From d25b270db07ff64cca407279e66f1582ed1bce80 Mon Sep 17 00:00:00 2001 From: adwait-godbole Date: Mon, 18 Nov 2024 21:16:24 +0530 Subject: [PATCH] generate SBOM for binaries and container images and use cosign for signing images Signed-off-by: adwait-godbole --- .github/workflows/build.yml | 66 ++++++++++++++++++++++--- .github/workflows/delivery-docker.yml | 70 +++++++++++++++++++++++---- 2 files changed, 120 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 31de3e589..ce10e84d2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -226,47 +226,99 @@ jobs: echo "PACK_MILESTONE=${milestone}" >> $GITHUB_ENV - name: Download artifacts uses: actions/download-artifact@v4 - - name: Package artifacts - macos + - name: Install Syft + run: | + curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin + - name: Package artifacts and Generate SBOM JSON file - macos run: | chmod +x pack-macos/pack filename=pack-v${{ env.PACK_VERSION }}-macos.tgz tar -C pack-macos -vzcf $filename pack shasum -a 256 $filename > $filename.sha256 - - name: Package artifacts - linux-arm64 + + temp_dir=$(mktemp -d) + trap 'rm -rf "$temp_dir"' EXIT + + tar -xzf $filename -C $temp_dir + syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json" + shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256" + - name: Package artifacts and Generate SBOM JSON file - linux-arm64 run: | chmod +x pack-linux-arm64/pack filename=pack-v${{ env.PACK_VERSION }}-linux-arm64.tgz tar -C pack-linux-arm64 -vzcf $filename pack shasum -a 256 $filename > $filename.sha256 - - name: Package artifacts - linux-s390x + + temp_dir=$(mktemp -d) + trap 'rm -rf "$temp_dir"' EXIT + + tar -xzf $filename -C $temp_dir + syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json" + shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256" + - name: Package artifacts and Generate SBOM JSON file - linux-s390x run: | chmod +x pack-linux-s390x/pack filename=pack-v${{ env.PACK_VERSION }}-linux-s390x.tgz tar -C pack-linux-s390x -vzcf $filename pack shasum -a 256 $filename > $filename.sha256 - - name: Package artifacts - linux-ppc64le + + temp_dir=$(mktemp -d) + trap 'rm -rf "$temp_dir"' EXIT + + tar -xzf $filename -C $temp_dir + syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json" + shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256" + - name: Package artifacts and Generate SBOM JSON file - linux-ppc64le run: | chmod +x pack-linux-ppc64le/pack filename=pack-v${{ env.PACK_VERSION }}-linux-ppc64le.tgz tar -C pack-linux-ppc64le -vzcf $filename pack shasum -a 256 $filename > $filename.sha256 - - name: Package artifacts - macos-arm64 + + temp_dir=$(mktemp -d) + trap 'rm -rf "$temp_dir"' EXIT + + tar -xzf $filename -C $temp_dir + syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json" + shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256" + - name: Package artifacts and Generate SBOM JSON file - macos-arm64 run: | chmod +x pack-macos-arm64/pack filename=pack-v${{ env.PACK_VERSION }}-macos-arm64.tgz tar -C pack-macos-arm64 -vzcf $filename pack shasum -a 256 $filename > $filename.sha256 - - name: Package artifacts - linux + + temp_dir=$(mktemp -d) + trap 'rm -rf "$temp_dir"' EXIT + + tar -xzf $filename -C $temp_dir + syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json" + shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256" + - name: Package artifacts and Generate SBOM JSON file - linux run: | chmod +x pack-linux/pack filename=pack-v${{ env.PACK_VERSION }}-linux.tgz tar -C pack-linux -vzcf $filename pack shasum -a 256 $filename > $filename.sha256 - - name: Package artifacts - windows + + temp_dir=$(mktemp -d) + trap 'rm -rf "$temp_dir"' EXIT + + tar -xzf $filename -C $temp_dir + syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json" + shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256" + - name: Package artifacts and Generate SBOM JSON file - windows run: | filename=pack-v${{ env.PACK_VERSION }}-windows.zip zip -j $filename pack-windows/pack.exe shasum -a 256 $filename > $filename.sha256 + + temp_dir=$(mktemp -d) + trap 'rm -rf "$temp_dir"' EXIT + + unzip $filename -d $temp_dir + syft "$temp_dir" -o cyclonedx-json > "${filename}-sbom.cdx.json" + shasum -a 256 "${filename}-sbom.cdx.json" > "${filename}-sbom.cdx.json.sha256" - name: Extract lifecycle version id: lifecycle_version run: | diff --git a/.github/workflows/delivery-docker.yml b/.github/workflows/delivery-docker.yml index a1395b909..da9522c7d 100644 --- a/.github/workflows/delivery-docker.yml +++ b/.github/workflows/delivery-docker.yml @@ -19,6 +19,7 @@ env: REGISTRY_NAME: 'docker.io' USER_NAME: 'buildpacksio' IMG_NAME: 'pack' + ARCHITECTURES: ["arm64", "amd64", "s390x", "ppc64le"] jobs: deliver-docker: @@ -33,6 +34,8 @@ jobs: base_image: ubuntu:jammy suffix: -base runs-on: ubuntu-latest + permissions: + id-token: write steps: - name: Determine version uses: actions/github-script@v7 @@ -52,8 +55,10 @@ jobs: uses: actions/checkout@v4 with: ref: v${{ steps.version.outputs.result }} - - name: Determine App Name - run: 'echo "IMG_NAME=${{ env.REGISTRY_NAME }}/${{ env.USER_NAME }}/${{ env.IMG_NAME }}" >> $GITHUB_ENV' + - name: Setup Docker Build Environment + run: | + echo "IMG_NAME=${{ env.REGISTRY_NAME }}/${{ env.USER_NAME }}/${{ env.IMG_NAME }}" >> $GITHUB_ENV + echo "${{ env.ARCHITECTURES }}" | jq -r '.[]' > architectures.txt - name: Login to Dockerhub uses: docker/login-action@v3 with: @@ -71,11 +76,58 @@ jobs: --build-arg base_image=${{ matrix.base_image }} \ --provenance=false \ --push - - name: Tag Image as Base - if: ${{ (github.event.release != '' || github.event.inputs.tag_latest) && matrix.config == 'base' }} - run: | - crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }} ${{ env.IMG_NAME }}:base - - name: Tag Image as Latest - if: ${{ (github.event.release != '' || github.event.inputs.tag_latest) && matrix.config != 'base' }} + echo "IMG_DIGEST=$(crane digest ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }})" >> $GITHUB_ENV + - name: Install cosign + uses: sigstore/cosign-installer@v3 + - name: Download and Attach SBOMs + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }} ${{ env.IMG_NAME }}:latest + while IFS= read -r arch; do + pattern=$([ "$arch" = "amd64" ] && echo "pack-v${{ steps.version.outputs.result }}-linux-sbom.cdx.json" || echo "pack-v${{ steps.version.outputs.result }}-linux-${arch}-sbom.cdx.json") + gh release download --pattern "${pattern}" ${{ github.event.release.tag_name }} & + done < architectures.txt + wait + + sign_and_verify() { + local tag=$1 + local alias=${2:-} + + while IFS= read -r arch; do + sbom_json_file=$([ "$arch" = "amd64" ] && echo "pack-v${{ steps.version.outputs.result }}-linux-sbom.cdx.json" || echo "pack-v${{ steps.version.outputs.result }}-linux-${arch}-sbom.cdx.json") + + cosign attach sbom --sbom "$sbom_json_file" \ + --platform "linux/${arch}" \ + "$tag@${IMG_DIGEST}" + done < architectures.txt + + cosign sign -r -y \ + -a version=${{ steps.version.outputs.result }} \ + -a config=${{ matrix.config }} \ + ${alias:+-a alias=$alias} \ + --attachment sbom \ + "$tag@${IMG_DIGEST}" + + cosign verify \ + --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/pack/.github/workflows/delivery-docker.yml" \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + -a version=${{ steps.version.outputs.result }} \ + -a config=${{ matrix.config }} \ + ${alias:+-a alias=$alias} \ + --attachment sbom \ + "$tag@${IMG_DIGEST}" + } + + sign_and_verify "${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }}" + + # Conditionally tag and sign as base + if [[ ("${{ github.event.release }}" != "" || "${{ github.event.inputs.tag_latest }}" == "true") && "${{ matrix.config }}" == "base" ]]; then + crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }} ${{ env.IMG_NAME }}:base + sign_and_verify "${{ env.IMG_NAME }}:base" "base" + fi + + # Conditionally tag and sign as latest + if [[ ("${{ github.event.release }}" != "" || "${{ github.event.inputs.tag_latest }}" == "true") && "${{ matrix.config }}" != "base" ]]; then + crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }} ${{ env.IMG_NAME }}:latest + sign_and_verify "${{ env.IMG_NAME }}:latest" "latest" + fi