release: add keyless signatures and update pipeline (#533)

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

release: add keyless signatures and update pipeline (#533)
790a0b20 · Carlos Tadeu Panato Junior · GitHub · 0d710d71 · 790a0b20 · 790a0b20
Unverified Commit 790a0b20 authored 3 years ago by Carlos Tadeu Panato Junior Committed by GitHub 3 years ago
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -4,12 +4,16 @@ env:
  - GO111MODULE=on
  - CGO_ENABLED=0
  - DOCKER_CLI_EXPERIMENTAL=enabled
+  - COSIGN_EXPERIMENTAL=true

 # Prevents parallel builds from stepping on eachothers toes downloading modules
 before:
  hooks:
    - go mod tidy

+gomod:
+  proxy: true
+
 builds:
  - id: rekor-server-linux
    binary: rekor-server-linux-{{ .Arch }}
@@ -65,7 +69,13 @@ builds:
 signs:
  - signature: "${artifact}.sig"
    cmd: cosign
-    args: ["sign-blob", "--output", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
+    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
+    artifacts: binary
+  # Keyless
+  - id: cosign-keyless
+    signature: "${artifact}-keyless.sig"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "${artifact}"]
    artifacts: binary

 archives:

--- a/release/README.md
+++ b/release/README.md
@@ -19,12 +19,19 @@ and a list of authors by running:
 git log --pretty="* %an" --after="YYYY-MM-DD" | sort -u
 ```

+2. Tag the repository

-2. Submit the cloudbuild Job using the following command:
+```shell
+$ export RELEASE_TAG=<release version, eg "v1.1.0">
+$ git tag -s ${RELEASE_TAG} -m "${RELEASE_TAG}"
+$ git push origin ${RELEASE_TAG}
+```
+
+3. Submit the cloudbuild Job using the following command:

 ```shell
 $ gcloud builds submit --config <PATH_TO_CLOUDBUILD> \
-   --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=rekor,_TOOL_REF=main,_STORAGE_LOCATION=rekor-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME> \
+   --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=rekor,_STORAGE_LOCATION=rekor-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME> \
   --project <GCP_PROJECT>
 ```

@@ -35,22 +42,20 @@ Where:
 - `_GIT_TAG` is the release version we are publishing, this will also create the GitHub Tag.
 - `_TOOL_ORG` is the GitHub Org we will use. Default `sigstore`.
 - `_TOOL_REPO` is the repository we will use to clone. Default `cosign`.
- `_TOOL_REF` is the branch we will use to cut a release. Default `main`.
 - `_STORAGE_LOCATION` where to push the built artifacts. Default `cosign-releases`.
 - `_KEY_RING` key ring name of your cosign key.
 - `_KEY_NAME` key name of your  cosign key.
 - `_KEY_VERSION` version of the key storaged in KMS. Default `1`.
 - `_KEY_LOCATION` location in GCP where the key is storaged. Default `global`.

-
-3. When the job finish, whithout issues, you should be able to see in GitHub a draft release.
+4. When the job finish, whithout issues, you should be able to see in GitHub a draft release.
 You now can review the release, make any changes if needed and then publish to make it an official release.

-4. Send an annoucement email to `sigstore-dev@googlegroups.com` mailling list
+5. Send an annoucement email to `sigstore-dev@googlegroups.com` mailling list

-5. Tweet about the new release with a fun new trigonometry pun!
+6. Tweet about the new release with a fun new trigonometry pun!

-6. Honk!
+7. Honk!

 #### After the release:


--- a/release/cloudbuild.yaml
+++ b/release/cloudbuild.yaml
@@ -29,8 +29,8 @@ steps:
  - '-c'
  - |
    git fetch
-    echo "Checking out ${_TOOL_REF}"
-    git checkout ${_TOOL_REF}
+    echo "Checking out ${_GIT_TAG}"
+    git checkout ${_GIT_TAG}

 - name: 'gcr.io/projectsigstore/cosign:1.3.0@sha256:65de2f3f2844815ed20ab939319e3dad4238a9aaaf4893b22ec5702e9bc33755'
  dir: "go/src/sigstore/rekor"
@@ -38,9 +38,9 @@ steps:
  - 'verify'
  - '--key'
  - 'https://raw.githubusercontent.com/gythialy/golang-cross/master/cosign.pub'
-  - 'ghcr.io/gythialy/golang-cross:v1.17.3-1@sha256:f934a6b0411bbe6723a65732baa8ff7e318cc2d8b089afddb41be3d60d0ea1ae'
+  - 'ghcr.io/gythialy/golang-cross:v1.17.5-0@sha256:f7a5d5a79a47d51790e8e7fb1c699e42db765f063fb47537f8e17afe302be803'

- name: ghcr.io/gythialy/golang-cross:v1.17.3-1@sha256:f934a6b0411bbe6723a65732baa8ff7e318cc2d8b089afddb41be3d60d0ea1ae
+- name: ghcr.io/gythialy/golang-cross:v1.17.5-0@sha256:f7a5d5a79a47d51790e8e7fb1c699e42db765f063fb47537f8e17afe302be803
  entrypoint: /bin/sh
  dir: "go/src/sigstore/rekor"
  env:
@@ -52,15 +52,16 @@ steps:
  - KEY_NAME=${_KEY_NAME}
  - KEY_VERSION=${_KEY_VERSION}
  - GIT_TAG=${_GIT_TAG}
+  - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
+  - COSIGN_EXPERIMENTAL=true
  secretEnv:
  - GITHUB_TOKEN
  args:
    - '-c'
    - |
-      git tag ${_GIT_TAG}
      make release

- name: ghcr.io/gythialy/golang-cross:v1.17.3-1@sha256:f934a6b0411bbe6723a65732baa8ff7e318cc2d8b089afddb41be3d60d0ea1ae
+- name: ghcr.io/gythialy/golang-cross:v1.17.5-0@sha256:f7a5d5a79a47d51790e8e7fb1c699e42db765f063fb47537f8e17afe302be803
  entrypoint: 'bash'
  dir: "go/src/sigstore/rekor"
  env:
@@ -73,13 +74,16 @@ steps:
  - KEY_VERSION=${_KEY_VERSION}
  - GIT_TAG=${_GIT_TAG}
  - KO_PREFIX=gcr.io/${PROJECT_ID}
+  - COSIGN_EXPERIMENTAL=true
+  - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
  secretEnv:
  - GITHUB_TOKEN
  args:
    - '-c'
    - |
      gcloud auth configure-docker \
-      && make sign-container-release
+      && make sign-container-release \
+      && make sign-keyless-release

 availableSecrets:
  secretManager:
@@ -91,6 +95,7 @@ artifacts:
    location: 'gs://${_STORAGE_LOCATION}/${_GIT_TAG}'
    paths:
    - "go/src/sigstore/rekor/dist/rekor*"
+    - "go/src/sigstore/rekor/release/release-cosign.pub"

 options:
  machineType: E2_HIGHCPU_8
@@ -100,13 +105,11 @@ tags:
 - ${_GIT_TAG}
 - ${_TOOL_ORG}
 - ${_TOOL_REPO}
- ${_TOOL_REF}

 substitutions:
  _GIT_TAG: 'v0.0.0'
  _TOOL_ORG: 'honk'
  _TOOL_REPO: 'honk-repo'
-  _TOOL_REF: 'release-honk'
  _STORAGE_LOCATION: 'honk'
  _KEY_RING: 'honk-ring'
  _KEY_NAME: 'honk-crypto'

--- a/release/release.mk
+++ b/release/release.mk
@@ -12,6 +12,10 @@ release:
 snapshot:
 	CLIENT_LDFLAGS="$(CLI_LDFLAGS)" SERVER_LDFLAGS="$(SERVER_LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --rm-dist

+###########################
+# sign with GCP KMS section
+###########################
+
 .PHONY: sign-rekor-server-release
 sign-rekor-server-release:
 	cosign sign --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/rekor-server:$(GIT_VERSION)
@@ -23,6 +27,21 @@ sign-rekor-cli-release:
 .PHONY: sign-container-release
 sign-container-release: ko sign-rekor-server-release sign-rekor-cli-release

+######################
+# sign keyless section
+######################
+
+.PHONY: sign-keyless-rekor-server-release
+sign-keyless-rekor-server-release:
+	cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/rekor-server:$(GIT_VERSION)
+
+.PHONY: sign-keyless-rekor-cli-release
+sign-keyless-rekor-cli-release:
+	cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/rekor-cli:$(GIT_VERSION)
+
+.PHONY: sign-keyless-release
+sign-keyless-release: sign-keyless-rekor-server-release sign-keyless-rekor-cli-release
+
 ## --------------------------------------
 ## Dist / maybe we can deprecate
 ## --------------------------------------