From: Jessica Wagantall <jwagantall@linuxfoundation.org>
Date: Tue, 12 Dec 2023 23:25:36 +0000 (-0800)
Subject: Feat: Use Sigstore Cosign to sign docker images and push signature
X-Git-Tag: v0.89.6^0
X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?p=releng%2Fglobal-jjb.git;a=commitdiff_plain;h=effb1b53b942658210b4e408030233fb822da900

Feat: Use Sigstore Cosign to sign docker images and push signature

In order to enable, the project needs to create their keypair and
credentials in Jenkins for cosign-password (keypair password) and
cosign-private-key.

Issue: RELENG-5014
Signed-off-by: Jessica Wagantall <jwagantall@linuxfoundation.org>
Change-Id: Ie3e73cb10445b5139417c62fb534ba883a0ad499
---

diff --git a/jjb/lf-release-jobs.yaml b/jjb/lf-release-jobs.yaml
index 285e570b..229b86e8 100644
--- a/jjb/lf-release-jobs.yaml
+++ b/jjb/lf-release-jobs.yaml
@@ -195,6 +195,8 @@
 
     build-days-to-keep: 7
     build-timeout: 15
+    cosign-password-id: cosign-password
+    cosign-private-key-id: cosign-private-key
     disable-job: false
     git-url: "$GIT_URL/$PROJECT"
     stream: master
@@ -269,6 +271,13 @@
       - lf-infra-wrappers:
           build-timeout: "{build-timeout}"
           jenkins-ssh-credential: "{jenkins-ssh-release-credential}"
+      - credentials-binding:
+          - file:
+              credential-id: "{cosign-private-key-id}"
+              variable: COSIGN_PRIVATE_KEY
+          - text:
+              credential-id: "{cosign-password-id}"
+              variable: COSIGN_PASSWORD
 
     scm:
       - lf-infra-gerrit-scm:
@@ -313,6 +322,13 @@
       - lf-infra-wrappers:
           build-timeout: "{build-timeout}"
           jenkins-ssh-credential: "{jenkins-ssh-credential}"
+      - credentials-binding:
+          - file:
+              credential-id: "{cosign-private-key-id}"
+              variable: COSIGN_PRIVATE_KEY
+          - text:
+              credential-id: "{cosign-password-id}"
+              variable: COSIGN_PASSWORD
 
     scm:
       - lf-infra-github-scm:
diff --git a/releasenotes/notes/sign-images-cosign-b60035ec3e8e5c62.yaml b/releasenotes/notes/sign-images-cosign-b60035ec3e8e5c62.yaml
new file mode 100644
index 00000000..2ca95d0c
--- /dev/null
+++ b/releasenotes/notes/sign-images-cosign-b60035ec3e8e5c62.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Use Sigstore Cosign to sign docker images and push signature.
+    In order to enable, the project needs to create their keypair and
+    credentials in Jenkins for cosign-password (keypair password) and
+    cosign-private-key.
diff --git a/shell/release-job.sh b/shell/release-job.sh
index 6c280d20..57e40387 100644
--- a/shell/release-job.sh
+++ b/shell/release-job.sh
@@ -443,8 +443,16 @@ container_release_file(){
             echo "docker tag $container_image_id $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION"
             echo "docker push $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION"
             if [[ "$JOB_NAME" =~ "merge" ]]; then
+                curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
+                sudo mv cosign-linux-amd64 /usr/local/bin/cosign
+                sudo chmod +x /usr/local/bin/cosign
+                export COSIGN_PASSWORD
                 docker tag "$container_image_id" "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
                 docker push "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
+                image_sha=$(docker images --no-trunc --quiet \
+                        "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION")
+                image_digest="$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name@$image_sha"
+                cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest"
             fi
             echo "#########################"
         fi