
+
+artifcat_path=$1
+artifact=$(basename $artifcat_path)
+
+if [ -z "$2" ]; then
+ echo "Error: missing tag as 2nd input"
+ echo "Usage: "
+ echo " $0 $1 TAG"
+
+ exit 1
+
+fi
+
+TAG=$2
+
+
+echo "Checking Signature for version: ${TAG}"
+cosign verify-blob \
+ --certificate "https://github.com/vdbulcke/hc-vault-util/releases/download/${TAG}/${artifact}.pem" \
+ --signature "https://github.com/vdbulcke/hc-vault-util/releases/download/${TAG}/${artifact}.sig" \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+ --certificate-identity "https://github.com/vdbulcke/hc-vault-util/.github/workflows/release.yaml@refs/tags/${TAG}" \
+ ${artifcat_path}
\ No newline at end of file
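Review bot: `artifact=$(basename $artifcat_path)` and the final `${artifcat_path}` argument in the new verify_signature.sh are unquoted, so an archive path containing spaces or glob characters is word-split before it reaches `basename` and `cosign`, and the verification then targets the wrong file name or fails; change them to `artifact=$(basename "$artifcat_path")` and `"${artifcat_path}"` (the `[ -f "$1" ]` test above already quotes correctly). The script's exit status equals cosign's only because `cosign verify-blob` happens to be the last command, so `set -euo pipefail` after the shebang makes that contract explicit and keeps it true if a line is ever added after the call. The identity pin `--certificate-identity ".../release.yaml@refs/tags/${TAG}"` together with the issuer check is the part that gives the verification its meaning, and deserves a comment above the call such as `# keyless verification: the certificate must have been issued by GitHub's OIDC issuer to this repo's release workflow running on exactly this tag`. The user-facing strings carry typos (`articate`, `artifcact`, `does not exists`) and the variable is spelled `artifcat_path` throughout; fixing them while the file is new is cheap.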