in-toto-golang

add signed releases

Open shibumi opened this issue 2 years ago • 7 comments

Fixes issue: None

Description: This PR adds signed releases via goreleaser and cosign. There are a few missing pieces we have to discuss:

  1. Do we want to push the cosign private key into the repository (it's encrypted, but we could embed it via GitHub secrets)?
  2. Who should generate the private/public key pair?

Furthermore, this PR adds a new in-toto version subcommand. Goreleaser does not support SOURCE_DATE_EPOCH for reproducible builds yet, but a PR for this problem is already open: https://github.com/goreleaser/goreleaser/pull/2510

Please verify and check that the pull request fulfills the following requirements:

  • [X] Tests have been added for the bug fix or new feature
  • [X] Docs have been added for the bug fix or new feature

shibumi avatar Sep 26 '21 18:09 shibumi

I have made the following changes:

  • We now load the cosign private key via github secrets. Shout-out to @dirien for the workflow :)
  • We use the commitDate instead of Date, thus making the build reproducible.

What needs to be done for getting this merged:

  1. I need to remove the cosign.pub key from this PR
  2. We need to somehow upload a new cosign.pub key and put it in this repository. @SantiagoTorres do you want to be our 'master' key holder or can we even use TUF for this with you as root key holder (has TUF cosign support?!).
  3. In the last step the key holder needs to update the github repository secrets. We need the following two variables:
  • COSIGN_PWD: The password of the cosign private key
  • COSIGN_KEY: The private key for cosign

shibumi avatar Sep 27 '21 21:09 shibumi

I think it is ready to merge. I have removed my test cosign public key. The new master key holder has to push the public key to the repository for enabling the releases via cosign.

shibumi avatar Sep 27 '21 22:09 shibumi

Hello everybody, I have updated my PR for in-toto-golang releases: https://github.com/in-toto/in-toto-golang/pull/128. Instead of using static keys in the GitHub secret store we are now directly using the GitHub Actions OIDC issuer. The OIDC issuer provides a workload identity to the GitHub Actions pipeline and signs the binaries with ephemeral public keys. cosign 1.3.0 does not support storing the public keys on disk, hence we only have a signature. The signature alone is not enough to validate the binaries. The next cosign release will get functionality to automatically retrieve the public key from the rekor transparency log. However, sometimes it is nicer to have the public certificate offline as well. Hence, I wrote a PR for cosign that implements the missing functionality for storing the public key on disk: https://github.com/sigstore/cosign/pull/1016

Note: The OIDC-Issuer feature is still considered experimental + the public rekor instance may change.

shibumi avatar Nov 09 '21 01:11 shibumi
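The two comments above describe the same verification problem from two angles: with a static key, a consumer verifies a release artifact against the cosign.pub committed to the repository; with the keyless OIDC flow, the signature is made by an ephemeral key and is useless to a verifier until the matching public key (or the certificate carrying it) is available offline or fetched from rekor. The following Go program is an added illustration, not code from in-toto-golang, cosign or any of the linked PRs. It assumes cosign's `sign-blob` format (ECDSA P-256 over the SHA-256 digest of the blob, ASN.1 DER signature, base64-encoded, with the public key as PKIX PEM); the artifact bytes and the key pairs are constructed in-process to stand in for a release binary and the per-run ephemeral key. Every function name is the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// ephemeralKey stands in for the per-run key the keyless flow generates;
// in the static-key setup this would be the long-lived cosign key instead.
func ephemeralKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// publicKeyPEM encodes the public half as PKIX PEM, the shape of a cosign.pub
// file committed to a repository (assumed format).
func publicKeyPEM(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// signBlob mimics `cosign sign-blob` with a key: hash the artifact with
// SHA-256, sign the digest with ECDSA, base64 the DER signature (assumed format).
func signBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// verifyBlob is the consumer's side. It needs three inputs: the artifact,
// the signature and the public key. With only the first two (the situation
// the thread describes for cosign 1.3.0 keyless signing) there is nothing
// to check the signature against, so publishing the key or certificate
// alongside the signature is what makes a release verifiable offline.
func verifyBlob(pubPEM string, blob []byte, sigB64 string) (bool, error) {
	block, _ := pem.Decode([]byte(pubPEM))
	if block == nil || block.Type != "PUBLIC KEY" {
		return false, errors.New("no PUBLIC KEY block in PEM input")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false, err
	}
	ecPub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("public key is not ECDSA")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig), nil
}

func main() {
	// Constructed stand-in for a release binary.
	artifact := []byte("in-toto-golang release artifact (constructed sample bytes)")

	priv, err := ephemeralKey()
	if err != nil {
		panic(err)
	}
	sig, err := signBlob(priv, artifact)
	if err != nil {
		panic(err)
	}
	pubPEM, err := publicKeyPEM(&priv.PublicKey)
	if err != nil {
		panic(err)
	}

	ok, err := verifyBlob(pubPEM, artifact, sig)
	fmt.Printf("genuine artifact, matching key: ok=%v err=%v\n", ok, err)

	ok, err = verifyBlob(pubPEM, append([]byte("tampered "), artifact...), sig)
	fmt.Printf("tampered artifact, matching key: ok=%v err=%v\n", ok, err)

	other, _ := ephemeralKey()
	otherPEM, _ := publicKeyPEM(&other.PublicKey)
	ok, err = verifyBlob(otherPEM, artifact, sig)
	fmt.Printf("genuine artifact, unrelated key: ok=%v err=%v\n", ok, err)
}
```

This covers only the signature-to-key relationship. In the keyless flow the public key arrives inside a short-lived certificate, so a real verifier must additionally check that certificate's chain to the Fulcio root and that its subject and OIDC issuer claims identify the expected GitHub Actions workflow; a signature that verifies under an arbitrary certificate proves nothing about who built the release.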

friendly ping @shibumi, you might want to take a look at 👇 https://github.com/goreleaser/goreleaser/issues/2659#issuecomment-965047628

developer-guy avatar Nov 10 '21 12:11 developer-guy

@developer-guy I have force-pushed to this branch. Have a look.

shibumi avatar Nov 10 '21 18:11 shibumi

> @developer-guy I have force-pushed to this branch. Have a look.

LGTM @shibumi, thank you.

developer-guy avatar Nov 10 '21 18:11 developer-guy

I have added SBOM generation and updated the goreleaser version

shibumi avatar Jan 02 '22 19:01 shibumi