From a1422794699d2a1560f0bce1b4f153358328d713 Mon Sep 17 00:00:00 2001
From: Justin Marquis <34fathombelow@protonmail.com>
Date: Sun, 16 Oct 2022 01:05:10 -0700
Subject: [PATCH 1/3] chore: sign container images and checksum assets
Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
---
 .github/workflows/release.yaml | 58 +++++++++++++++++++++++++++++++++-
 Makefile | 3 +-
 2 files changed, 59 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index cdfeb0846a38..c19ea687c21d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -56,11 +56,18 @@ jobs: username: ${{ secrets.QUAYIO_USERNAME }} password: ${{ secrets.QUAYIO_PASSWORD }} + - name: Install cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.13.0' + - name: Docker Buildx env: DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} PLATFORM: ${{ matrix.platform }} TARGET: ${{ matrix.target }} + COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} + COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} run: | tag=$(basename $GITHUB_REF) if [ $tag = "master" ]; then
@@ -86,6 +93,10 @@ jobs: --target $TARGET \ --tag quay.io/$image_name . + cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name + # Displays the public key to share. + cosign public-key --key env://COSIGN_PRIVATE_KEY + build-linux-arm64: name: Build & push linux/arm64 if: github.repository == 'argoproj/argo-workflows'
@@ -127,11 +138,18 @@ jobs: username: ${{ secrets.QUAYIO_USERNAME }} password: ${{ secrets.QUAYIO_PASSWORD }} + - name: Install cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.13.0' + - name: Docker Buildx env: DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} PLATFORM: ${{ matrix.platform }} TARGET: ${{ matrix.target }} + COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} + COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} run: | tag=$(basename $GITHUB_REF) if [ $tag = "master" ]; then
@@ -157,6 +175,10 @@ jobs: --target $TARGET \ --tag quay.io/$image_name . + cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name + # Displays the public key to share. + cosign public-key --key env://COSIGN_PRIVATE_KEY + build-windows: name: Build & push windows if: github.repository == 'argoproj/argo-workflows'
@@ -176,9 +198,16 @@ jobs: username: ${{ secrets.QUAYIO_USERNAME }} password: ${{ secrets.QUAYIO_PASSWORD }} + - name: Install cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.13.0' + - name: Build & Push Windows Docker Images env: DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} + COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} + COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} run: | docker_org=$DOCKERIO_ORG
@@ -195,6 +224,10 @@ jobs: docker tag $image_name quay.io/$image_name docker push quay.io/$image_name + + cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name + # Displays the public key to share. + cosign public-key --key env://COSIGN_PRIVATE_KEY done push-images:
@@ -217,9 +250,16 @@ jobs: username: ${{ secrets.QUAYIO_USERNAME }} password: ${{ secrets.QUAYIO_PASSWORD }} + - name: Install cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.13.0' + - name: Push Multiarch Image env: DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} + COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} + COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} run: | echo $(jq -c '. + { "experimental": "enabled" }' ${DOCKER_CONFIG}/config.json) > ${DOCKER_CONFIG}/config.json
@@ -244,6 +284,9 @@ jobs: docker manifest push $image_name docker manifest push quay.io/$image_name + + cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name + done test-images-linux-amd64:
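Review bot: The `Install cosign` step added for `push-images` pins the cosign binary (`cosign-release: 'v1.13.0'`) but fetches the installer action from a mutable branch, `uses: sigstore/cosign-installer@main`, so whatever that branch resolves to at release time runs in a job that holds `COSIGN_PRIVATE_KEY`. Pin the action to a release tag or, preferably, a full commit SHA with the version as a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha>  # <release-tag>`. The same step is added for the release job in the hunk at `@@ -347,6 +392,10 @@` (and for the build jobs, but patch 3 of this series removes those copies). As a point of style, the new `${{secrets.COSIGN_PRIVATE_KEY}}` and `${{secrets.COSIGN_PASSWORD}}` entries omit the inner spaces that every other expression in this block uses (`${{ secrets.DOCKERIO_ORG }}`).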
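Review bot: `cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name` signs a tag rather than a digest, so the signature binds to whatever the tag resolves to at signing time (cosign 1.x warns about this); since `docker manifest push` runs immediately above and prints the digest of the pushed list, it can be captured and signed instead, e.g. `digest=$(docker manifest push quay.io/$image_name)` followed by `cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name@$digest`. Only the quay.io manifest is signed even though the hunk also pushes `$image_name` to Docker Hub; if that is intentional a comment such as `# only the quay.io copy is signed` would make it clear, otherwise sign both. The enclosing `for` loop and `run:` block begin outside the hunk.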
@@ -327,6 +370,8 @@ jobs: needs: [ push-images, test-images-linux-amd64, test-images-windows ] env: NODE_OPTIONS: --max-old-space-size=4096 + COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} + COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} steps: - uses: actions/checkout@v3 - uses: actions/setup-node@v3
@@ -347,6 +392,10 @@ jobs: with: path: /home/runner/go/pkg/mod key: GOMODCACHE-v2-${{ hashFiles('**/go.mod') }} + - name: Install cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.13.0' # https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions - run: | if [ ${GITHUB_REF##*/} = master ]; then
@@ -376,6 +425,12 @@ jobs: - name: Print version (please check it is not dirty) run: dist/argo-linux-amd64 version - run: make checksums + - name: Sign checksums and create public key for release assets + run: | + cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-workflows-checksums.txt > ./dist/argocd-workflows-checksums.sig + # Retrieves the public key to release as an asset + cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-rollouts-cosign.pub + # https://github.com/softprops/action-gh-release # This will publish the release and upload assets. # If a conflict occurs (because you are not on a tag), the release will not be updated. This is a short coming
@@ -388,8 +443,9 @@ jobs: body_path: release-notes files: | dist/argo-*.gz - dist/argo-*.gz.sha256 + dist/argo-workflows-checksums.txt dist/manifests/*.yaml + dist/argo-rollouts-cosign.pub dist/sbom.tar.gz env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Makefile b/Makefile
index 1a269afbc773..acf5defaa090 100644
--- a/Makefile
+++ b/Makefile
@@ -677,4 +677,5 @@ release-notes: /dev/null .PHONY: checksums checksums: - for f in ./dist/argo-*.gz; do openssl dgst -sha256 "$$f" | awk ' { print $$2 }' > "$$f".sha256 ; done + sha256sum ./dist/argo-*.gz | awk -F './dist/' '{print $$1 $$2}' > ./dist/argo-workflows-cli-checksums.txt +
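Review bot: `COSIGN_PRIVATE_KEY` and `COSIGN_PASSWORD` are added to the release job's job-level `env:` here, which puts the signing key in the environment of every step in that job — checkout, the Node and Go setup/cache steps, and the build that produces `dist/` — rather than only the step that needs it; a compromised build dependency running in any of those steps could read it. Move the two entries to an `env:` on the `Sign checksums and create public key for release assets` step, as the other jobs in this patch do, so the key is present only while `cosign sign-blob` and `cosign public-key` run. The enclosing job definition starts outside the hunk.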
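Review bot: The rewritten `checksums` recipe depends on GNU coreutils `sha256sum`, whereas the removed loop used `openssl dgst`, which is also available on macOS, so developers running `make checksums` locally on a Mac will likely hit a missing command. If local use matters, `shasum -a 256` emits the same `<hash>  <file>` format and is a drop-in alternative there; either way a comment above the recipe, e.g. `# one sha256sum -c compatible file; the awk strips the ./dist/ prefix so it verifies from inside dist/`, would document why the paths are rewritten (the intent is presumably `sha256sum -c` — confirm).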
From 305c2595f59ae81bea5e4df83257a028558a90ed Mon Sep 17 00:00:00 2001
From: Justin Marquis <34fathombelow@protonmail.com>
Date: Sun, 16 Oct 2022 01:32:21 -0700
Subject: [PATCH 2/3] fixed typo
Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
---
 .github/workflows/release.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c19ea687c21d..63103e7ab2f9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -429,7 +429,7 @@ jobs: run: | cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-workflows-checksums.txt > ./dist/argocd-workflows-checksums.sig # Retrieves the public key to release as an asset - cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-rollouts-cosign.pub + cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-workflows-cosign.pub # https://github.com/softprops/action-gh-release # This will publish the release and upload assets.
@@ -445,7 +445,7 @@ jobs: dist/argo-*.gz dist/argo-workflows-checksums.txt dist/manifests/*.yaml - dist/argo-rollouts-cosign.pub + dist/argo-workflows-cosign.pub dist/sbom.tar.gz env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 760d0fcf59ca306653816b29e41b6e8b047240af Mon Sep 17 00:00:00 2001
From: Justin Marquis <34fathombelow@protonmail.com>
Date: Tue, 18 Oct 2022 12:41:50 -0700
Subject: [PATCH 3/3] fixed typo and only sign manifest
Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
---
 .github/workflows/release.yaml | 39 ++++------------------------------
 1 file changed, 4 insertions(+), 35 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 63103e7ab2f9..86125b255545 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -56,18 +56,11 @@ jobs: username: ${{ secrets.QUAYIO_USERNAME }} password: ${{ secrets.QUAYIO_PASSWORD }} - - name: Install cosign - uses: sigstore/cosign-installer@main - with: - cosign-release: 'v1.13.0' - - name: Docker Buildx env: DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} PLATFORM: ${{ matrix.platform }} TARGET: ${{ matrix.target }} - COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} - COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} run: | tag=$(basename $GITHUB_REF) if [ $tag = "master" ]; then
@@ -93,10 +86,6 @@ jobs: --target $TARGET \ --tag quay.io/$image_name . - cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name - # Displays the public key to share. - cosign public-key --key env://COSIGN_PRIVATE_KEY - build-linux-arm64: name: Build & push linux/arm64 if: github.repository == 'argoproj/argo-workflows'
@@ -138,18 +127,11 @@ jobs: username: ${{ secrets.QUAYIO_USERNAME }} password: ${{ secrets.QUAYIO_PASSWORD }} - - name: Install cosign - uses: sigstore/cosign-installer@main - with: - cosign-release: 'v1.13.0' - - name: Docker Buildx env: DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} PLATFORM: ${{ matrix.platform }} TARGET: ${{ matrix.target }} - COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} - COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} run: | tag=$(basename $GITHUB_REF) if [ $tag = "master" ]; then
@@ -175,10 +157,6 @@ jobs: --target $TARGET \ --tag quay.io/$image_name . - cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name - # Displays the public key to share. - cosign public-key --key env://COSIGN_PRIVATE_KEY - build-windows: name: Build & push windows if: github.repository == 'argoproj/argo-workflows'
@@ -197,17 +175,10 @@ jobs: login-server: quay.io username: ${{ secrets.QUAYIO_USERNAME }} password: ${{ secrets.QUAYIO_PASSWORD }} - - - name: Install cosign - uses: sigstore/cosign-installer@main - with: - cosign-release: 'v1.13.0' - + - name: Build & Push Windows Docker Images env: DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }} - COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} - COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} run: | docker_org=$DOCKERIO_ORG
@@ -225,9 +196,6 @@ jobs: docker tag $image_name quay.io/$image_name docker push quay.io/$image_name - cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/$image_name - # Displays the public key to share. - cosign public-key --key env://COSIGN_PRIVATE_KEY done push-images:
@@ -427,7 +395,7 @@ jobs: - run: make checksums - name: Sign checksums and create public key for release assets run: | - cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-workflows-checksums.txt > ./dist/argocd-workflows-checksums.sig + cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argo-workflows-cli-checksums.txt > ./dist/argo-workflows-cli-checksums.sig # Retrieves the public key to release as an asset cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-workflows-cosign.pub
@@ -443,7 +411,8 @@ jobs: body_path: release-notes files: | dist/argo-*.gz - dist/argo-workflows-checksums.txt + dist/argo-workflows-cli-checksums.txt + dist/argo-workflows-cli-checksums.sig dist/manifests/*.yaml dist/argo-workflows-cosign.pub dist/sbom.tar.gz
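Review bot: The verification key `dist/argo-workflows-cosign.pub` is uploaded as a release asset alongside the checksums file and `.sig` it is meant to verify, and it is derived in-job from `COSIGN_PRIVATE_KEY` (the `cosign public-key` line in the hunk at `@@ -427,7 +395,7 @@`), so a verifier who fetches all three from the same release learns nothing an attacker able to publish a release could not also forge. Publish the public key out of band as well — checked into the repository documentation or at a stable, separately controlled location — and tell users to compare against that copy. A docs line giving the verification sequence, `cosign verify-blob --key argo-workflows-cosign.pub --signature argo-workflows-cli-checksums.sig argo-workflows-cli-checksums.txt` followed by `sha256sum -c argo-workflows-cli-checksums.txt`, would make the new assets actually usable by consumers.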