enable the sbom for rekor releases (#586)

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

enable the sbom for rekor releases (#586)
9be5a847 · Carlos Tadeu Panato Junior · GitHub · a61d5f63 · 9be5a847 · 9be5a847
Unverified Commit 9be5a847 authored 3 years ago by Carlos Tadeu Panato Junior Committed by GitHub 3 years ago
--- a/.github/workflows/validate-release.yml
+++ b/.github/workflows/validate-release.yml
@@ -45,6 +45,7 @@ jobs:
      - uses: actions/setup-go@v2
        with:
          go-version: ${{ env.GOVERSION }}
+      - uses: anchore/sbom-action/download-syft@v0.6.0 # installs syft
      - name: Install GoReleaser
        uses: goreleaser/goreleaser-action@v2
        with:

--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -14,6 +14,9 @@ before:
 gomod:
  proxy: true

+sboms:
+- artifacts: binary
+
 builds:
  - id: rekor-server-linux
    binary: rekor-server-linux-{{ .Arch }}
@@ -72,11 +75,18 @@ signs:
    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
    artifacts: binary
  # Keyless
-  - id: cosign-keyless
+  - id: rekor-keyless
    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
    cmd: cosign
-    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "${artifact}"]
+    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
    artifacts: binary
+  - id: checksum-keyless
+    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
+    artifacts: checksum

 archives:
  - format: binary
@@ -97,5 +107,3 @@ release:
    name: rekor
  footer: |
    ### Thanks for all contributors!
-  extra_files:
-    - glob: "./release/release-cosign.pub"
--- a/release/cloudbuild.yaml
+++ b/release/cloudbuild.yaml
@@ -34,13 +34,16 @@ steps:

 - name: 'gcr.io/projectsigstore/cosign:v1.4.1@sha256:502d5130431e45f28c51d2c24a05ef5ccd3fd916bcc91db0c8bee3a81e09a0bb'
  dir: "go/src/sigstore/rekor"
+  env:
+  - COSIGN_EXPERIMENTAL=true
+  - TUF_ROOT=/tmp
  args:
  - 'verify'
  - '--key'
  - 'https://raw.githubusercontent.com/gythialy/golang-cross/main/cosign.pub'
-  - 'ghcr.io/gythialy/golang-cross:v1.17.5-1@sha256:f6cc024baf829eaa61972c7fd20d0d62bf9faad31246fd61d9d78fc122cbcd29'
+  - 'ghcr.io/gythialy/golang-cross:v1.17.5-4@sha256:e1ae043ca969c0b46bb23aa3dd0443a9271c2f665513168091864aa3b751f12a'

- name: ghcr.io/gythialy/golang-cross:v1.17.5-1@sha256:f6cc024baf829eaa61972c7fd20d0d62bf9faad31246fd61d9d78fc122cbcd29
+- name: ghcr.io/gythialy/golang-cross:v1.17.5-4@sha256:e1ae043ca969c0b46bb23aa3dd0443a9271c2f665513168091864aa3b751f12a
  entrypoint: /bin/sh
  dir: "go/src/sigstore/rekor"
  env:
@@ -61,7 +64,7 @@ steps:
    - |
      make release

- name: ghcr.io/gythialy/golang-cross:v1.17.5-1@sha256:f6cc024baf829eaa61972c7fd20d0d62bf9faad31246fd61d9d78fc122cbcd29
+- name: ghcr.io/gythialy/golang-cross:v1.17.5-4@sha256:e1ae043ca969c0b46bb23aa3dd0443a9271c2f665513168091864aa3b751f12a
  entrypoint: 'bash'
  dir: "go/src/sigstore/rekor"
  env: