particle-os/particle-os-cli
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: Remove check for specific branches for signing (#114)

Browse source
This commit is contained in:
Gerald Pinder 2024-03-05 09:18:43 -05:00 committed by GitHub
parent e6f97d4258
commit de49037330
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 68 additions and 97 deletions
Download patch file Download diff file Expand all files Collapse all files

10
.github/workflows/build-pr.yml vendored
View file

@ -94,9 +94,11 @@ jobs:
BB_BUILDKIT_CACHE_GHA: "true"
GH_TOKEN: ${{ github.token }}
GH_PR_EVENT_NUMBER: ${{ github.event.number }}
COSIGN_PRIVATE_KEY: ${{ secrets.TEST_SIGNING_SECRET }}
run: |
cd integration-tests/test-repo
echo -n "\n\n" | cosign generate-key-pair
export COSIGN_PRIVATE_KEY=$(cat cosign.key)
rm cosign.key
bluebuild build --push -vv
if [ -n "$GH_TOKEN" ] && [ -n "$COSIGN_PRIVATE_KEY" ]; then
bluebuild build --push -vv
else
bluebuild build -vv
fi

4
.github/workflows/build.yml vendored
View file

@ -108,9 +108,7 @@ jobs:
BB_BUILDKIT_CACHE_GHA: "true"
GH_TOKEN: ${{ github.token }}
GH_PR_EVENT_NUMBER: ${{ github.event.number }}
COSIGN_PRIVATE_KEY: ${{ secrets.TEST_SIGNING_SECRET }}
run: |
cd integration-tests/test-repo
echo -n "\n\n" | cosign generate-key-pair
export COSIGN_PRIVATE_KEY=$(cat cosign.key)
rm cosign.key
bluebuild build --push -vv

2
.gitignore vendored
View file

@ -2,6 +2,8 @@
.sccache/
.vscode/
cosign.key
# Local testing for bluebuild recipe files
/config/*
/Containerfile

4
cosign.pub Normal file
View file

@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmljzkrD93JsnDGEaa5FCI0BPgZCa
vNO6CI08UCNWIT5osG+Tt8AWcVze1oXzCR1ifBUCy/znZ8JLLnUuL/2TGQ==
-----END PUBLIC KEY-----

6
integration-tests/Earthfile
View file

@ -72,6 +72,8 @@ secureblue-base:
RUN rm -fr /test
GIT CLONE https://github.com/secureblue/secureblue.git /test
DO +GEN_KEYPAIR
test-base:
ARG NIGHTLY=false
@ -82,6 +84,10 @@ test-base:
WORKDIR /test
COPY ./test-repo /test
DO +GEN_KEYPAIR
GEN_KEYPAIR:
FUNCTION
# Setup a cosign key pair
RUN echo -n "\n\n" | cosign generate-key-pair
ENV COSIGN_PRIVATE_KEY=$(cat cosign.key)

4
integration-tests/test-repo/cosign.pub Normal file
View file

@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgJYNEq43hrKPwWgWah14yBOUjMCd
1eG8hOwIbOTSRq+siTLep8G2m5FSYit/ea+H+0IXZS0ruLdgzoPUI7Babw==
-----END PUBLIC KEY-----

135
src/commands/build.rs
View file

@ -471,21 +471,53 @@ fn sign_images(image_name: &str, tag: Option<&str>) -> Result<()> {
let image_name_tag = tag.map_or_else(|| image_name.to_owned(), |t| format!("{image_name}:{t}"));
match (
// GitLab specific vars
env::var(CI_DEFAULT_BRANCH),
env::var(CI_COMMIT_REF_NAME),
env::var(CI_PROJECT_URL),
env::var(CI_SERVER_PROTOCOL),
env::var(CI_SERVER_HOST),
env::var(SIGSTORE_ID_TOKEN),
// GitHub specific vars
env::var(GITHUB_TOKEN),
env::var(GITHUB_EVENT_NAME),
env::var(GITHUB_REF_NAME),
env::var(GITHUB_WORKFLOW_REF),
// Cosign public/private key pair
env::var(COSIGN_PRIVATE_KEY),
) {
// Cosign public/private key pair
(_, _, _, _, _, _, _, Ok(cosign_private_key))
if !cosign_private_key.is_empty() && Path::new(COSIGN_PATH).exists() =>
{
info!("Signing image: {image_digest}");
trace!("cosign sign --key=env://COSIGN_PRIVATE_KEY {image_digest}");
if Command::new("cosign")
.arg("sign")
.arg("--key=env://COSIGN_PRIVATE_KEY")
.arg(&image_digest)
.status()?
.success()
{
info!("Successfully signed image!");
} else {
bail!("Failed to sign image: {image_digest}");
}
trace!("cosign verify --key {COSIGN_PATH} {image_name_tag}");
if !Command::new("cosign")
.arg("verify")
.arg(format!("--key={COSIGN_PATH}"))
.arg(&image_name_tag)
.status()?
.success()
{
bail!("Failed to verify image!");
}
}
// Gitlab keyless
(
Ok(ci_default_branch),
Ok(ci_commit_ref),
Ok(ci_project_url),
Ok(ci_server_protocol),
Ok(ci_server_host),
@ -493,12 +525,8 @@ fn sign_images(image_name: &str, tag: Option<&str>) -> Result<()> {
_,
_,
_,
_,
_,
) if ci_default_branch == ci_commit_ref => {
trace!("CI_PROJECT_URL={ci_project_url}, CI_DEFAULT_BRANCH={ci_default_branch}, CI_COMMIT_REF_NAME={ci_commit_ref}, CI_SERVER_PROTOCOL={ci_server_protocol}, CI_SERVER_HOST={ci_server_host}");
debug!("On default branch");
) => {
trace!("CI_PROJECT_URL={ci_project_url}, CI_DEFAULT_BRANCH={ci_default_branch}, CI_SERVER_PROTOCOL={ci_server_protocol}, CI_SERVER_HOST={ci_server_host}");
info!("Signing image: {image_digest}");
@ -535,73 +563,9 @@ fn sign_images(image_name: &str, tag: Option<&str>) -> Result<()> {
bail!("Failed to verify image!");
}
}
(
_,
_,
_,
_,
_,
_,
_,
Ok(github_event_name),
Ok(github_ref_name),
_,
Ok(cosign_private_key),
) if github_event_name != "pull_request"
&& (github_ref_name == "live" || github_ref_name == "main")
&& !cosign_private_key.is_empty()
&& Path::new(COSIGN_PATH).exists() =>
{
trace!("GITHUB_EVENT_NAME={github_event_name}, GITHUB_REF_NAME={github_ref_name}");
debug!("On live branch");
info!("Signing image: {image_digest}");
trace!("cosign sign --key=env://COSIGN_PRIVATE_KEY {image_digest}");
if Command::new("cosign")
.arg("sign")
.arg("--key=env://COSIGN_PRIVATE_KEY")
.arg(&image_digest)
.status()?
.success()
{
info!("Successfully signed image!");
} else {
bail!("Failed to sign image: {image_digest}");
}
trace!("cosign verify --key {COSIGN_PATH} {image_name_tag}");
if !Command::new("cosign")
.arg("verify")
.arg(format!("--key={COSIGN_PATH}"))
.arg(&image_name_tag)
.status()?
.success()
{
bail!("Failed to verify image!");
}
}
(
_,
_,
_,
_,
_,
_,
Ok(_),
Ok(github_event_name),
Ok(github_ref_name),
Ok(github_worflow_ref),
_,
) if github_event_name != "pull_request"
&& (github_ref_name == "live" || github_ref_name == "main") =>
{
trace!("GITHUB_EVENT_NAME={github_event_name}, GITHUB_REF_NAME={github_ref_name}, GITHUB_WORKFLOW_REF={github_worflow_ref}");
debug!("On {github_ref_name} branch");
// GitHub keyless
(_, _, _, _, _, Ok(_), Ok(github_worflow_ref), _) => {
trace!("GITHUB_WORKFLOW_REF={github_worflow_ref}");
info!("Signing image {image_digest}");
@ -631,7 +595,7 @@ fn sign_images(image_name: &str, tag: Option<&str>) -> Result<()> {
bail!("Failed to verify image!");
}
}
_ => debug!("Not running in CI with cosign variables, not signing"),
_ => warn!("Not running in CI with cosign variables, not signing"),
}
Ok(())
@ -664,20 +628,11 @@ fn get_image_digest(image_name: &str, tag: Option<&str>) -> Result<String> {
fn check_cosign_files() -> Result<()> {
trace!("check_for_cosign_files()");
match (
env::var(GITHUB_EVENT_NAME).ok(),
env::var(GITHUB_REF_NAME).ok(),
env::var(COSIGN_PRIVATE_KEY).ok(),
) {
(Some(github_event_name), Some(github_ref_name), Some(_))
if github_event_name != "pull_request"
&& (github_ref_name == "live" || github_ref_name == "main")
&& Path::new(COSIGN_PATH).exists() =>
{
match env::var(COSIGN_PRIVATE_KEY).ok() {
Some(cosign_priv_key) if !cosign_priv_key.is_empty() && Path::new(COSIGN_PATH).exists() => {
env::set_var("COSIGN_PASSWORD", "");
env::set_var("COSIGN_YES", "true");
debug!("Building on live branch, checking cosign files");
trace!("cosign public-key --key env://COSIGN_PRIVATE_KEY");
let output = Command::new("cosign")
.arg("public-key")
@ -703,7 +658,7 @@ fn check_cosign_files() -> Result<()> {
}
}
_ => {
debug!("Not building on live branch or {COSIGN_PATH} doesn't exist, skipping cosign file check");
warn!("{COSIGN_PATH} doesn't exist, skipping cosign file check");
Ok(())
}
}