Sign container images with cosign (#223)

* Add encrypted Travis env vars

Signed-off-by: Victoria Miltcheva <[email protected]>

* Decrypt encrypted cosign keys in build

Signed-off-by: Victoria Miltcheva <[email protected]>

* Sign container images with cosign

Signed-off-by: Victoria Miltcheva <[email protected]>

* Re-encrypt cosign keys for Travis

Signed-off-by: Victoria Miltcheva <[email protected]>

* Make cosign executable

Signed-off-by: Victoria Miltcheva <[email protected]>

* Parenthesis

Signed-off-by: Victoria Miltcheva <[email protected]>

* Use secure env vars instead

Signed-off-by: Victoria Miltcheva <[email protected]>

* Remove outdated comments

Signed-off-by: Victoria Miltcheva <[email protected]>

---------

Signed-off-by: Victoria Miltcheva <[email protected]>

Author: victoria-miltcheva

.gitignore

@@ -115,3 +115,7 @@ venv.bak/
 # sample file
 sample.csv
 .envrc
+
+# cosign
+cosign.pub
+cosign.key

.travis.yml

@@ -4,28 +4,24 @@ python:
   - "3.9.7" # Matches version in Dockerfiles/Dockerfile.dss
 dist: bionic
 group: beta
-
 services:
   - docker
-
 before_install:
   - test -z "$TRAVIS_TAG" && export VERSION=github-travis-$TRAVIS_BUILD_NUMBER-$(date +%Y%m%d-%H%M%S) || export VERSION=$TRAVIS_TAG
   - echo "Build Version=$VERSION"
 install:
   - make setup
-
 script:
   - make travis-test
-
 deploy:
   provider: script
   script: make travis-deploy
   cleanup: false
   on:
     all_branches: true
     condition: $TRAVIS_BRANCH = main || ! -z $TRAVIS_TAG
-
 cache:
   directories:
     - $HOME/.cache/trivy
     - $HOME/.cache/pre-commit
+    - $HOME/.cache/cosign

Makefile

@@ -43,12 +43,22 @@ COVERAGE := pipenv run coverage
 # Only set if not defined
 VERSION ?= dev
 
+# Docker related
+DOCKER_REGISTRY_ICR := icr.io
+DOCKER_USER_ICR := iamapikey
+DOCKER_PASS_ICR := $(IBM_CLOUD_API_KEY)
+
 # Trivy related
 TRIVY ?= trivy
 TRIVY_VERSION := $(shell curl -s "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
 TRIVY_OS := $(shell uname | sed 's/Darwin/macOS/' )
 TRIVY_ARCH := $(shell uname -m | cut -d_ -f2 )
 
+# Cosign related
+COSIGN ?= /tmp/cosign
+COSIGN_VERSION := $(shell curl -s "https://api.github.com/repos/sigstore/cosign/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+
+
 .PHONY: setup-trivy
 setup-trivy:
 	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
@@ -57,6 +67,11 @@ ifdef TRAVIS
 	sudo apt update && sudo apt install rpm -y
 endif
 
+.PHONY: setup-cosign
+setup-cosign:
+	curl -sSfL https://github.com/sigstore/cosign/releases/download/v$(COSIGN_VERSION)/cosign-linux-amd64  -o $(COSIGN)
+	chmod +x $(COSIGN)
+
 .PHONY: setup-deploy-tools
 setup-deploy-tools:
 	curl -Lo container-structure-test https://storage.googleapis.com/container-structure-test/latest/container-structure-test-$(shell uname | tr '[:upper:]' '[:lower:]')-amd64 && sudo install container-structure-test /usr/local/bin/
@@ -68,7 +83,7 @@ setup-deploy-tools:
 	kustomize version
 
 .PHONY: setup
-setup: setup-trivy setup-deploy-tools
+setup: setup-trivy setup-cosign setup-deploy-tools
 	pip install --upgrade pip
 	pip install "setuptools>=65.5.1" pipenv
 	PIP_IGNORE_INSTALLED=1 pipenv install --dev --deploy --ignore-pipfile
@@ -163,6 +178,8 @@ endif
 	# login to cr and set region
 	@ibmcloud cr region-set global
 	@ibmcloud cr login
+	# login to cosign
+	@echo $(DOCKER_PASS_ICR) | $(COSIGN) login -u $(DOCKER_USER_ICR) --password-stdin $(DOCKER_REGISTRY_ICR)
 
 .PHONY: build-images
 build-images:
@@ -182,6 +199,13 @@ quality-images:
 .PHONY: deploy
 deploy:
 	skaffold build
+	for image in $(shell skaffold build -q --dry-run | jq -r .builds[].tag); do \
+		@echo "Signing image $${image}"; \
+		$(COSIGN) sign --key env://COSIGN_PRIVATE_KEY --yes $${image}; \
+
+		@echo "Verifying image $${image}; \
+		$(COSIGN) verify --key env://COSIGN_PUBLIC_KEY $${image}; \
+	done;
 
 .PHONY: clean
 clean: