Add sigstore

thomasleplus · thomasleplus · commit ebc603c11a22 · 2025-02-26T20:27:55.000-06:00
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
@@ -8,7 +8,9 @@ on:
     - cron: "0 0 * * 0"
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  # Required by sigstore
+  id-token: write
 
 jobs:
   build:
@@ -48,3 +50,18 @@ jobs:
           sbom: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: Install cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      - name: Sign the Docker image
+        working-directory: ${{ env.IMAGE }}
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        shell: bash
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          # shellcheck disable=SC2086
+          cosign sign --recursive --yes ${images}
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
@@ -5,7 +5,9 @@ on:
   release:
     types: [published]
 
-permissions: {}
+permissions:
+  # Required by sigstore
+  id-token: write
 
 jobs:
   release:
@@ -36,6 +38,7 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0
+        id: build
         with:
           context: ${{ env.REPOSITORY }}
           platforms: linux/amd64,linux/arm64
@@ -44,3 +47,18 @@ jobs:
           sbom: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: Install cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      - name: Sign the Docker image
+        working-directory: ${{ env.REPOSITORY }}
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        shell: bash
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          # shellcheck disable=SC2086
+          cosign sign --recursive --yes ${images}
diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
@@ -24,3 +24,12 @@ jobs:
       - name: Pull the latest ${{ matrix.platform }} image
         shell: bash
         run: docker pull --platform "${{ matrix.platform }}" "${GITHUB_REPOSITORY_OWNER}/${REPOSITORY}"
+      - name: Pull the latest ${{ matrix.platform }} image SBOM
+        shell: bash
+        run: docker buildx imagetools inspect "${GITHUB_REPOSITORY_OWNER}/${REPOSITORY}" --format "{{ json (index .SBOM \"${{ matrix.platform }}\").SPDX }}"
+      - name: Install cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      - name: Verify the Docker image signature
+        shell: bash
+        run: |
+          cosign verify "${GITHUB_REPOSITORY_OWNER}/${REPOSITORY}" --certificate-identity-regexp "https://github\.com/${GITHUB_REPOSITORY}/\.github/workflows/.+" --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
diff --git a/README.md b/README.md
@@ -253,6 +253,37 @@ docker buildx imagetools inspect leplusorg/openid-connect-provider-debugger --fo
 
 Replace `linux/amd64` by the desired platform (`linux/amd64`, `linux/arm64` etc.).
 
+### Sigstore
+
+[Sigstore](https://docs.sigstore.dev) is trying to improve supply
+chain security by allowing you to verify the origin of an
+artifcat. You can verify that the jar that you use was actually
+produced by this repository. This means that if you verify the
+signature of the ristretto jar, you can trust the integrity of the
+whole supply chain from code source, to CI/CD build, to distribution
+on Maven Central or whever you got the jar from.
+
+You can use the following command to verify the latest image using its
+sigstore signature attestation:
+
+```bash
+cosign verify leplusorg/openid-connect-provider-debugger --certificate-identity-regexp 'https://github\.com/leplusorg/docker-av/\.github/workflows/.+' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
+```
+
+The output should look something like this:
+
+```text
+Verification for index.docker.io/leplusorg/xml:main --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The code-signing certificate was verified using trusted certificate authority certificates
+
+[{"critical":...
+```
+
+For instructions on how to install `cosign`, please read this [documentation](https://docs.sigstore.dev/cosign/system_config/installation/).
+
 ## Credits
 
 This project is based on NGINX / OpenResty and all the actual OpenID
