From effb1b53b942658210b4e408030233fb822da900 Mon Sep 17 00:00:00 2001
From: Jessica Wagantall
Date: Tue, 12 Dec 2023 15:25:36 -0800
Subject: [PATCH] Feat: Use Sigstore Cosign to sign docker images and push signature

In order to enable, the project needs to create their keypair and credentials in Jenkins for cosign-password (keypair password) and cosign-private-key.

Issue: RELENG-5014
Signed-off-by: Jessica Wagantall
Change-Id: Ie3e73cb10445b5139417c62fb534ba883a0ad499
---
 jjb/lf-release-jobs.yaml | 16 ++++++++++++++++
 .../notes/sign-images-cosign-b60035ec3e8e5c62.yaml | 7 +++++++
 shell/release-job.sh | 8 ++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 releasenotes/notes/sign-images-cosign-b60035ec3e8e5c62.yaml

diff --git a/jjb/lf-release-jobs.yaml b/jjb/lf-release-jobs.yaml
index 285e570b..229b86e8 100644
--- a/jjb/lf-release-jobs.yaml
+++ b/jjb/lf-release-jobs.yaml
@@ -195,6 +195,8 @@
 build-days-to-keep: 7
 build-timeout: 15
+ cosign-password-id: cosign-password
+ cosign-private-key-id: cosign-private-key
 disable-job: false
 git-url: "$GIT_URL/$PROJECT"
 stream: master
@@ -269,6 +271,13 @@
 - lf-infra-wrappers:
 build-timeout: "{build-timeout}"
 jenkins-ssh-credential: "{jenkins-ssh-release-credential}"
+ - credentials-binding:
+ - file:
+ credential-id: "{cosign-private-key-id}"
+ variable: COSIGN_PRIVATE_KEY
+ - text:
+ credential-id: "{cosign-password-id}"
+ variable: COSIGN_PASSWORD
 
 scm:
 - lf-infra-gerrit-scm:
@@ -313,6 +322,13 @@
 - lf-infra-wrappers:
 build-timeout: "{build-timeout}"
 jenkins-ssh-credential: "{jenkins-ssh-credential}"
+ - credentials-binding:
+ - file:
+ credential-id: "{cosign-private-key-id}"
+ variable: COSIGN_PRIVATE_KEY
+ - text:
+ credential-id: "{cosign-password-id}"
+ variable: COSIGN_PASSWORD
 
 scm:
 - lf-infra-github-scm:
diff --git a/releasenotes/notes/sign-images-cosign-b60035ec3e8e5c62.yaml b/releasenotes/notes/sign-images-cosign-b60035ec3e8e5c62.yaml
new file mode 100644
index 00000000..2ca95d0c
--- /dev/null
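Review bot: The credentials-binding wrapper added at `@@ -269,6 +271,13 @@` (and identically at `@@ -313,6 +322,13 @@`) binds both cosign credentials unconditionally in each job template, while the description frames creating them as the way a project opts in. As far as I remember Jenkins credentials-binding, a bound credential id that does not exist on the controller fails the build before any shell step runs, so projects that have not set up a keypair would see every release job from these templates break rather than simply skip signing. Either document that both ids are now required, or gate the binding behind a template flag so only projects that opted in get it. The defaults at `@@ -195,6 +195,8 @@` would also benefit from a comment such as `# Jenkins credential ids for cosign; both must exist or the release jobs will not start` so the requirement is visible where the values are set.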
+++ b/releasenotes/notes/sign-images-cosign-b60035ec3e8e5c62.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Use Sigstore Cosign to sign docker images and push signature.
+ In order to enable, the project needs to create their keypair and
+ credentials in Jenkins for cosign-password (keypair password) and
+ cosign-private-key.
diff --git a/shell/release-job.sh b/shell/release-job.sh
index 6c280d20..57e40387 100644
--- a/shell/release-job.sh
+++ b/shell/release-job.sh
@@ -443,8 +443,16 @@ container_release_file(){
 echo "docker tag $container_image_id $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION"
 echo "docker push $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION"
 if [[ "$JOB_NAME" =~ "merge" ]]; then
+ curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
+ sudo mv cosign-linux-amd64 /usr/local/bin/cosign
+ sudo chmod +x /usr/local/bin/cosign
+ export COSIGN_PASSWORD
 docker tag "$container_image_id" "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
 docker push "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
+ image_sha=$(docker images --no-trunc --quiet \
+ "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION")
+ image_digest="$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name@$image_sha"
+ cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest"
 fi
 echo "#########################"
 fi
-- 
2.16.6
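Review bot: The reference handed to `cosign sign` is built from `docker images --no-trunc --quiet`, which as far as I can tell prints the local image ID (the config blob digest) rather than the manifest digest the registry recorded on push, so `$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name@$image_sha` is likely a reference the registry cannot resolve and the signing step would fail or attach to the wrong object; after the push the stored digest is available from `docker inspect` via `.RepoDigests`. Separately, the signer itself is downloaded from `releases/latest` with `curl -O -L` and installed with sudo without pinning a version or checking a digest, and without `-f` a failed download saves the error body and marks it executable as the cosign binary; pinning the release and verifying a known sha256 before `install` stops the component that signs every image from being the one unverified input to the job. The rewrite below covers both points, with the version and sha256 left as placeholders to be filled in from the chosen release. container_release_file() opens before this hunk and its closing brace is outside it.

```shell
if [[ "$JOB_NAME" =~ "merge" ]]; then
  # Pin the signer and verify it before trusting it to sign anything.
  cosign_version="<pinned cosign release tag, placeholder>"
  cosign_sha256="<sha256 of cosign-linux-amd64 for that release, placeholder>"
  curl -fsSL -o cosign-linux-amd64 \
    "https://github.com/sigstore/cosign/releases/download/${cosign_version}/cosign-linux-amd64"
  printf '%s  cosign-linux-amd64\n' "$cosign_sha256" | sha256sum -c - || exit 1
  sudo install -m 0755 cosign-linux-amd64 /usr/local/bin/cosign
  export COSIGN_PASSWORD
  # … unchanged: docker tag / docker push …
  # Sign the manifest digest the registry stored, not the local image ID;
  # filter RepoDigests to this registry in case the image was also pulled elsewhere.
  image_digest=$(docker inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' \
    "$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION" \
    | grep -F -m1 -- "$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name@") || exit 1
  cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest"
```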