feat(cd): sign released container images and Helm chart (microsoft#160)

# Description Sign released container images with Cosign and Helm chart with `helm package --sign` ## Related Issue If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request. Closes microsoft#141 ## Checklist - [x] I have read the [contributing documantation](https://retina.sh/docs/contributing). - [x] I signed and signed-off the commits (`git commit -S -s ...`) - [x] I have correctly attributed the author(s) of the code. - [ ] I have tested the changes locally. - [ ] I have followed the project's style guidelines. - [ ] I have updated the documentation, if necessary. - [ ] I have added tests, if applicable. ## Screenshots (if applicable) N/A ## Additional Notes In order for testing this change, please create a GPG private key and a Cosign private key and deposit as GH secrets for this repo --- Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project. --------- Signed-off-by: hainenber <[email protected]> Signed-off-by: Đỗ Trọng Hải <[email protected]> Signed-off-by: Evan Baker <[email protected]> Co-authored-by: Evan Baker <[email protected]>
andreev-io · Apr 5, 2024 · ef779b6 · ef779b6
1 parent 75d98d8
commit ef779b6
Show file tree

Hide file tree

Showing 5 changed files with 100 additions and 7 deletions.
diff --git a/.github/workflows/release-charts.yaml b/.github/workflows/release-charts.yaml
@@ -8,6 +8,9 @@ on:
 permissions:
   contents: read
   packages: write
+  # This is used to complete the identity challenge
+  # with sigstore/fulcio when running outside of PRs.
+  id-token: write
 
 jobs:
   push-retina-charts:
@@ -22,15 +25,24 @@ jobs:
 
       - uses: azure/[email protected]
         id: install
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
 
-      - name: Log in to registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u $ --password-stdin
-
-      - name: Build/Push Chart
+      - name: Log in to registry (Helm for pushing chart, Docker for signing and push signature)
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u $ --password-stdin
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
+      
+      - name: Build, Push and Sign chart
+        id: build_chart
         shell: bash
         run: |
           set -euo pipefail
           export TAG=$(make version)
-          echo $TAG
           helm package ./deploy/manifests/controller/helm/retina --version $TAG
-          helm push retina-$TAG.tgz oci://ghcr.io/${{ github.repository }}/charts
+          # Get Helm chart's SHA digest from helm push cmd output
+          helm push retina-$TAG.tgz oci://ghcr.io/${{ github.repository }}/charts >> helm_push_result.txt 2>&1
+          cat helm_push_result.txt
+          cosign sign --yes ghcr.io/${{ github.repository }}/charts/retina@$(tail -n 1 helm_push_result.txt | awk '{ print $2 }')
+
diff --git a/.github/workflows/release-images.yaml b/.github/workflows/release-images.yaml
@@ -8,6 +8,9 @@ on:
 permissions:
   contents: read
   packages: write
+  # This is used to complete the identity challenge
+  # with sigstore/fulcio when running outside of PRs.
+  id-token: write
 
 jobs:
   retina-images:
@@ -27,6 +30,9 @@ jobs:
         with:
           go-version: ">=1.21.0"
       - run: go version
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -43,6 +49,15 @@ jobs:
             IMAGE_NAMESPACE=${{ github.repository }} \
             PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
             BUILDX_ACTION=--push
+      
+      - name: Sign container image
+        run: |
+          for image in retina-agent retina-init; do
+            IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-${{ matrix.platform }}-${{ matrix.arch }}"
+            DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json) 
+            cosign sign --yes ${IMAGE_PATH}@${DIGEST} 
+          done
+
 
   retina-win-images:
     name: Build Agent Windows Images
@@ -62,6 +77,9 @@ jobs:
           go-version: ">=1.21.0"
       - run: go version
 
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
@@ -78,6 +96,16 @@ jobs:
             PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
             BUILDX_ACTION=--push
 
+      - name: Sign container image
+        run: |
+          for year in 2019 2022; do
+            for image in retina-agent ; do
+              IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-windows-ltsc$year-${{ matrix.arch }}"
+              DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-windows-ltsc$year-${{ matrix.arch }}.json) 
+              cosign sign --yes ${IMAGE_PATH}@${DIGEST} 
+            done
+          done
+
   operator-images:
     name: Build Operator Images
     runs-on: ubuntu-latest
@@ -95,6 +123,9 @@ jobs:
         with:
           go-version: ">=1.21.0"
       - run: go version
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -111,6 +142,15 @@ jobs:
             IMAGE_NAMESPACE=${{ github.repository }} \
             PLATFORM=${{ matrix.platform }}/${{ matrix.arch }} \
             BUILDX_ACTION=--push
+          
+      - name: Sign container image
+        run: |
+          for image in retina-operator ; do
+              IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG-${{ matrix.platform }}-${{ matrix.arch }}"
+              DIGEST=$(jq -r '.["containerimage.digest"]' image-metadata-$image-$TAG-${{ matrix.platform }}-${{ matrix.arch }}.json) 
+              cosign sign --yes ${IMAGE_PATH}@${DIGEST} 
+          done
+
 
   manifests:
     name: Generate Manifests
@@ -127,6 +167,9 @@ jobs:
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
 
       - name: Log in to registry
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
@@ -138,3 +181,16 @@ jobs:
           make manifest \
             IMAGE_NAMESPACE=${{ github.repository }} \
             COMPONENT=${{ matrix.component }}
+
+      - name: Sign manifest
+        run: |
+          export TAG="$(make version)"
+          images=("retina-agent" "retina-init")
+          if [[ ${{ matrix.component }} == "operator" ]]; then
+            images=("retina-operator")
+          fi
+          for image in "${images[@]}"; do
+            IMAGE_PATH="ghcr.io/${{ github.repository }}/$image:$TAG"
+            DIGEST=$(docker buildx imagetools inspect $IMAGE_PATH --format "{{json .Manifest}}" | jq -r .digest)
+            cosign sign --yes ${IMAGE_PATH}@${DIGEST} 
+          done
diff --git a/Makefile b/Makefile
@@ -205,10 +205,14 @@ buildx:
 container-docker: buildx # util target to build container images using docker buildx. do not invoke directly.
 	os=$$(echo $(PLATFORM) | cut -d'/' -f1); \
 	arch=$$(echo $(PLATFORM) | cut -d'/' -f2); \
-	echo "Building for $$os/$$arch"; \
+	image_name=$$(basename $(IMAGE)); \
+	image_metadata_filename="image-metadata-$$image_name-$(TAG).json"; \
+	touch $$image_metadata_filename; \
+	echo "Building $$image_name for $$os/$$arch "; \
 	docker buildx build \
 		$(BUILDX_ACTION) \
 		--platform $(PLATFORM) \
+		--metadata-file=$$image_metadata_filename \
 		-f $(DOCKERFILE) \
 		--build-arg VERSION=$(VERSION) $(EXTRA_BUILD_ARGS) \
 		--build-arg GOOS=$$os \

diff --git a/README.md b/README.md
@@ -118,6 +118,17 @@ contact [[email protected]](mailto:[email protected]) with any additio
 
 [Read more about how to begin contributing here.](https://retina.sh/docs/contributing)
 
+### Verify signed images
+
+Retina images published to GHCR are cryptographically signed. You can verify their provenance with [`sigstore/cosign`](https://github.com/sigstore/cosign):
+
+```shell
+REPO=microsoft/retina # or your repo
+IMAGE=retina-operator # or other image to verify
+TAG=v0.0.6 # or other tag to verify OR replace with the image SHA256
+cosign verify ghcr.io/$REPO/$IMAGE:$TAG --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/$REPO" -o text
+```
+
 ### Office Hours and Community Meetings
 
 We host a periodic open community meeting. [Find the details here.](https://retina.sh/docs/contributing/#office-hours-and-community-meetings)

diff --git a/docs/installation/verify-signed-images.md b/docs/installation/verify-signed-images.md
@@ -0,0 +1,10 @@
+# Verify signed images
+
+Retina images published to GHCR are cryptographically signed. You can verify their provenance with [`sigstore/cosign`](https://github.com/sigstore/cosign):
+
+```shell
+REPO=microsoft/retina # or your repo
+IMAGE=retina-operator # or other image to verify
+TAG=v0.0.6 # or other tag to verify OR replace with the image SHA256
+cosign verify ghcr.io/$REPO/$IMAGE:$TAG --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/$REPO" -o text
+```