
ci: sign artifacts using cosign

Open mohammed90 opened this issue 1 year ago • 2 comments

I followed this guide by @shibumi: https://shibumi.dev/posts/keyless-signatures-with-github-actions/. To test and validate it works, I may need to create a release in a dummy repo. Thoughts?

@shibumi, can you please take a look? 🙂

mohammed90 avatar Jul 25 '22 14:07 mohammed90

Matt will need to upload a key somewhere I guess? Does it use the same GPG keys we've been using to sign the tags and CloudSmith?

francislavoie avatar Jul 25 '22 14:07 francislavoie

> Matt will need to upload a key somewhere I guess? Does it use the same GPG keys we've been using to sign the tags and CloudSmith?

Nope, it uses ephemeral keys. See this: https://shibumi.dev/posts/first-look-into-cosign/

mohammed90 avatar Jul 25 '22 14:07 mohammed90

Let's give this a try for the beta releases of v2.6.

As discussed in Slack, we're not committing to always sign releases this way, nor are we saying that only releases signed this way are trustworthy. But I'm curious to try it out. I'm a little nervous about so many moving pieces, external services, etc., that have to work just right and be up and working perfectly for us to do releases. But if it's zero-effort other than this PR, I'm down for trying it!

mholt avatar Sep 02 '22 23:09 mholt

@mholt little note: GitHub plans to support the sigstore stack in the future. It's the correct bet on the future:

  • https://devclass.com/2022/08/09/github-proposes-sigstore-adoption-to-link-npm-packages-to-their-source-faces-dev-pushback/
  • https://www.wired.com/story/github-code-signing-sigstore/

shibumi avatar Sep 04 '22 18:09 shibumi

@mohammed90 sorry, I totally missed this PR :/ I was busy in June with a new job and everything. It looks good to me, but this also needs documentation for the end user. It's not clear how to validate these signatures.

shibumi avatar Sep 04 '22 18:09 shibumi

Docs would be welcome indeed. I was expecting a PGP/SSH/minisign signature. Took a while to get here and realize this is new with Caddy, along with the format. I tried cosign verify-blob and COSIGN_EXPERIMENTAL=1 cosign verify-blob, and failed validating with both. (cosign is 1.11.1.)

vszakats avatar Sep 08 '22 22:09 vszakats

Thanks for the signature improvements! With stable 2.6.0, results are better, and a little weird, though it's well possible this isn't the way a release blob is supposed to be verified (= some guidance would most definitely help):

$ cosign verify-blob --signature caddy_2.6.0_checksums.txt.sig --cert caddy_2.6.0_checksums.txt.pem caddy_2.6.0_checksums.txt 
tuf: warning using deprecated ecdsa hex-encoded keys
[the same "tuf: warning using deprecated ecdsa hex-encoded keys" line repeated 48 more times]
Error: verifying blob [caddy_2.6.0_checksums.txt]: certificate expired before signatures were entered in log: 2022-09-20T17:27:06Z is before 2022-09-21T18:17:40Z
main.go:62: error during command execution: verifying blob [caddy_2.6.0_checksums.txt]: certificate expired before signatures were entered in log: 2022-09-20T17:27:06Z is before 2022-09-21T18:17:40Z

vszakats avatar Sep 21 '22 18:09 vszakats

> Thanks for the signature improvements! With stable 2.6.0, results are better, and a little weird, though it's well possible this isn't the way a release blob is supposed to be verified (= some guidance would most definitely help):
>
> $ cosign verify-blob --signature caddy_2.6.0_checksums.txt.sig --cert caddy_2.6.0_checksums.txt.pem caddy_2.6.0_checksums.txt
> [... tuf warnings as in the comment above ...]
> Error: verifying blob [caddy_2.6.0_checksums.txt]: certificate expired before signatures were entered in log: 2022-09-20T17:27:06Z is before 2022-09-21T18:17:40Z

The correct command is:

COSIGN_EXPERIMENTAL=1 cosign verify-blob --certificate ./caddy_2.6.0_checksums.txt.pem --signature ./caddy_2.6.0_checksums.txt.sig ./caddy_2.6.0_checksums.txt

The instructions will be added to the website once this PR is reviewed and merged: https://github.com/caddyserver/website/pull/268

mohammed90 avatar Sep 21 '22 18:09 mohammed90
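As an added example (not code from the Caddy project or from this thread), the script below wraps the verification command above and then checks a downloaded release artifact against the verified checksums file. It assumes the cosign 1.x flags used in the thread, a goreleaser-style checksums file with lines of the form "<hex digest>  <file name>", and that the .sig and .pem files sit beside the checksums file under the names used in this thread.

```shell
#!/bin/sh
# Added example, not code from the Caddy project or this thread. It runs the
# thread's final command (cosign 1.x flags) and then checks a downloaded
# release artifact against the signed checksums file. Assumes a goreleaser
# style checksums file with lines of the form "<hex digest>  <file name>".
set -eu

# Step 1: keyless verification of the checksums file. COSIGN_EXPERIMENTAL=1
# makes cosign look the signature up in the Rekor transparency log, so the
# short-lived signing certificate is judged against the log's integrated
# time. Without it cosign 1.x compares the certificate against "now", which
# is why the plain command in the thread failed a day after the release.
verify_checksums_signature() {  # $1 = checksums file; .sig and .pem alongside
    COSIGN_EXPERIMENTAL=1 cosign verify-blob \
        --certificate "$1.pem" --signature "$1.sig" "$1"
}

# Step 2: look up the artifact in the verified checksums file and recompute
# its digest. The digest length selects the algorithm (64 hex characters is
# SHA-256, 128 is SHA-512); anything else or a missing entry is a failure.
verify_checksum_entry() {  # $1 = checksums file, $2 = downloaded artifact
    name=$(basename "$2")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$1")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    case ${#expected} in
        64)  actual=$(sha256sum "$2" | awk '{ print $1 }') ;;
        128) actual=$(sha512sum "$2" | awk '{ print $1 }') ;;
        *)   echo "unexpected digest length ${#expected} for $name" >&2
             return 1 ;;
    esac
    [ "$expected" = "$actual" ]
}

# Usage: verify_release.sh caddy_2.6.0_checksums.txt caddy_2.6.0_linux_amd64.tar.gz
if [ $# -eq 2 ]; then
    verify_checksums_signature "$1"
    verify_checksum_entry "$1" "$2"
    echo "OK: $2 is listed in $1 and the signature checks out"
fi
```

Outside this thread's cosign version: cosign 2.x no longer needs COSIGN_EXPERIMENTAL and instead requires --certificate-identity and --certificate-oidc-issuer (or their -regexp variants) on verify-blob, so step 1 must be adjusted there.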

@mohammed90 I can confirm your command works as expected. The pending docs are looking good, and very much welcome. Thank you!

vszakats avatar Sep 21 '22 20:09 vszakats