
Commit b5380a4

committed
check dependencies signatures
Signed-off-by: CrazyMax <[email protected]>
1 parent 7643588 commit b5380a4

2 files changed

+174
-0
lines changed

.github/workflows/bake.yml

Lines changed: 87 additions & 0 deletions
@@ -162,6 +162,93 @@ jobs:
162162
with:
163163
script: |
164164
await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
165+
-
166+
name: Install Cosign
167+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
168+
env:
169+
INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }}
170+
with:
171+
script: |
172+
const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
173+
const { Install } = require('@docker/actions-toolkit/lib/cosign/install');
174+
175+
const inpCosignVersion = core.getInput('cosign-version');
176+
177+
const cosignInstall = new Install();
178+
const cosignBinPath = await cosignInstall.download({
179+
version: core.getInput('cosign-version'),
180+
ghaNoCache: true,
181+
skipState: true,
182+
verifySignature: true
183+
});
184+
const cosignPath = await cosignInstall.install(cosignBinPath);
185+
186+
const cosign = new Cosign();
187+
await cosign.printVersion();
188+
-
189+
name: Set up Docker Buildx
190+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
191+
with:
192+
version: ${{ env.BUILDX_VERSION }}
193+
cache-binary: false
194+
buildkitd-flags: --debug
195+
-
196+
name: Check dependencies signatures
197+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
198+
env:
199+
INPUT_IMAGES: |
200+
${{ env.BUILDKIT_IMAGE }}
201+
${{ env.SBOM_IMAGE }}
202+
${{ env.BINFMT_IMAGE }}
203+
with:
204+
script: |
205+
const { ImageTools } = require('@docker/actions-toolkit/lib/buildx/imagetools');
206+
const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
207+
208+
const inpImages = core.getMultilineInput('images');
209+
const imageTools = new ImageTools();
210+
211+
for (const image of inpImages) {
212+
await core.group(`Verifying ${image}`, async () => {
213+
const attestationDigests = await imageTools.attestationDigests(image);
214+
if (attestationDigests.length === 0) {
215+
core.setFailed(`No attestation manifests found for ${image}`);
216+
return;
217+
}
218+
const imageName = image.split(':', 1)[0];
219+
for (const attestationDigest of attestationDigests) {
220+
const attestationRef = `${imageName}@${attestationDigest}`;
221+
const cosignArgs = [
222+
'verify',
223+
'--experimental-oci11',
224+
'--new-bundle-format',
225+
'--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
226+
'--certificate-identity-regexp', `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$`
227+
];
228+
core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
229+
const execRes = await exec.getExecOutput('cosign', ['--verbose', ...cosignArgs, attestationRef], {
230+
ignoreReturnCode: true,
231+
silent: true,
232+
env: Object.assign({}, process.env, {
233+
COSIGN_EXPERIMENTAL: '1'
234+
})
235+
});
236+
const verifyResult = Cosign.parseCommandOutput(execRes.stderr.trim());
237+
if (execRes.exitCode === 0) {
238+
core.info(`Signature manifest verified: https://oci.dag.dev/?image=${signedRes.imageName}@${verifyResult.signatureManifestDigest}`);
239+
} else {
240+
if (verifyResult.errors && verifyResult.errors.length > 0) {
241+
const errorMessages = verifyResult.errors.map(e => `- [${e.code}] ${e.message} : ${e.detail}`).join('\n');
242+
core.setFailed(`Cosign verify command failed with errors:\n${errorMessages}`);
243+
return;
244+
} else {
245+
core.setFailed(`Cosign verify command failed: ${execRes.stderr}`);
246+
return;
247+
}
248+
}
249+
}
250+
});
251+
}
165252
-
166253
name: Expose GitHub Runtime
167254
uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0
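Review bot: `signedRes.imageName` in the success-path `core.info` of the "Check dependencies signatures" script (new line 238) references a variable that is never declared anywhere in the script, so the first attestation that verifies correctly throws a ReferenceError out of `core.group` and fails the step; the value meant here is the `imageName` computed a few lines above: `core.info(\`Signature manifest verified: https://oci.dag.dev/?image=${imageName}@${verifyResult.signatureManifestDigest}\`);`. The same script is duplicated in .github/workflows/build.yml (new line 246) with the identical bug. In the "Install Cosign" step, `inpCosignVersion` (new line 175) and `cosignPath` (new line 184) are assigned but never read; either pass `version: inpCosignVersion` to `download` or drop the two declarations, in both files. The `--certificate-identity-regexp` value leaves its dots unescaped and ends in `.*$`, so it accepts that workflow at any ref of docker/github-builder-experimental (any branch or tag, which is presumably wider than intended); if only the default branch is expected to sign these images, escaping the dots and anchoring the ref suffix (e.g. ending in `@refs/heads/main$`) would tighten the trust check.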

.github/workflows/build.yml

Lines changed: 87 additions & 0 deletions
@@ -170,6 +170,93 @@ jobs:
170170
with:
171171
script: |
172172
await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]);
173+
-
174+
name: Install Cosign
175+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
176+
env:
177+
INPUT_COSIGN-VERSION: ${{ env.COSIGN_VERSION }}
178+
with:
179+
script: |
180+
const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
181+
const { Install } = require('@docker/actions-toolkit/lib/cosign/install');
182+
183+
const inpCosignVersion = core.getInput('cosign-version');
184+
185+
const cosignInstall = new Install();
186+
const cosignBinPath = await cosignInstall.download({
187+
version: core.getInput('cosign-version'),
188+
ghaNoCache: true,
189+
skipState: true,
190+
verifySignature: true
191+
});
192+
const cosignPath = await cosignInstall.install(cosignBinPath);
193+
194+
const cosign = new Cosign();
195+
await cosign.printVersion();
196+
-
197+
name: Set up Docker Buildx
198+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
199+
with:
200+
version: ${{ env.BUILDX_VERSION }}
201+
cache-binary: false
202+
buildkitd-flags: --debug
203+
-
204+
name: Check dependencies signatures
205+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
206+
env:
207+
INPUT_IMAGES: |
208+
${{ env.BUILDKIT_IMAGE }}
209+
${{ env.SBOM_IMAGE }}
210+
${{ env.BINFMT_IMAGE }}
211+
with:
212+
script: |
213+
const { ImageTools } = require('@docker/actions-toolkit/lib/buildx/imagetools');
214+
const { Cosign } = require('@docker/actions-toolkit/lib/cosign/cosign');
215+
216+
const inpImages = core.getMultilineInput('images');
217+
const imageTools = new ImageTools();
218+
219+
for (const image of inpImages) {
220+
await core.group(`Verifying ${image}`, async () => {
221+
const attestationDigests = await imageTools.attestationDigests(image);
222+
if (attestationDigests.length === 0) {
223+
core.setFailed(`No attestation manifests found for ${image}`);
224+
return;
225+
}
226+
const imageName = image.split(':', 1)[0];
227+
for (const attestationDigest of attestationDigests) {
228+
const attestationRef = `${imageName}@${attestationDigest}`;
229+
const cosignArgs = [
230+
'verify',
231+
'--experimental-oci11',
232+
'--new-bundle-format',
233+
'--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
234+
'--certificate-identity-regexp', `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$`
235+
];
236+
core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
237+
const execRes = await exec.getExecOutput('cosign', ['--verbose', ...cosignArgs, attestationRef], {
238+
ignoreReturnCode: true,
239+
silent: true,
240+
env: Object.assign({}, process.env, {
241+
COSIGN_EXPERIMENTAL: '1'
242+
})
243+
});
244+
const verifyResult = Cosign.parseCommandOutput(execRes.stderr.trim());
245+
if (execRes.exitCode === 0) {
246+
core.info(`Signature manifest verified: https://oci.dag.dev/?image=${signedRes.imageName}@${verifyResult.signatureManifestDigest}`);
247+
} else {
248+
if (verifyResult.errors && verifyResult.errors.length > 0) {
249+
const errorMessages = verifyResult.errors.map(e => `- [${e.code}] ${e.message} : ${e.detail}`).join('\n');
250+
core.setFailed(`Cosign verify command failed with errors:\n${errorMessages}`);
251+
return;
252+
} else {
253+
core.setFailed(`Cosign verify command failed: ${execRes.stderr}`);
254+
return;
255+
}
256+
}
257+
}
258+
});
259+
}
173260
-
174261
name: Expose GitHub Runtime
175262
uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0
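Review bot: `image.split(':', 1)[0]` (new line 226) keeps only the text before the first colon, so a reference whose registry host carries a port (constructed example: `localhost:5000/buildkit:v0.1`) would be cut down to `localhost` and every `attestationRef` built from it would point at the wrong repository. The three images come from `BUILDKIT_IMAGE`, `SBOM_IMAGE` and `BINFMT_IMAGE`, which are not visible in this hunk, so this may be harmless today, but stripping only a trailing tag, e.g. `const imageName = image.replace(/:[^/:]+$/, '');`, handles both forms. The same expression is in .github/workflows/bake.yml at new line 218.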
