Add signing of binaries using Cosign

hslatman · Aug 13, 2021 · e2437ee · e2437ee
1 parent df09e3a
commit e2437ee
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 9 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: Go
+name: Build & Release
 
 on:
   #push:
@@ -32,15 +32,55 @@ jobs:
 
     - name: Test
       run: go test -v ./...
+
+  release:
+    needs: build
+    env:
+      #DOCKER_CLI_EXPERIMENTAL: "enabled"
+      #UPX_VERSION: "3.96"
+      COSIGN_KEY_LOCATION: "/tmp/cosign.key"
+    runs-on: ubuntu-latest
+    #if: success() && startsWith(github.ref, 'refs/tags/')
+    if: success()
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
 
-    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@56f5b77f7fa4a8fe068bf22b732ec036cc9bc13f # using commit hash instead of 'v2' because this uses the GITHUB_TOKEN, see https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
-      with:
-        version: latest
-        args: release --rm-dist
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        GO_VERSION: ${{ matrix.go-version }}
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+
+      - uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.0.0'
+
+      - name: install cosign private key
+        run: 'echo "$COSIGN_KEY" > $COSIGN_KEY_LOCATION'
+        shell: bash
+        env:
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@56f5b77f7fa4a8fe068bf22b732ec036cc9bc13f # using commit hash instead of 'v2' because this uses the GITHUB_TOKEN, see https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          GO_VERSION: 1.16
+
+      # - name: set version as env
+      #   run: |
+      #     tag=$(git describe --tags --abbrev=0 | tr --delete v)
+      #     echo "version=$tag" >> $GITHUB_ENV
+
+      # - name: Sign the image
+      #   run: |
+      #     echo -n "${{secrets.COSIGN_PASSWORD}}" | cosign sign -key $COSIGN_KEY_LOCATION ghcr.io/hslatman/mud-cli:${{ env.version }}-amd64
 
 
     # only continue if the tag was pushed onto the main branch

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -41,6 +41,11 @@ builds:
     # .XXX variables come from GoReleaser name templates, see https://goreleaser.com/customization/templates/
     #ldflags:
     # - -s -w -X main.version={{.Tag}} -X main.date={{.Date}} -X main.goVersion={{.Env.GO_VERSION}} -X main.platform={{.Os}}/{{.Arch}} -X main.commit={{.Commit}}
+    hooks:
+      post:
+        #- upx "{{ .Path }}"
+        - sh -c "cosign sign-blob -key $COSIGN_KEY_LOCATION {{ .Path }} > dist/{{ .ProjectName }}_{{ .Tag }}_{{ .Target }}.sig"
+
 
 
 # The binaries built will be archived together with the README and LICENSE files into a tar.gz file.
@@ -93,6 +98,8 @@ release:
   # Default is `{{.Tag}}`
   # .XXX variables come from GoReleaser name templates, see https://goreleaser.com/customization/templates/
   name_template: "{{.ProjectName}}-{{.Tag}}"
+  extra_files:
+    - glob: dist/*.sig
 
 
 # https://goreleaser.com/customization/checksum/

diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2y8YbP/Au/T2iFWQZw8EIm62Z3ZM
+aJsCoD/g2niT5xnEkxWbcepWLstLI/rGRAtS5Q4ac8C5/Qmr061PLJS3wg==
+-----END PUBLIC KEY-----