Cosign integration. Docker images signature and validation in github …

…actions.
groldan · Jul 2, 2024 · 2d1e3a9 · 2d1e3a9
1 parent 597051f
commit 2d1e3a9
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 4 deletions.
diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
@@ -21,6 +21,9 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
+    - name: Install Cosign
+      uses: sigstore/[email protected]
+
     - name: Login to Docker Hub
       uses: docker/login-action@v1
       with:
@@ -31,16 +34,14 @@ jobs:
       uses: actions/checkout@v2
       with:
         submodules: recursive
+
     - name: Setup Java
       uses: actions/setup-java@v2
       with:
         distribution: 'temurin'
         java-version: '21'
         cache: 'maven'
 
-    - name: Validate source code formatting
-      run: make lint
-
     - name: Build without tests
       run: |
         make install
@@ -57,3 +58,19 @@ jobs:
       run: |
         rm -rf ~/.m2/repository/org/geoserver
         find ~/.m2/repository -name "*SNAPSHOT*" -type d | xargs rm -rf {}
+
+    - name: Sign images
+      if: ${{ startsWith(github.ref, 'refs/tags/') }}
+      env:
+        COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      run: |
+        make sign-image
+
+    - name: Verify image signatures
+      if: ${{ startsWith(github.ref, 'refs/tags/') }}
+      env:
+        COSIGN_PUB_KEY: ${{ secrets.COSIGN_PUB_KEY }}
+        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      run: |
+        make verify-image
diff --git a/Makefile b/Makefile
@@ -1,6 +1,7 @@
 all: install test build-image
 
 TAG=`mvn help:evaluate -Dexpression=project.version -q -DforceStdout`
+COSIGN_PASSWORD := $(COSIGN_PASSWORD)
 
 clean:
 	./mvnw clean
@@ -17,7 +18,6 @@ install:
 test:
 	./mvnw verify -ntp -T4
 
-
 build-base-images:
 	./mvnw clean package -f src/apps/base-images -DksipTests -T4 && \
 	COMPOSE_DOCKER_CLI_BUILD=1 \
@@ -47,3 +47,34 @@ push-image:
 	-f docker-build/infrastructure.yml \
 	-f docker-build/geoserver.yml \
 	push
+
+.PHONY: sign-image
+sign-image:
+	@bash -c '\
+	images=$$(docker images --format "{{.Repository}}@{{.Digest}}" | grep "geoserver-cloud-"); \
+	for image in $$images; do \
+	  echo "Signing $$image"; \
+	  output=$$(cosign sign --yes --key env://COSIGN_KEY --recursive $$image 2>&1); \
+	  if [ $$? -ne 0 ]; then \
+	    echo "Error occurred: $$output"; \
+	    exit 1; \
+	  else \
+	    echo "Signing successful: $$output"; \
+	  fi; \
+	done'
+
+.PHONY: verify-image
+verify-image:
+	@bash -c '\
+	images=$$(docker images --format "{{.Repository}}@{{.Digest}}" | grep "geoserver-cloud-"); \
+	for image in $$images; do \
+	  echo "Verifying $$image"; \
+	  output=$$(cosign verify --key env://COSIGN_PUB_KEY $$image 2>&1); \
+	  if [ $$? -ne 0 ]; then \
+	    echo "Error occurred: $$output"; \
+	    exit 1; \
+	  else \
+	    echo "Verification successful: $$output"; \
+	  fi; \
+	done'
+