diff --git a/.github/workflows/add-remove-new-fulcio.yaml b/.github/workflows/add-remove-new-fulcio.yaml
index 963908d86..c63fde1fe 100644
--- a/.github/workflows/add-remove-new-fulcio.yaml
+++ b/.github/workflows/add-remove-new-fulcio.yaml
@@ -73,7 +73,7 @@ jobs:
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
-      - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
       - name: Setup Cluster
         uses: chainguard-dev/actions/setup-kind@b479012116eacde7f895586c17b598f7ba0ee700 # v1.5.9
@@ -141,15 +141,9 @@ jobs:
       - name: Get the endpoints on the cluster
         run: |
-          REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
-          echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
-
           FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
           echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
-          #FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
-          #echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
-
           CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
           echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
@@ -160,21 +154,18 @@ jobs:
       - name: Sign with cosign from the action using k8s token
         run: |
-          cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
+          cosign sign --yes --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
         env:
-          REKOR_URL: ${{ env.REKOR_URL }}
-          FULCIO_URL: ${{ env.FULCIO_URL }}
           DEMOIMAGE: ${{ env.demoimage }}
           OIDC_TOKEN: ${{ env.OIDC_TOKEN }}
       - name: Verify with cosign from the action using k8s token
         run: |
-          cosign verify --rekor-url "${REKOR_URL}" \
+          cosign verify \
             --allow-insecure-registry "${DEMOIMAGE}" \
             --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
             --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
         env:
-          REKOR_URL: ${{ env.REKOR_URL }}
           DEMOIMAGE: ${{ env.demoimage }}
       - name: Spin up a new Fulcio with new keys
diff --git a/.github/workflows/fulcio-rekor-kind.yaml b/.github/workflows/fulcio-rekor-kind.yaml
index aa90ad4da..5635993f4 100644
--- a/.github/workflows/fulcio-rekor-kind.yaml
+++ b/.github/workflows/fulcio-rekor-kind.yaml
@@ -73,7 +73,7 @@ jobs:
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
-      - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
       - name: Setup Cluster
         uses: chainguard-dev/actions/setup-kind@b479012116eacde7f895586c17b598f7ba0ee700 # v1.5.9
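Review bot: The new `cosign sign` line leaves `${DEMOIMAGE}` and `${OIDC_TOKEN}` unquoted while the `cosign verify` line a few lines down quotes `"${DEMOIMAGE}"`; both values come from the step `env:`, so quote them the same way: `cosign sign --yes --allow-insecure-registry "${DEMOIMAGE}" --identity-token "${OIDC_TOKEN}"`. The identical line is changed the same way in fulcio-rekor-kind.yaml (the -165 hunk, whose `sign-blob` line also passes a bare `$OIDC_TOKEN`), test-action-tuf.yaml (-80 hunk) and test-release.yaml (-132 hunk). With `--rekor-url`/`--fulcio-url` gone, the step no longer shows which Fulcio and Rekor it talks to; presumably the cosign v4 default takes them from the signing config and trusted root fetched by a `cosign initialize` against the cluster's TUF mirror earlier in the job (outside this hunk), and a one-line comment above the sign step would make that dependency visible, e.g. `# Fulcio/Rekor endpoints come from the TUF signing config fetched by cosign initialize (cosign >= v4), not from flags.`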
@@ -143,18 +143,6 @@ jobs:
       - name: Get the endpoints on the cluster
         run: |
-          REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
-          echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
-
-          FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
-          echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
-
-          #FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
-          #echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
-
-          CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
-          echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
-
           ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}')
           echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV
           OIDC_TOKEN=`curl -s $ISSUER_URL`
@@ -165,26 +153,23 @@ jobs:
       - name: Sign with cosign from the action using k8s token
         run: |
-          cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
+          cosign sign --yes --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
         env:
-          REKOR_URL: ${{ env.REKOR_URL }}
-          FULCIO_URL: ${{ env.FULCIO_URL }}
           DEMOIMAGE: ${{ env.demoimage }}
           OIDC_TOKEN: ${{ env.OIDC_TOKEN }}
       - name: Verify with cosign from the action using k8s token
         run: |
-          cosign verify --rekor-url "${REKOR_URL}" \
+          cosign verify \
             --allow-insecure-registry "${DEMOIMAGE}" \
             --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
             --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
         env:
-          REKOR_URL: ${{ env.REKOR_URL }}
           DEMOIMAGE: ${{ env.demoimage }}
       - name: Sign a blob with signature bundle format
         run: |
-          cosign sign-blob --yes --new-bundle-format=true --bundle=bundle.json --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL --identity-token $OIDC_TOKEN README.md
+          cosign sign-blob --yes --new-bundle-format=true --bundle=bundle.json --identity-token $OIDC_TOKEN README.md
       - name: Verify blob with signature bundle format using trusted_root.json
         run: |
@@ -197,7 +182,6 @@ jobs:
             --certificate-identity-regexp="https://kubernetes.io/namespaces/default/serviceaccounts/default" \
             --certificate-oidc-issuer-regexp="https://kubernetes.default.svc.cluster.local" \
             --bundle=bundle.json --new-bundle-format \
-            --rekor-url $REKOR_URL \
             --trusted-root=$HOME/.sigstore/root/$TUF_MIRROR/targets/trusted_root.json \
             README.md
         env:
@@ -225,7 +209,7 @@ jobs:
           # ROOT=${PWD}/repository/1.root.json
           # REPOSITORY=${PWD}/repository
           # ./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY}
-          # ./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }}
+          # ./cosign verify --allow-insecure-registry ${{ env.demoimage }}
       - name: Checkout TSA for testing.
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e14b06fed..7539f16e9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -37,7 +37,7 @@ jobs:
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
       - name: Install cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
diff --git a/.github/workflows/test-action-tuf.yaml b/.github/workflows/test-action-tuf.yaml
index da2a0b495..b776c4726 100644
--- a/.github/workflows/test-action-tuf.yaml
+++ b/.github/workflows/test-action-tuf.yaml
@@ -47,7 +47,7 @@ jobs:
       # Install cosign
       - name: Install cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
       - name: Set up Go
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
@@ -80,21 +80,18 @@ jobs:
       - name: Sign with cosign from the action using k8s token
         run: |
-          cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
+          cosign sign --yes --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
         env:
-          REKOR_URL: ${{ env.REKOR_URL }}
-          FULCIO_URL: ${{ env.FULCIO_URL }}
           DEMOIMAGE: ${{ env.demoimage }}
           OIDC_TOKEN: ${{ env.OIDC_TOKEN }}
       - name: Verify with cosign from the action using k8s token
         run: |
-          cosign verify --rekor-url "${REKOR_URL}" \
+          cosign verify \
             --allow-insecure-registry "${DEMOIMAGE}" \
             --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
             --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
         env:
-          REKOR_URL: ${{ env.REKOR_URL }}
           DEMOIMAGE: ${{ env.demoimage }}
       - name: Checkout TSA for testing.
diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
index 129e66bbe..364821456 100644
--- a/.github/workflows/test-release.yaml
+++ b/.github/workflows/test-release.yaml
@@ -38,7 +38,7 @@ jobs:
     steps:
       - uses: chainguard-dev/actions/setup-mirror@b479012116eacde7f895586c17b598f7ba0ee700 # v1.5.9
-      - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
       - name: Set up Go
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
@@ -74,18 +74,10 @@ jobs:
           /tmp/setup-scaffolding-from-release.sh --release-version ${RELEASE_VERSION}
           # TODO(vaikas): Figure out how these could be exposed by above.
-          REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}')
-          FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}')
-          FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}')
-          CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}')
           TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
           TSA_URL=$(kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}')
           # Set the endopints
-          echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV
-          echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV
-          echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV
-          echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV
           echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV
           echo "TSA_URL=$TSA_URL" >> $GITHUB_ENV
@@ -132,21 +124,18 @@ jobs:
       - name: Sign with cosign from the action using k8s token
         run: |
-          cosign sign --yes --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
+          cosign sign --yes --allow-insecure-registry ${DEMOIMAGE} --identity-token ${OIDC_TOKEN}
         env:
-          REKOR_URL: ${{ env.REKOR_URL }}
-          FULCIO_URL: ${{ env.FULCIO_URL }}
           DEMOIMAGE: ${{ env.demoimage }}
           OIDC_TOKEN: ${{ env.OIDC_TOKEN }}
       - name: Verify with cosign from the action using k8s token
         run: |
-          cosign verify --rekor-url "${REKOR_URL}" \
+          cosign verify \
             --allow-insecure-registry "${DEMOIMAGE}" \
             --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
             --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
         env:
-          REKOR_URL: ${{ env.REKOR_URL }}
           DEMOIMAGE: ${{ env.demoimage }}
       - name: Checkout TSA for testing.
diff --git a/.github/workflows/test-setup-sigstore-env.yml b/.github/workflows/test-setup-sigstore-env.yml
index d26d182f4..a64b96f1b 100644
--- a/.github/workflows/test-setup-sigstore-env.yml
+++ b/.github/workflows/test-setup-sigstore-env.yml
@@ -17,7 +17,7 @@ jobs:
           persist-credentials: false
       - id: setup-sigstore-env
         uses: ./actions/setup-sigstore-env
-      - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
         with:
           cosign-release: main
       - name: Create artifact to sign
@@ -25,28 +25,30 @@ jobs:
       - name: Run cosign sign-blob
         env:
           SIGSTORE_CT_LOG_PUBLIC_KEY_FILE: ${{ steps.setup-sigstore-env.outputs.ct-log-key }}
-          STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_URL: ${{ steps.setup-sigstore-env.outputs.oidc-url }}
-          STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_TOKEN: ${{ steps.setup-sigstore-env.outputs.oidc-token }}
+          OIDC_URL: ${{ steps.setup-sigstore-env.outputs.oidc-url }}
+          OIDC_TOKEN: ${{ steps.setup-sigstore-env.outputs.oidc-token }}
+          TRUSTED_ROOT: ${{ steps.setup-sigstore-env.outputs.trusted-root }}
+          SIGNING_CONFIG: ${{ steps.setup-sigstore-env.outputs.signing-config }}
         run: |
           echo token:
-          curl -f ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_URL}/token
+          curl -f ${OIDC_URL}/token
           cosign sign-blob \
             -y \
             --bundle=bundle.json \
             --new-bundle-format=true \
-            --rekor-url http://localhost:3000 \
-            --fulcio-url http://localhost:5555 \
-            --identity-token ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_OIDC_TOKEN} \
+            --trusted-root ${TRUSTED_ROOT} \
+            --signing-config ${SIGNING_CONFIG} \
+            --identity-token ${OIDC_TOKEN} \
             artifact
       - name: Run cosign verify-blob with trusted root
         run: |
           cosign verify-blob \
-            --trusted-root ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_TRUSTED_ROOT} \
+            --trusted-root ${TRUSTED_ROOT} \
             --bundle bundle.json \
             --new-bundle-format=true \
             --certificate-identity foo@bar.com \
-            --certificate-oidc-issuer ${STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_ISSUER_URL} \
+            --certificate-oidc-issuer ${ISSUER_URL} \
             artifact
         env:
-          STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_TRUSTED_ROOT: ${{ steps.setup-sigstore-env.outputs.trusted-root }}
-          STEPS_SETUP_SIGSTORE_ENV_OUTPUTS_ISSUER_URL: ${{ steps.setup-sigstore-env.outputs.issuer-url }}
+          TRUSTED_ROOT: ${{ steps.setup-sigstore-env.outputs.trusted-root }}
+          ISSUER_URL: ${{ steps.setup-sigstore-env.outputs.issuer-url }}
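Review bot: The renamed line `curl -f ${OIDC_URL}/token`, right after `echo token:`, still prints the response body, so the identity token that the following `--identity-token ${OIDC_TOKEN}` signs with ends up in the job log for anyone who can read the run. The issuer here is the throwaway one from setup-sigstore-env, so the exposure is small, but the step already receives the token through `env:` and does not need to fetch it again. If the call is only meant to check that the issuer is reachable, discard the body: `curl -fsS -o /dev/null "${OIDC_URL}/token"`. While touching these lines, `${TRUSTED_ROOT}` and `${SIGNING_CONFIG}` are file paths from action outputs and would be safer quoted, as the other workflows in this change do for `"${DEMOIMAGE}"`.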