chore: use cosign for binaries and docker #262

apigee · Aug 17, 2023 · 9cfaf43 · 9cfaf43
1 parent 9c75e3c
commit 9cfaf43
Show file tree

Hide file tree

Showing 9 changed files with 70 additions and 216 deletions.
diff --git a/.gcloudignore b/.gcloudignore
@@ -16,7 +16,5 @@ docs/
 test/
 
 README.md
-third-party-licenses.md
-LICENSE.txt
 CONTRIBUTING.md
 downloadLatest.sh
diff --git a/.github/workflows/docker-cloudbuild.yml b/.github/workflows/docker-cloudbuild.yml
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: Docker
+name: Cloud Builder Docker
 
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
@@ -22,15 +22,13 @@ name: Docker
 on:
   push:
     # Publish semver tags as releases.
-    tags:        
-      - v1.[0-9]+
-      - v1.[0-9]+.[0-9]+-beta
+    tags:
+      - v[0-1].[0-9]+
+      - v[0-1].[0-9]+.[0-9]+-beta
 
 env:
-  # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
-  IMAGE_NAME: ${{ github.repository }}
+  IMAGE_NAME: apigee/apigeecli
 
 
 jobs:
@@ -52,9 +50,8 @@ jobs:
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: "v1.13.1"
+        uses: sigstore/[email protected]
+
 
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
@@ -82,22 +79,20 @@ jobs:
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
+        uses: docker/build-push-action@v4.0.0
         with:
           context: .
+          file: Dockerfile.builder
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
-      - name: Sign the published Docker image
-        if: ${{ github.event_name != 'pull_request' }}
+      # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+      - name: Sign image with a key
+        run: |
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${TAGS}@${DIGEST}"
         env:
-          COSIGN_EXPERIMENTAL: "true"
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
-        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.docker_meta.outputs.tags }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
diff --git a/.github/workflows/gorelease-action.yml b/.github/workflows/gorelease-action.yml
@@ -17,7 +17,7 @@ name: apigeecli-release
 on:
   push:
     # Publish semver tags as releases.
-    tags:        
+    tags:
       - v1.[0-9]+
       - v1.[0-9]+.[0-9]+-beta
 
@@ -32,34 +32,26 @@ jobs:
           #go-version: '>=1.18.0'
           go-version-file: './go.mod'
           check-latest: true
-          
+
       - name: Reviewdog Lint
         uses: reviewdog/action-golangci-lint@v1
         with:
-          reporter: github-check          
+          reporter: github-check
 
-      - name: 'Install upx'
-        run: |
-          sudo apt-get update -y
-          sudo apt-get install -y upx
-          export GPG_TTY=$(tty)
+      - name: Write private key to disk
+        run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > /tmp/cosign.key
 
-      - name: Import GPG key
-        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v5
-        with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.PASSPHRASE }}
+      - uses: sigstore/cosign-installer@main
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v3
         with:
           distribution: goreleaser
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
           GITHUB_TOKEN: ${{ secrets.TOKEN }}
-          GPG_FINGERPRINT: ${{ secrets.FINGERPRINT }}
 
       - name: Upload assets
         uses: actions/upload-artifact@v3

diff --git a/Dockerfile b/Dockerfile
@@ -31,8 +31,11 @@ RUN go mod download
 RUN date +%FT%H:%I:%M+%Z > /tmp/date
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -buildvcs=true -a -gcflags='all="-l"' -ldflags='-s -w -extldflags "-static" -X main.version='${TAG}' -X main.commit='${COMMIT}' -X main.date='$(cat /tmp/date) -o /go/bin/apigeecli /go/src/apigeecli/main.go
 
-FROM gcr.io/distroless/static-debian11
-COPY --from=builder /go/bin/apigeecli /
+FROM ghcr.io/jqlang/jq:latest as jq
+
+# use debug because it includes busybox
+FROM gcr.io/distroless/static-debian11:debug
+COPY --from=builder /go/bin/apigeecli /usr/local/bin/apigeecli
 COPY LICENSE.txt /
 COPY third-party-licenses.txt /
-CMD ["/apigeecli"]
+COPY --from=jq /jq /usr/local/bin/jq
diff --git a/Dockerfile.builder b/Dockerfile.builder
diff --git a/README.md b/README.md
@@ -14,36 +14,6 @@ This is a tool to interact with [Apigee APIs](https://cloud.google.com/apigee/do
 curl -L https://raw.githubusercontent.com/apigee/apigeecli/main/downloadLatest.sh | sh -
 ```
 
-NOTE: The signature is not verified and the original zip is not preserved.
-
-<details>
-  <summary>Signature Verification</summary>
-
-### Signature Verification
-To test the signature of the binary, import the gpg public key:
-
-```sh
-gpg --recv-keys --keyserver keyserver.ubuntu.com A714872F32F34390
-gpg: key A714872F32F34390: public key "apigeecli (apigeecli) <[email protected]>" imported
-gpg: Total number processed: 1
-gpg:               imported: 1
-```
-
-Use curl or wget to download the zip and sig files. Verify using:
-
-```sh
-gpg --verify apigeecli_<signature-file>.sig apigeecli_<original-file>.zip
-gpg: Signature made Thu 05 May 2022 05:58:11 PM UTC
-gpg:                using RSA key 72D11E3A3B1E9FE22110EC45A714872F32F34390
-gpg:                issuer "[email protected]"
-gpg: Good signature from "apigeecli (apigeecli) <[email protected]>" [unknown]
-gpg: WARNING: This key is not certified with a trusted signature!
-gpg:          There is no indication that the signature belongs to the owner.
-Primary key fingerprint: 72D1 1E3A 3B1E 9FE2 2110  EC45 A714 872F 32F3 4390
-```
-
-</details>
-
 ## Getting Started
 
 ### User Tokens
@@ -339,6 +309,38 @@ x-google-jwt-locations:
 ```
 
 query parameters are ignored. By default, if no location is specified, the JWT location is the `Authorization` header and value_prefix is `Bearer <token>`
+
+## How do I verify the binary?
+
+All artifacts are signed by [cosign](https://github.com/sigstore/cosign). We recommend verifying any artifact before using them.
+
+You can use the following public key to verify any `apigeecli` binary with:
+
+```sh
+cat cosign.pub
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgjcKEyPi18vd6Zk5/ggAkH6CLSy3
+C8gzi5q3xsycjI7if5FABk7bfciR4+g32H8xTl4mVHhHuz6I6FBG24/nuQ==
+-----END PUBLIC KEY-----
+
+cosign verify-blob --key=cosign.pub --signature apigeecli_<platform>_<arch>.zip.sig apigeecli_<platform>_<arch>.zip
+```
+
+Where `platform` can be one of `Darwin`, `Linux` or `Windows` and arch (architecture) can be one of `arm64` or `x86_64`
+
+## How do I verify the apigeecli containers?
+
+All images are signed by [cosign](https://github.com/sigstore/cosign). We recommend verifying any container before using them.
+
+```sh
+cat cosign.pub
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgjcKEyPi18vd6Zk5/ggAkH6CLSy3
+C8gzi5q3xsycjI7if5FABk7bfciR4+g32H8xTl4mVHhHuz6I6FBG24/nuQ==
+-----END PUBLIC KEY-----
+
+cosign verify --key=cosign.pub ghcr.io/apigee/apigeecli:latest
+```
 ___
 
 ## Support

diff --git a/cloud-builder.yaml b/cloud-builder.yaml
@@ -11,15 +11,15 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# gcloud builds submit --config=cloud-builder.yaml --project=project-name 
+# gcloud builds submit --config=cloud-builder.yaml --project=project-name
 steps:
 # Build the container image
 - name: 'gcr.io/cloud-builders/docker'
-  args: ['build', '-t', 'gcr.io/$PROJECT_ID/apigeecli-builder', '-f', 'Dockerfile.builder', '.']
+  args: ['build', '-t', 'gcr.io/$PROJECT_ID/apigeecli', '-f', 'Dockerfile', '.']
 # Push the container image to Container Registry
 - name: 'gcr.io/cloud-builders/docker'
   args: ['push', 'gcr.io/$PROJECT_ID/apigeecli-builder']
 options:
   env: ["DEBUG=true"]
   machineType: N1_HIGHCPU_8
-  logging: CLOUD_LOGGING_ONLY 
+  logging: CLOUD_LOGGING_ONLY
diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgjcKEyPi18vd6Zk5/ggAkH6CLSy3
+C8gzi5q3xsycjI7if5FABk7bfciR4+g32H8xTl4mVHhHuz6I6FBG24/nuQ==
+-----END PUBLIC KEY-----