Skip to content

add signed releases#128

Draft
shibumi wants to merge 1 commit intoin-toto:masterfrom
shibumi:shibumi/add-go-releaser
Draft

add signed releases#128
shibumi wants to merge 1 commit intoin-toto:masterfrom
shibumi:shibumi/add-go-releaser

Conversation

@shibumi
Copy link
Copy Markdown
Collaborator

@shibumi shibumi commented Sep 26, 2021

Fixes issue:
None

Description:
This PR adds signed releases via goreleaser and cosign. There are a few missing pieces we have to discuss:

  1. Do we want to push the cosign private key into the repository (it's encrypted, but we could embedded it via github secrets)
  2. Who should generate the private/public key pair

Furthermore, this PR adds a new in-toto version subcommand. Goreleaser does not support SOURCE_DATE_EPOCH for reproducible builds yet, but a PR for this problem is already open: goreleaser/goreleaser#2510

Please verify and check that the pull request fulfills the following
requirements:

  • Tests have been added for the bug fix or new feature
  • Docs have been added for the bug fix or new feature

@shibumi shibumi force-pushed the shibumi/add-go-releaser branch from f6c2b19 to a265a62 Compare September 26, 2021 19:07
@shibumi shibumi marked this pull request as draft September 26, 2021 19:18
SantiagoTorres
SantiagoTorres reviewed Sep 27, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@SantiagoTorres SantiagoTorres left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good!

Comment thread .github/cosign.key Outdated
Comment thread cmd/in-toto/version.go
// but what if the json package has a bug? :/
fmt.Println("commit : ", commit)
fmt.Println("date : ", date)
fmt.Println("version: ", tag)
Copy link
Copy Markdown
Member

@SantiagoTorres SantiagoTorres Sep 27, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Huh this is an interesting way to set the vars. It does seem to be a simple way to do it though...

Copy link
Copy Markdown
Collaborator Author

@shibumi shibumi Sep 27, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about generating a JSON out of this, like kubectl does... would this format be better?

Comment thread .goreleaser.yaml Outdated
@shibumi shibumi force-pushed the shibumi/add-go-releaser branch 2 times, most recently from 5ae173f to 89edb03 Compare September 27, 2021 21:29
@shibumi
Copy link
Copy Markdown
Collaborator Author

shibumi commented Sep 27, 2021

I have made the following changes:

  • We now load the cosign private key via github secrets. Shout-out to @dirien for the workflow :)
  • We use the commitDate instead of Date, thus making the build reproducible.

What needs to be done for getting this merged:

  1. I need to remove the cosign.pub key from this PR
  2. We need to somehow upload a new cosign.pub key and put it in this repository. @SantiagoTorres do you want to be our 'master' key holder or can we even use TUF for this with you as root key holder (has TUF cosign support?!).
  3. In the last step the key holder needs to update the github repository secrets. We need the following two variables:
  • COSIGN_PWD: The password of the cosign private key
  • COSIGN_KEY: The private key for cosign

@shibumi shibumi force-pushed the shibumi/add-go-releaser branch from 89edb03 to a26f653 Compare September 27, 2021 22:20
@shibumi shibumi changed the title WIP: add signed releases add signed releases Sep 27, 2021
@shibumi shibumi marked this pull request as ready for review September 27, 2021 22:21
@shibumi
Copy link
Copy Markdown
Collaborator Author

shibumi commented Sep 27, 2021

I think is ready to merge.. I have removed my test cosign public key. The new master key holder has to push the public key to the repository for enabling the releases via cosign

@adityasaky adityasaky marked this pull request as draft October 1, 2021 18:36
@shibumi shibumi force-pushed the shibumi/add-go-releaser branch 10 times, most recently from cd4821b to 570339c Compare November 8, 2021 23:52
@shibumi
Copy link
Copy Markdown
Collaborator Author

shibumi commented Nov 9, 2021
edited
Loading

Hello everybody,
I have updated my PR for in-toto-golang releases. #128
Instead of using static keys in the Github secret store we are now directly using the Github Actions OIDC issuer. The OIDC issuer provides a workload identity to the github Actions pipeline and signs the binaries with ephemeral public keys. cosign 1.3.0 does not support to store the public keys on disk, hence we have only a signature. The signature alone is not enough to validate the the binaries. The next cosign release will get functionality to automatically retrieve the public key from the rekor transparency log. However, sometimes it is nicer to have the public certificate offline, as well. Hence, I wrote a PR for cosign that implements the missing functionality for storing the public key on disk: sigstore/cosign#1016

Note: The OIDC-Issuer feature is still considered experimental + the public rekor instance may change.

@shibumi shibumi mentioned this pull request Nov 9, 2021
Closed
developer-guy
developer-guy reviewed Nov 9, 2021
View reviewed changes
Comment thread .github/workflows/goreleaser.yml Outdated
developer-guy
developer-guy reviewed Nov 9, 2021
View reviewed changes
Comment thread .github/workflows/goreleaser.yml Outdated
@developer-guy developer-guy mentioned this pull request Nov 10, 2021
Closed
developer-guy
developer-guy reviewed Nov 10, 2021
View reviewed changes
Comment thread .goreleaser.yaml Outdated
@developer-guy
Copy link
Copy Markdown
Contributor

developer-guy commented Nov 10, 2021

friendly ping @shibumi, you might want to take a look at 👇
goreleaser/goreleaser#2659 (comment)

@shibumi shibumi force-pushed the shibumi/add-go-releaser branch from 570339c to 2ab7e8b Compare November 10, 2021 18:18
@shibumi
Copy link
Copy Markdown
Collaborator Author

shibumi commented Nov 10, 2021

@developer-guy I have force-pushed to this branch. Have a look.

@developer-guy
Copy link
Copy Markdown
Contributor

developer-guy commented Nov 10, 2021

@developer-guy I have force-pushed to this branch. Have a look.

LGTM @shibumi, thank you.

@shibumi shibumi force-pushed the shibumi/add-go-releaser branch from 2ab7e8b to 1868e3d Compare December 11, 2021 12:43
@shibumi shibumi force-pushed the shibumi/add-go-releaser branch from 1868e3d to 15751b3 Compare January 2, 2022 19:19
@shibumi
Copy link
Copy Markdown
Collaborator Author

shibumi commented Jan 2, 2022

I have added SBOM generation and updated the goreleaser version

@shibumi shibumi force-pushed the shibumi/add-go-releaser branch from 15751b3 to 4c2b3ef Compare January 2, 2022 19:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SantiagoTorres SantiagoTorres SantiagoTorres left review comments

@adityasaky adityasaky Awaiting requested review from adityasaky

+1 more reviewer

@developer-guy developer-guy developer-guy left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

hacktoberfest hacktoberfest-accepted

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@shibumi @developer-guy @SantiagoTorres @adityasaky